learning mode for objects
Posted:
Tue Oct 29, 2002 11:45 am
by piavka
Can the learning mode of grsec be modified so that I could specify it for
objects too? For example:
/ {
/ r
/usr rl <-----
/etc rx
/etc/grsec h
....
}
This way I don't need to allow learning mode for the whole /, since I
can protect other directories and not leave the whole system open, like
/ l {
/ r
/usr r
/etc rx
/etc/grsec h
....
}
Or is there some workaround to get this functionality?
PS. As I understand it, this setup
/ {
/ r
/usr rl
/etc rx
/etc/grsec h
....
}
/usr lo {
/usr r
}
is illegal.
Thanks
Posted:
Tue Oct 29, 2002 5:28 pm
by spender
What you probably want is this:
/usr l {
}
Subjects can be both files and directories.
-Brad
Posted:
Wed Oct 30, 2002 9:05 am
by piavka
Thanks, removing the o option from the subject (so the subject is a directory)
solved my problem. But why can't I specify the o option for a directory subject?
If i do like this:
/usr lo {
}
gradm says that /usr has no default acl, and I thought that
/ {
....
}
should be the default acl for all its subdirectory subjects too, not only for the executable subjects. Isn't that so?
Another question is: if I have
/ {
/usr/kkk rx
....
}
/usr l {
/usr r
}
If some process needs to write into /usr/kkk, will it be able to do so?
I mean, which object will be used for authentication?
/usr/kkk rx
or
/usr r
If "/usr r" is used, then the process will be able to write into /usr/kkk,
because the /usr subject is in learning mode. But I need "/usr/kkk rx"
from the / subject to be used and deny the write.
Thanks.
Posted:
Wed Oct 30, 2002 9:45 am
by spender
If you specify o in the subject mode, you need to at least provide a rule for /. Specifying o in the subject mode means you don't want to inherit any ACLs from parent directories. So what you would need is at least:
/usr lo {
/ h
}
Or whatever you want the default rule for / to be.
-Brad
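The rule in the reply above can be checked mechanically. The following is an added example written for this page, not gradm's code and not part of the original thread: it parses the bracketed ACL syntax used in the posts (a subject path, an optional mode string such as "l" or "lo", then "path mode" object lines inside braces) and reports any subject whose mode contains o but which carries no object rule for /, using the same wording as the gradm message quoted earlier ("has no default acl"). The parsing approach, the data structures and the two constructed sample policies are assumptions made for illustration; how objects from parent-directory subjects are merged into a subject without o is not modelled, since the thread does not settle that.

```python
"""Toy checker for the ACL fragments discussed in this thread.

Added example, not gradm's code. It implements only the rule stated in
the reply above: a subject whose mode includes "o" inherits nothing from
parent-directory subjects, so it must itself carry an object rule for "/".
"""
import re
from dataclasses import dataclass, field

# Subject header: "<path> [<mode>] {" -- e.g. "/ {" or "/usr lo {".
SUBJECT_RE = re.compile(r"^(\S+)(?:\s+(\S+))?\s*\{$")


@dataclass
class Subject:
    path: str
    mode: str
    objects: dict = field(default_factory=dict)  # object path -> mode


def parse_policy(text):
    """Parse the thread's ACL syntax into a list of Subject records.

    Lines that are just '....' (the elision used in the posts) are skipped,
    as are blank lines and anything after a '#' comment marker (assumption).
    """
    subjects = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "....":
            continue
        if current is None:
            m = SUBJECT_RE.match(line)
            if not m:
                raise ValueError("expected a subject header, got %r" % line)
            current = Subject(path=m.group(1), mode=m.group(2) or "")
            continue
        if line == "}":
            subjects.append(current)
            current = None
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError("expected '<path> <mode>', got %r" % line)
        current.objects[parts[0]] = parts[1]
    if current is not None:
        raise ValueError("unterminated subject %s" % current.path)
    return subjects


def check_default_acls(subjects):
    """Return gradm-style complaints for 'o' subjects that lack a '/' object.

    A subject without 'o' inherits from its parent directories' subjects,
    so it is not required to carry its own '/' rule.
    """
    return ["%s has no default acl" % s.path
            for s in subjects
            if "o" in s.mode and "/" not in s.objects]


# Constructed sample policies mirroring the thread (not real system policy).
BROKEN_POLICY = """\
/ {
/ r
/usr r
/etc rx
/etc/grsec h
}
/usr lo {
}
"""

FIXED_POLICY = """\
/ {
/ r
/usr r
/etc rx
/etc/grsec h
}
/usr lo {
/ h
}
"""

if __name__ == "__main__":
    for name, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        problems = check_default_acls(parse_policy(policy))
        print("%s: %s" % (name, problems or "ok"))
```

Running the script prints one complaint for the first policy (the /usr subject has o but no / rule) and "ok" for the second, where the `/ h` line supplies the default rule the reply asks for.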
Posted:
Wed Oct 30, 2002 10:03 am
by piavka
Regarding my second question:
I don't want processes to be able to write into /usr/kkk,
and I have this setup:
/ {
/usr/kkk rx
....
}
/usr l {
/usr r
}
would expand /usr to the following, once inheritance was calculated:
/usr l {
/usr r
/usr/kkk rx
}
Yes or no?
If yes, then processes will be able to write into /usr/kkk, because the /usr subject is in learning mode. Yes or no?
If processes are able to write into /usr/kkk, how should I change the setup
to deny it?
Thanks a lot.