1. After closing and reopening the mount point all rules related to that network mount are lost. When an application tries to open/read/write file, it gets an error.
For example I have in role:
- Code: Select all
/mnt # (none)
/mnt/server/dir1 rwcd
, with mount point at /mnt/server.
Application fails to write to /mnt/server/dir1 after /mnt/server reconnect/umount and mount again. No entries in logs (usually they appear, when I want to write outside /mnt/server/dir1 in application), messages are displayed only in dmesg.
2. Sometimes I denied completely to mount network shares. I think this is my role misconfiguration, I'll check this. But this happens as described above, without any logs, and second try usually successful.
After gradm -R anything works correctly. But this is annoying, because it breaks any application subject that works with network mounts only. If I enable application to write anywhere (/mnt rwcd), RBAC will be almost useless for me. And reloading rules after every remount or reconnect is annoying thing too.
It is possible to fix this? Or this is regular behavior with network/other (temporary) mounts?
If that helps: I use sshfs, I mount sshfs before enabling RBAC, I mount sshfs with allow_root option.
Big Thanks.
You're right. I believe that this will be fixed in future versions of grsecurity's RBAC, now I have no temporary solution for this. Instead I will try to deal with rights on other side of wire (with loosing control over every program on this side). Thanks for your response.