special role at boot?!


Postby Löwe » Wed Aug 11, 2004 5:23 am

Hello,

I'm pretty new to grsecurity; yesterday I just successfully set up 2.6.7-grsec. I wrote several ACLs for various subjects and everything is working fine. After the boot-process I enabled grsec with "gradm -E". To shut down the system, I can switch to a special admin role with the needed privileges first, ok.

But it will be nice if I could tell grsec to use a special role, for example "boot" when the system boots. I don't want to give the scripts in /etc/init.d/network the needed rights for the default role. And I don't want to touch the scripts from my distribution to add a line with "gradm -n boot".

btw: LIDS uses a similar technique, after the boot-process you have to init the LIDS-ACL with "lidasdm -S" or something like that..
Löwe
 
Posts: 2
Joined: Wed Aug 11, 2004 5:08 am

Postby spender » Wed Aug 11, 2004 7:32 am

Why not protect the scripts and the files they read from being modified and keep everyone out of the system during boot-up? (run one firewall script that prevents all incoming connections before boot, turn off the script after everything is booted and gradm is enabled)

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby Löwe » Wed Aug 11, 2004 9:22 am

Hello Brad!

Thank you very much for your rapid answer :D

I understand that the grsec-ACL-System will be enabled only after a call of "gradm -E", am I right? That will solve my problem! I thought that the acl-system is "always on" after the kernel boots if it finds the file /etc/grsec/policy. My problem is, I don't want to reboot the machine until tomorrow, because if something goes wrong in the boot-process I cannot access the machine anymore :)

btw: Is there a kernel parameter, so that I can disable grsec globally?

with kind regards
Löwe
 
Posts: 2
Joined: Wed Aug 11, 2004 5:08 am

Postby spender » Wed Aug 11, 2004 9:39 am

You're right about gradm -E. There is no kernel parameter for turning grsec off globally, though.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
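
The boot-time approach suggested in this thread (block incoming connections before the init scripts run, then lift the block once "gradm -E" has succeeded), sketched as an added example that is not part of any post. It assumes iptables is the firewall; the function names `boot_lockdown` and `boot_release` and the `RUN` dry-run switch are hypothetical.

```shell
#!/bin/sh
# Added example: keep the host unreachable until the RBAC system is enabled.
# RUN defaults to "echo" (dry run: the commands are printed, not executed).
# Set RUN="" and run as root to apply them for real.
RUN="${RUN-echo}"

boot_lockdown() {
    # Call from the earliest init script, before the network comes up.
    # Drop all new inbound traffic; keep loopback and replies to our own
    # outbound connections so the init scripts themselves keep working.
    $RUN iptables -P INPUT DROP
    $RUN iptables -F INPUT
    $RUN iptables -A INPUT -i lo -j ACCEPT
    $RUN iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

boot_release() {
    # Call from the last init script. Enable the RBAC system first and
    # open the firewall only if that succeeded, so a failed or missing
    # policy never leaves the host reachable without it.
    if $RUN gradm -E; then
        # Assumption: an open INPUT chain is the normal state here;
        # load the regular ruleset instead if the host has one.
        $RUN iptables -P INPUT ACCEPT
        $RUN iptables -F INPUT
    else
        echo "gradm -E failed; inbound traffic stays blocked" >&2
        return 1
    fi
}
```

If "gradm -E" fails, `boot_release` leaves the block in place, so recovery has to happen from the console.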
