couple of questions regarding Grsec ACL

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby michthien » Tue Mar 01, 2005 2:20 am

Hi,

I am building some ACLs for grsecurity and had two questions:

1) What does an object with no mode after it have as an ACL? So for instance (taken from the default 'policy' supplied with gradm):

subject /
/ r
/dev
/dev/grsec h
.
.
.
etc...

What would be the ACL for /dev?

(From my tests, it appears to be non-executable, can't be written to, can't be read, but is not hidden..)

2) Is there any way to read what the ACL for a subject is using e.g., gradm (the documentation mentions a 'T' flag, but this appears to have been discontinued, possibly for security reasons...)


Thanks for any help!

Best regards.

C.
michthien
 
Posts: 1
Joined: Tue Mar 01, 2005 2:17 am

Postby spender » Tue Mar 01, 2005 9:38 am

All logs will tell you what role and subject a violation belonged to.
As for objects without a mode, it's an implicit "find" operation. This means you can change to the directory (if it is a directory), list directory contents, stat the file, but nothing that reads, writes, or otherwise modifies the file.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
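As an added illustration (not gradm's code and not part of either post), a small Python model of the rule Brad describes: an object with no mode resolves to find-only (chdir, list, stat), `h` hides the object entirely, and the most specific object path wins. The longest-prefix lookup and the flag table are assumptions that simplify the real kernel matching; flags other than r/w/x/h are ignored.

```python
# Toy model of grsecurity RBAC object resolution (added illustration, not gradm code).
# Models only: longest-prefix object matching, the r/w/x/h flags, and the implicit
# "find" set (chdir, list, stat) granted to an object written with no mode.
FIND_OPS = {"chdir", "list", "stat"}   # what a mode-less object still permits
FLAG_OPS = {"r": {"read"}, "w": {"write"}, "x": {"exec"}}   # assumed flag table

def parse_objects(policy_text):
    """Parse 'path [mode]' lines from one subject block into {path: mode}."""
    objects = {}
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("subject"):
            continue
        parts = line.split()
        objects[parts[0]] = parts[1] if len(parts) > 1 else ""   # "" = no mode
    return objects

def match_object(objects, path):
    """Most specific object wins: the longest object path equal to or above `path`."""
    best = None
    for obj in objects:
        if path == obj or path.startswith(obj.rstrip("/") + "/"):
            if best is None or len(obj) > len(best):
                best = obj
    return best

def allowed_ops(objects, path):
    """Return the set of operations the matched object grants for `path`."""
    obj = match_object(objects, path)
    if obj is None:
        return set()              # no matching object: nothing is permitted
    mode = objects[obj]
    if "h" in mode:
        return set()              # hidden: the path does not even exist
    ops = set(FIND_OPS)           # implicit find for every visible object
    for flag in mode:
        ops |= FLAG_OPS.get(flag, set())
    return ops

# Policy fragment from the question above (constructed copy of those lines).
POLICY = """
subject /
/ r
/dev
/dev/grsec h
"""

if __name__ == "__main__":
    objs = parse_objects(POLICY)
    for p in ("/dev", "/dev/grsec", "/etc/passwd"):
        print(p, sorted(allowed_ops(objs, p)))
```

Running it shows `/dev` is find-only, `/dev/grsec` grants nothing, and `/etc/passwd` falls through to the `/ r` object and gains read.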
