How to get started with RBAC? [lame question] - add a role


Postby Raf256 » Thu Dec 29, 2005 2:30 pm

I wanted to start playing with RBAC, but I can't find a proper howto concerning simple questions:

1. how to build gradm2 (it was easy anyway, just ./configure && make install as root, as usual)

2. how to add a role (I want a role called "raf256adm" - to which user "raf256" will authenticate with a password if he wants to do special, administrative tasks. That is how it should be done, right?)
I tried adding "role raf256adm l" as in:
# tail /etc/grsec/policy

subject /sbin/klogd
+CAP_SYS_ADMIN

subject /usr/sbin/cron
/dev/log rw

role raf256adm l

but it didn't work:

# gradm -E
No role type specified for raf256adm on line 266 of /etc/grsec/policy.
The RBAC system will not be allowed to be enabled until this error is fixed.


3. how to learn the system
4. how to backup learning state, restore it, hand edit
5. how to enable, disable the protection based on learned/edited rules
6. example - a simple C program that does something without RBAC, and that is stopped from doing it while protection is activated
Raf256
 
Posts: 72
Joined: Mon Sep 19, 2005 8:38 pm

Postby Raf256 » Fri Dec 30, 2005 12:56 am

As Spender told me on IRC, changing "l" to "ls" fixed the problem,
role raf256adm ls
at end of /etc/grsec/policy
also I needed to create a password for that role,
gradm -P raf256adm
Raf256
 
Posts: 72
Joined: Mon Sep 19, 2005 8:38 pm
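
The error in the first post and the fix in the second come down to whether the role's flag string contains a role type. The following pre-flight check is an added example, not part of the original posts and not gradm's own code; it scans policy text for `role` declarations that lack a type before `gradm -E` is run. It assumes, following the grsecurity RBAC documentation, that the type flags are `u` (user), `g` (group) and `s` (special) and that the built-in `default` role needs none; the function name and sample text are constructed for illustration.

```python
import re

# Assumption: a role's type is one of u (user), g (group) or s (special),
# and the built-in "default" role is declared without any flags.
ROLE_TYPES = set("ugs")

# Matches "role <name> [<flags>]"; "role_transitions" lines do not match
# because whitespace is required directly after the word "role".
ROLE_LINE = re.compile(r"^\s*role\s+(\S+)(?:\s+(\S+))?\s*$")


def find_untyped_roles(policy_text):
    """Return (line_number, role_name, flags) for each role lacking a type flag."""
    problems = []
    for lineno, line in enumerate(policy_text.splitlines(), start=1):
        m = ROLE_LINE.match(line)
        if not m:
            continue
        name, flags = m.group(1), m.group(2) or ""
        if name == "default":
            continue
        # "l" alone only turns on learning; it does not say what kind of role this is.
        if not ROLE_TYPES & set(flags):
            problems.append((lineno, name, flags))
    return problems


# Constructed sample: the tail of the policy from the first post, followed by
# the corrected declaration from the second post.
SAMPLE_POLICY = """\
subject /usr/sbin/cron
/dev/log rw

role raf256adm l

role raf256adm ls
"""

if __name__ == "__main__":
    for lineno, name, flags in find_untyped_roles(SAMPLE_POLICY):
        print(f"line {lineno}: role {name} has flags '{flags}' but no type (u, g or s)")
```
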

