Very simple (too simple?) RBAC policy

Postby nux » Fri Apr 04, 2008 12:00 pm

I was wondering if it was possible to set up grsec RBAC to just simply set one file read-only. I've set up the RBAC in the past and it turned out to be more than necessary on the server. Now I'd just like to set an AIDE database read-only. I understand /etc/grsec and a few other files will need to be hidden too, but maintaining a policy for /bin, as an example, is what I'm trying to avoid.

Is this possible?

Thanks
nux
 
Posts: 1
Joined: Fri Apr 04, 2008 11:51 am

Re: Very simple (too simple?) RBAC policy

Postby cormander » Fri Apr 04, 2008 3:04 pm

Hello,

This is about as minimal a security policy as gradm will let you have. If you remove almost any of these lines, gradm will complain and won't enable the RBAC system. I made this based off of the policy that ships with grsecurity, slightly modified to slim it down to as bare as I could get it for you.

I do recommend you use something a little more secure, but this is better than nothing.

role admin sA
subject / rvka
        / rwcdmlxi

role default G
role_transitions admin
subject /
        /               rwxcd
        /dev
        /dev/grsec      h
        /dev/urandom    r
        /dev/random     r
        /dev/zero       rw
        /dev/input      rw
        /dev/psaux      rw
        /dev/null       rw
        /dev/tty?       rw
        /dev/console    rw
        /dev/tty        rw
        /dev/pts        rw
        /dev/ptmx       rw
        /dev/dsp        rw
        /dev/mixer      rw
        /dev/initctl    rw
        /dev/fd0        r
        /dev/cdrom      r
        /dev/mem        h
        /dev/kmem       h
        /dev/port       h
        /etc            rx
        /etc/grsec      h
        /proc           rwx
        /proc/kcore     h
        /proc/sys       r
        /root           r
        /tmp            rwcd
        /var/tmp        rwcd
        /boot           h
        /sys            r
        /lib            rx
        /usr/lib        rx
        /usr/local/sbin rx
        /usr/local/bin  rx
        /sbin           rx
        /bin            rx
        /usr/sbin       rx
        /usr/bin        rx
        /usr/X11R6/bin  rx

        -CAP_SYS_MODULE
        -CAP_SYS_RAWIO
        -CAP_MKNOD
        -CAP_SYS_ADMIN
        -CAP_SYS_BOOT
        -CAP_NET_ADMIN
        -CAP_NET_BIND_SERVICE
        -CAP_SYS_TTY_CONFIG
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm
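
Added example, not part of the original posts and not gradm code: a small checker that resolves which object line of the default role's `subject /` covers a given path, to confirm whether the AIDE database from the question ends up read-only. It assumes grsecurity's most-specific-path object matching and treats `w`, `a`, `c` and `d` as the write-type flags; the path `/var/lib/aide/aide.db` and the extra `/var/lib/aide r` line are assumptions, since the thread names neither.

```python
import fnmatch

# Constructed subset of the object lines from the posted default role.
POLICY = """\
/               rwxcd
/dev
/dev/grsec      h
/dev/tty?       rw
/etc            rx
/etc/grsec      h
/tmp            rwcd
/boot           h
"""
AIDE_DB = "/var/lib/aide/aide.db"      # assumed location, not from the thread
EXTRA_RULE = "/var/lib/aide r\n"       # hypothetical line protecting that directory

def parse_objects(text):
    """Return [(pattern, mode)] per object line; skip blanks and capability lines."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("/"):
            # An object with no flags (like /dev above) gets an empty mode.
            rules.append((fields[0], fields[1] if len(fields) > 1 else ""))
    return rules

def effective_rule(rules, path):
    """Walk from the full path up to "/" and return the first object that matches."""
    parts = path.rstrip("/").split("/")
    for depth in range(len(parts), 0, -1):
        candidate = "/".join(parts[:depth]) or "/"
        for pattern, mode in rules:
            if fnmatch.fnmatchcase(candidate, pattern):  # handles /dev/tty?
                return pattern, mode
    return None

def is_writable(mode):
    """True if the mode grants write, append, create or delete."""
    return any(flag in mode for flag in "wacd")

if __name__ == "__main__":
    for label, text in (("as posted", POLICY), ("with extra rule", POLICY + EXTRA_RULE)):
        pattern, mode = effective_rule(parse_objects(text), AIDE_DB)
        state = "WRITABLE" if is_writable(mode) else "read-only"
        print(f"{label}: {AIDE_DB} covered by {pattern!r} mode {mode!r} -> {state}")
```

With the policy as posted, the database path falls through to the `/ rwxcd` line, so it only becomes read-only for the default role once a more specific object line is added. The admin role's `/ rwcdmlxi` still permits writes after authenticating, which is what allows the database to be updated.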