[grsec] A couple of questions.. about how to use roles effectively.

Miguel Filipe miguel.filipe at gmail.com
Thu Jan 6 11:07:53 EST 2005


Hi there,

I'm doing learning for two roles for the two user accounts used on my
computer, that is, root and "miguel".

1)
I'm doing this because I run a bunch of apps as root:
cpudynd, ppbuttonsd (hardware manager for LCD brightness, sound volume, etc.),
gpm, and without this role, they were failing due to the default role
not being in learning mode.
Is it advisable to have a role for user root?

2)
Also, on the default role, I've put some subjects that are setuids or
regular services (fcron/syslog-ng/vsftpd/gpg etc.) in learning
mode...
Since there is a role for root, and those processes are running as
root (no ftp clients logged in), does putting these subjects in
learning mode make any sense?

3)
With grsec1 I've created policies only for certain apps/services, and
the rest of the system didn't have ACLs...
I think that this methodology is good since it offers an added
robustness, but without having buttloads of ACLs for the entire system
(and the trouble of configuring them well).

With grsec2, I thought about creating a policy for user root (for
everything that runs as root) (without doing sysadm tasks).
Also put services and setuids in learning mode..
and maybe a learning mode for my user.. since I do everything in it..
if this user is compromised the whole system is... right?

But where do I put the setuids and services in learning mode, in which role?
And, returning to question [1], is it advisable to have a role for the root user?

4)
Can I use a regular user (miguel) to do sysadm tasks without su'ing to root?
Like loading and removing modules, starting up and stopping networking
interfaces.. viewing the system logs.. etc.?
(Basically, does the grsec admin role bypass the traditional UNIX
permissions.. allowing a "specified non root" user to do modprobe and
rmmod.. and other stuff like that?)


TIA, keep up the good work Spender!

-- 
Miguel Sousa Filipe

