[grsec] effective dual roles / suggested enhancements

jnf jnf at nosec.net
Tue Jan 11 15:12:30 EST 2005



> If possible, use non-world-accessible home directories, then all
> policies in /home can be done with /home/*/.bash_history, etc in a group
> role, and any special users can be given their own user roles.

Ok, assuming I am understanding this correctly - I would do (in a group
role) like:

/home/*/.bash_history               rac

Wouldn't that give everyone in the group read/append/create access to
everyone else's home directories? I think I am misunderstanding something
there.



> What you're probably looking for then is already implemented as domains.
> You can also use $HOME in your policy.

Yes, I started in using the domains, however the (assumed) lack of env
variables was the problem - I didn't see any good way of grouping them
together into domains with their home directory, however having $HOME
being supported changes the entire makeup of things and is _very_ much
appreciated. Are there any other keywords that are supported?

>
> You're doing it wrong.  The auditing flags only enable auditing, they
> don't grant any permission.  I suppose however I could change this
> behavior, as it wouldn't break anything.

So I would need like:

/path    RWCDXrwcdx

to get my desired effect?
Hrm, I suppose it makes sense, it just never occurred to me while sifting
through the documentation.

>
> I don't have a timeline for this, though it is on my TODO list.

Either way I am going to contact you offlist about such things, I
appreciate the hard work, I do a little kernel hacking myself and have
looked through various aspects of your patch and I appreciate the effort
put into it.


> -Brad
>

jnf

