[grsec] effective dual roles / suggested enhancements

Brad Spengler spender at grsecurity.net
Wed Jan 12 22:23:03 EST 2005


> domain spender u brad1 brad2
> subject /bin/blah
>   ...
>   $HOME/.bash_history ra
> 
> and have it expanded to /home/brad1 for user brad1 and /home/brad2 for
> user brad2?

Sorry, I was wrong about this earlier.  Since domains are interpreted in 
the kernel (that is, they are basically a single role with a bunch of 
uids or gids attached to it that share the same policy), we can't do 
different policy for each user.  I've corrected gradm so that it errors 
upon use of $HOME with a domain.  I suggest using the /home/*/blah rules 
and setting your DAC permissions appropriately.

> BTW Did you ever implement continuation lines for domains?  A domain with
> many users/groups is rather difficult to read in simple editors like vi or
> pico and definately if the policy is printed out.

This is in gradm now.

domain somedomain u user1 user2 \
        user3 user4 user5 user6 \
	user7 ..etc

-Brad
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://grsecurity.net/pipermail/grsecurity/attachments/20050112/b4b7c9ac/attachment.pgp


More information about the grsecurity mailing list