[grsec] automatic policy adding?

John Anderson johnha at ccbill.com
Wed May 11 21:28:11 EDT 2005


role default G  <=== Group everyone who is not assigned a specific role 
into this group (only because the role name is default).

role_allow_transitions admin <=== Allow anyone in the default group to 
become grsec admin (probably not what you want to do, but for testing...)

subject  /  {  <== Define the access list for / when accessed from role 
default.
/   h  <=== Hide everything from default role
}

So basically, when you gradm -E you are telling grsec to hide everything 
from you, including the gradm binary that allows you to change roles!  
So your default role is allowed to transition to admin by invoking gradm 
-a admin, but your /    h object is hiding everything including bash, 
libc, etc. that will allow you to actually run the gradm binary.


Igor Gueths wrote:

>Hi all. I was just curious as to how this is supposed to work...If you have a role which goes something like this:
>role default G
>role_allow_transitions admin
>subject /
>/ h
>
>According to the comments in the default policy file that ships with Gradm:
>G -> This role can use gradm to authenticate to the kernel
>#      A policy for gradm will automatically be added to the role
>
>When in fact nothing is added that I can see to my policy file. In fact if I leave it as above and enable the RBAC system, I effectively lock myself out of the system and need to reboot... by
>shutting off the power. Am I misunderstanding something here? Or was that said in error? Thanks!
>  
>

-- 
- John A.
Systems Administrator
CCBill, LLC.
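A policy lint for the lockout John describes, added here as an example that is not from the thread or from gradm itself: it parses the simplified policy syntax shown above (accepting both the thread's `role_allow_transitions` and `role_transitions`), resolves each required path against the most specific matching object the way the RBAC system does, and reports roles that may transition but hide or cannot execute gradm, the shell, or the libraries. The paths in REQUIRED are assumptions; adjust them for the real system.

```python
"""Lint a gradm-style policy fragment for the lockout described above: a role
that may transition via gradm but hides gradm (and its runtime) from itself."""

# Assumed paths; adjust for the distribution's actual gradm, shell and library locations.
REQUIRED = {"/sbin/gradm": "x", "/bin/bash": "x", "/lib": "rx"}

def parse_policy(text):
    """Map role name -> flags, transition targets and {subject path: {object: mode}}."""
    roles, role, subject = {}, None, None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].replace("{", " ").split()
        if not parts or parts == ["}"]:
            continue
        if parts[0] == "role":
            role = roles.setdefault(parts[1], {"flags": "".join(parts[2:]),
                                                "transitions": [], "subjects": {}})
            subject = None
        elif parts[0] in ("role_transitions", "role_allow_transitions") and role:
            role["transitions"] += parts[1:]
        elif parts[0] == "subject" and role:
            subject = role["subjects"].setdefault(parts[1], {})
        elif subject is not None and len(parts) >= 2:
            subject[parts[0]] = parts[1]
    return roles

def longest_match(objects, path):
    """RBAC resolves an access against the most specific object whose path contains it."""
    hits = [o for o in objects if path == o or path.startswith(o.rstrip("/") + "/")]
    return max(hits, key=len) if hits else None

def lockout_risks(roles, required=REQUIRED):
    """Return {role: [paths hidden or lacking the needed mode]} for roles that can transition."""
    problems = {}
    for name, r in roles.items():
        if not r["transitions"]:
            continue
        objects = r["subjects"].get("/", {})
        missing = []
        for path, need in required.items():
            obj = longest_match(objects, path)
            mode = objects.get(obj, "") if obj else ""
            if "h" in mode or any(c not in mode for c in need):
                missing.append(path)
        if missing:
            problems[name] = missing
    return problems

# Constructed fragments: the lockout policy from the thread, and one that leaves
# gradm, the shell and the libraries reachable from the default role.
BROKEN = "role default G\nrole_allow_transitions admin\nsubject / {\n\t/\th\n}\n"
FIXED = BROKEN.replace("}", "\t/sbin/gradm\tx\n\t/bin/bash\tx\n\t/lib\trx\n}")

if __name__ == "__main__":
    print(lockout_risks(parse_policy(BROKEN)))  # {'default': ['/sbin/gradm', '/bin/bash', '/lib']}
    print(lockout_risks(parse_policy(FIXED)))   # {}
```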
