-
Notifications
You must be signed in to change notification settings - Fork 9
RBAC policy
pyllyukko edited this page Dec 16, 2016
·
17 revisions
- Start off with the example policy provided with
gradm - Decide what is sensitive and put that into
$grsec_denied - First create the basic role layout
- Create a
domainfor all regular users - Configure the default role with
/ h,-CAP_ALL,connect disabled&bind disabled
- Create a
- Create a sane (somewhat permissive) default subject for all interactive user roles, so that all the basic command line tools etc. work without having a separate subject
- For system/service roles, try to utilize full system learning generated policies, as they (should) have quite limited and predefined functionality and behavior. These should also have very restrictive default subject.
- Use policy inheritance as much as possible to keep the policy file small and manageable
- Restrict all capabilities by default
- Start fixing the policy by functionality, e.g. fix login, Xorg, audio, networking, cron, suspend, bluetooth, etc...
- Double-check policy tweaks from a separate reference policy created with full system learning
- Use inheritance for those problematic subjects that call stuff from everywhere (
/usr/lib64/pm-utils/bin/pm-actionis one example)
/usr/sbin/tigercron/usr/bin/rkhunter/usr/lib64/pm-utils/bin/pm-action/usr/lib64/sa/sa2
For most users the following should be enough:
/bin rx
/usr/bin rx
/usr/lib rx
/usr/lib64 rx
/usr/libexec rx
/usr/share rx
/lib rx
/lib64 rx
Remove stuff like /lib32, /libx32 & /lib64/modules, as they don't exist in Slackware system.
NTP settles for so little <3
# Role: root
subject /usr/sbin/ntpd o {
/ h
/etc/ntp/drift rwcd
/etc/ntp/drift.TEMP rwcd
-CAP_ALL
+CAP_SYS_TIME
}
# Role: root
subject /sbin/init o {
}
# Role: root
subject /bin/login
# Role: users
subject /bin/login
/dev/log rw
bind disabled
connect disabled
# Role: root
subject /sbin/agetty
-CAP_ALL
+CAP_CHOWN
+CAP_FSETID
+CAP_SYS_ADMIN
+CAP_SYS_TTY_CONFIG
bind disabled
connect disabled
+CAP_SYS_ADMIN for users?
# Role: root
subject /usr/bin/sudo
/dev/log rw
/var/log/sudo.log a
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_RESOURCE
bind disabled
connect disabled
# Role: users
subject /usr/bin/sudo
-CAP_ALL
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_RESOURCE
bind disabled
connect disabled
sock_allow_family netlink
-
/dev/dri/card0is for Xorg
domain users u pyllyukko
subject /
/ r
/bin rx
/dev
/dev/dri h
/dev/dri/card0 rw
/dev/fuse rw
/dev/null rw
/dev/zero rw
/dev/ptmx rw
/dev/pts rw
/dev/shm rwcd
/dev/tty rw
/dev/tty? rw
/dev/urandom r
/dev/random r
/tmp rwcd
/var/tmp rwcd
$grsec_denied