pyllyukko edited this page Nov 16, 2016 · 17 revisions

Strategy

  • Start off with the example policy provided with gradm
  • Decide what is sensitive and put that into $grsec_denied
  • First create the basic role layout
    • Create a domain for all regular users
    • Configure the default role with / h, -CAP_ALL, connect disabled and bind disabled (hide the whole filesystem, drop every capability, and forbid both outbound connections and listening sockets)
  • Use policy inheritance as much as possible to keep the policy file small and manageable
  • Restrict all capabilities by default
  • Start fixing the policy by functionality, e.g. fix login, Xorg, audio, networking, cron, suspend, bluetooth, etc.
  • Double-check policy tweaks from a separate reference policy created with full system learning
  • Use inheritance for those problematic subjects that call stuff from everywhere (/usr/lib64/pm-utils/bin/pm-action is one example)
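The skeleton below is an added illustration of the strategy in gradm policy syntax; it is not the wiki's own policy, and the paths, user names, object lists and network rules are assumptions chosen for the example.

```text
# Added example (not the wiki's policy): a skeleton that follows the strategy above.
# Paths, user names and object lists are assumptions.

# 1. Sensitive objects live in one variable and are reused by every subject
define grsec_denied {
	/boot		h
	/dev/grsec	h
	/etc/grsec	h
	/proc/kcore	h
}

# 2. Locked-down default role: hide the filesystem, drop all capabilities,
#    no outbound connections, no listening sockets
role default
subject /
	/		h
	$grsec_denied
	-CAP_ALL
	connect	disabled
	bind	disabled

# 3. One domain for all regular users (names are assumptions);
#    DAC still keeps the home directories apart
domain users u alice bob
subject /
	/		r
	/tmp		rwcd
	/home/alice	rwcdl
	/home/bob	rwcdl
	$grsec_denied
	-CAP_ALL
	connect	disabled
	bind	disabled

# 4. Fix by functionality: this more specific subject inherits the objects
#    of "subject /" above and only adds what ssh itself needs
subject /usr/bin/ssh
	/etc/ssh	r
	connect	0.0.0.0/0:22 stream tcp

# 5. A script that execs helpers from all over the system: the i subject
#    mode makes everything it launches run under this one subject
role root uG
subject /
	/		r
	$grsec_denied
	-CAP_ALL
	connect	disabled
	bind	disabled
subject /usr/lib64/pm-utils/bin/pm-action i
	/sys/power	w
```

Check the result against a reference policy produced by full system learning before enabling it, as the strategy above recommends.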

Details
