RBAC policy
pyllyukko edited this page Nov 16, 2016 · 17 revisions
- Start off with the example policy provided with `gradm`
- Decide what is sensitive and put that into `$grsec_denied`
- First create the basic role layout
  - Create a `domain` for all regular users
  - Configure the default role with `/ h`, `-CAP_ALL`, `connect disabled` & `bind disabled`
  - Create a
- Create a sane (somewhat permissive) default subject for all interactive user roles, so that all the basic command line tools etc. work without having a separate subject
- For system/service roles, try to utilize full system learning generated policies, as they (should) have quite limited and predefined functionality and behavior. These should also have a very restrictive default subject.
- Use policy inheritance as much as possible to keep the policy file small and manageable
- Restrict all capabilities by default
- Start fixing the policy by functionality, e.g. fix login, Xorg, audio, networking, cron, suspend, bluetooth, etc...
- Double-check policy tweaks from a separate reference policy created with full system learning
- Use inheritance for those problematic subjects that call stuff from everywhere (`/usr/lib64/pm-utils/bin/pm-action` is one example)
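The checklist above, laid out as a single policy skeleton in gradm's RBAC syntax. This is an added example, not the wiki's or pyllyukko's own policy file: the user names (`alice`, `bob`), the service role (`ntp`), the contents of `$grsec_denied` and the object lists under each subject are illustrative assumptions, and the way inheritance is applied to `pm-action` (marking the helpers it executes with object mode `i` so they keep running under the `pm-action` subject) is one reading of "use inheritance" for that case. The `/ h`, `-CAP_ALL`, `connect disabled` and `bind disabled` lines are the ones the checklist prescribes for the default role.

```conf
# Added example policy skeleton following the RBAC policy checklist.
# Not the wiki's own policy; paths, users and object lists are assumptions.

# Sensitive locations collected once and referenced as $grsec_denied
# inside every subject that should not see them (contents are assumed).
define grsec_denied {
	/boot		h
	/dev/grsec	h
	/etc/grsec	h
	/proc/kcore	h
	/proc/slabinfo	h
	/lib/modules	h
}

# Default role: deny-by-default for anything not matched by a role below.
role default
subject / {
	/		h
	-CAP_ALL
	connect	disabled
	bind	disabled
}

# Special admin role (s = special, A = administrative); entered with
# `gradm -a admin` when the policy itself needs maintenance.
role admin sA
subject / rvka
	/		rwcdmlxi
	+CAP_ALL

# root role (u = user role, G = may use gradm). Very restrictive default
# subject; per-binary subjects are added from full-system-learning output.
role root uG
subject / {
	/		h
	$grsec_denied
	-CAP_ALL
	connect	disabled
	bind	disabled
}

# Problematic subject that execs helpers from many places. Without the
# `o` mode it inherits the objects of the role's `/` subject above, and
# executables granted object mode `i` keep running under this subject
# instead of needing subjects of their own (assumed approach).
subject /usr/lib64/pm-utils/bin/pm-action {
	/			h
	/usr/lib64/pm-utils	rxi
	/bin			rxi
	/usr/bin		rxi
	/sys/power/state	w
	-CAP_ALL
	connect	disabled
	bind	disabled
}

# Domain covering all regular interactive users (user names assumed).
# Sane, somewhat permissive default subject so basic CLI tools work
# without a separate subject for each of them.
domain users u alice bob
subject / {
	/		r
	/home		rwcdl
	/tmp		rwcdl
	/var/tmp	rwcdl
	/bin		rx
	/usr/bin	rx
	/lib		rx
	/usr/lib	rx
	/dev		h
	/dev/null	rw
	/dev/tty*	rw
	/dev/pts	rw
	$grsec_denied
	-CAP_ALL
	connect	disabled
	bind	disabled
}

# Service role with a very restrictive default subject; the daemon's own
# subject is meant to come from a full-system-learning run, not hand-written.
role ntp u
subject / {
	/		h
	$grsec_denied
	-CAP_ALL
	connect	disabled
	bind	disabled
}
```

Run `gradm -C` against the policy before enabling it with `gradm -E`, and keep the learning-generated reference policy (from a `gradm -F -L <logfile>` run written out with `-O`) next to this file so that each hand-made tweak can be compared against what learning observed.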