RBAC policy

Strategy

• Start off with the example policy provided with gradm
• Decide what is sensitive and put that into $grsec_denied
• First create the basic role layout
  • Create a domain for all regular users
  • Configure the default role with / h, -CAP_ALL, connect disabled & bind disabled
• Create a sane (somewhat permissive) default subject for all interactive user roles, so that all the basic command line tools etc. work without having a separate subject
• For system/service roles, try to utilize full system learning generated policies, as they (should) have quite limited and predefined functionality and behavior. These should also have very restrictive default subject.
• Use policy inheritance as much as possible to keep the policy file small and manageable
• Restrict all capabilities by default
• Start fixing the policy by functionality, e.g. fix login, Xorg, audio, networking, cron, suspend, bluetooth, etc...
• Double-check policy tweaks from a separate reference policy created with full system learning
• Use inheritance for those problematic subjects that call stuff from everywhere (/usr/lib64/pm-utils/bin/pm-action is one example)

inherit-learn

• /usr/sbin/tigercron
• /usr/bin/rkhunter
• /usr/lib64/pm-utils/bin/pm-action

Details

/lib*

Remove stuff like /lib32, /libx32 & /lib64/modules, as they don't exist in Slackware system.

NTP

# Role: root
subject /usr/sbin/ntpd o {
        /                               h
        /etc/ntp/drift                  rwcd
        /etc/ntp/drift.TEMP             rwcd
        -CAP_ALL
        +CAP_SYS_TIME
}

/bin/login

# Role: root
subject /bin/login

# Role: users
subject /bin/login
	/dev/log                        rw
        bind    disabled
        connect disabled

/sbin/agetty

# Role: root
subject /sbin/agetty

/usr/bin/sudo

# Role: root
subject /usr/bin/sudo

# Role: users
subject /usr/bin/sudo