Skip to content
pyllyukko edited this page Dec 2, 2016 · 17 revisions

Strategy

  • Start off with the example policy provided with gradm
  • Decide what is sensitive and put that into $grsec_denied
  • First create the basic role layout
    • Create a domain for all regular users
    • Configure the default role with / h, -CAP_ALL, connect disabled & bind disabled
  • Create a sane (somewhat permissive) default subject for all interactive user roles, so that all the basic command line tools etc. work without having a separate subject
  • For system/service roles, try to utilize full system learning generated policies, as they (should) have quite limited and predefined functionality and behavior. These should also have very restrictive default subject.
  • Use policy inheritance as much as possible to keep the policy file small and manageable
  • Restrict all capabilities by default
  • Start fixing the policy by functionality, e.g. fix login, Xorg, audio, networking, cron, suspend, bluetooth, etc...
  • Double-check policy tweaks from a separate reference policy created with full system learning
  • Use inheritance for those problematic subjects that call stuff from everywhere (/usr/lib64/pm-utils/bin/pm-action is one example)

Details

/lib*

Remove stuff like /lib32, /libx32 & /lib64/modules, as they don't exist in Slackware system.

NTP

# Role: root
subject /usr/sbin/ntpd o {
        /                               h
        /etc/ntp/drift                  rwcd
        /etc/ntp/drift.TEMP             rwcd
        -CAP_ALL
        +CAP_SYS_TIME
}
Clone this wiki locally