# RBAC policy

pyllyukko edited this page Dec 2, 2016 · 17 revisions
- Start off with the example policy provided with `gradm`
- Decide what is sensitive and put that into `$grsec_denied`
- First create the basic role layout
  - Create a domain for all regular users
  - Configure the default role with `/ h`, `-CAP_ALL`, `connect disabled` & `bind disabled`
  - Create a
- Create a sane (somewhat permissive) default subject for all interactive user roles, so that all the basic command line tools etc. work without needing a separate subject for each of them
- For system/service roles, use policies generated with full system learning, as those roles (should) have quite limited and predefined functionality and behaviour. They should also have a very restrictive default subject.
- Use policy inheritance as much as possible to keep the policy file small and manageable
- Restrict all capabilities by default (`-CAP_ALL`, then add back only what the subject needs)
- Fix the policy one piece of functionality at a time, e.g. login, Xorg, audio, networking, cron, suspend, bluetooth, etc.
- Double-check every policy tweak against a separate reference policy created with full system learning
- Use inheritance for those problematic subjects that call stuff from everywhere (`/usr/lib64/pm-utils/bin/pm-action` is one example):
  - `/usr/sbin/tigercron`
  - `/usr/bin/rkhunter`
  - `/usr/lib64/pm-utils/bin/pm-action`
- Remove stuff like `/lib32`, `/libx32` & `/lib64/modules`, as they don't exist on a Slackware system
```
# Role: root
subject /usr/sbin/ntpd o {
	/			h
	/etc/ntp/drift		rwcd
	/etc/ntp/drift.TEMP	rwcd
	-CAP_ALL
	+CAP_SYS_TIME
}

# Role: root
subject /bin/#

# Role: users
subject /bin/#
	/dev/log		rw
	bind			disabled
	connect			disabled

# Role: root
subject /sbin/agetty
	-CAP_ALL
	+CAP_CHOWN
	+CAP_FSETID
	+CAP_SYS_ADMIN
	+CAP_SYS_TTY_CONFIG
	bind			disabled
	connect			disabled

# Role: root
subject /usr/bin/sudo

# Role: users
subject /usr/bin/sudo
```