brendlefly62 (Tux's lil' helper; joined 19 Dec 2009; 133 posts)
Posted: Sat Oct 11, 2014 4:24 pm
Post subject: need help with grsecurity (RBAC) configuration
I'm having trouble establishing a workable grsec policy, and I'm looking for help.

To start with context, I've been using hardened-sources with just the kernel enhancements and PaX for several years. I presently have three systems on which I'd like to try to add the RBAC ACL support that grsecurity allows you to manage with gradm: (1) a router/firewall/dns/wins server, (2) a XEN server [with dom0 configured as an xorg kde desktop], and (3) a XEN guest [with domU minimally configured, intended to be a deployable image for a headless ___-server].

In each of these, I've been through a few cycles of learning mode, but I seem to always end up doing some sort of denial of service to myself.

I find it to be a pain in the butt to determine that the policy resulting from my use of Full Learning mode always needs to have a couple of its roles tweaked... but to enable learning on those modes, you have to delete all subjects registered under the role... and I'm nowhere near comfortable with trying to do "subject level" learning rather than role-level... I wouldn't know exactly how to identify the subjects in the first place... just like I don't know how to identify what roles might be missing altogether...

... and then when I have the new learning file/roles generated, I have to cut/paste to get them into the policy...

... and then, to get the new policy running, I have to go through several iterations of "gradm -C" and edit the policy to correct mismatched permissions on symlink/target pairs, or edit the ownership of mismatched symlink/target pairs...

... and the network "allow_ip" and "connect" entries appear to only pick up the specific interactions with clients that occur during the learning session, and I need to edit those entries to make them general enough to accept connections from other clients in my supported subnets...

Is there a simpler way to do this that I've just missed?
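The last point in the post above (learned "connect"/"bind"/"role_allow_ip" lines only cover the hosts that happened to talk to the box during the learning run) is mechanical enough to script. The following is an added example, not code from the original post and not part of gradm or grsecurity. It post-processes a learned policy: any rule whose address is a single IPv4 host inside one of the subnets you say you support is widened to that subnet, duplicate rules that collapse onto the same line within a subject are dropped, and everything else (ranges the learner already produced, "connect disabled", hosts outside your subnets such as an upstream resolver, the wildcard bind) is left untouched so that nothing gets broader than you asked for. Assumptions: the rule syntax is the gradm policy format as I know it ("connect <ip>/<mask>:<port> <socktype> <proto>", "bind ...", "role_allow_ip <ip>/<mask>"), only IPv4 is handled, the SUPPORTED_SUBNETS list is a placeholder for your own networks, and the sample policy lines are constructed for illustration rather than taken from any real system. Run "gradm -C" on the result before enabling it, exactly as the post describes.

```python
"""Widen single-host network rules in a gradm full-learning policy to
the subnets the administrator actually serves.

Added example, not gradm's own code. Rule syntax is assumed from the
grsecurity RBAC policy format; sample policy below is constructed.
"""
import ipaddress
import re
from typing import Iterable, List

# Placeholder for the subnets you support (assumption for the example).
SUPPORTED_SUBNETS = [
    ipaddress.IPv4Network("192.168.1.0/24"),
    ipaddress.IPv4Network("10.0.0.0/16"),
]

# Matches "connect", "bind" and "role_allow_ip" rules; the target is the
# whitespace-free token after the keyword, e.g. "192.168.1.5/32:53".
NET_RULE_RE = re.compile(
    r"^(?P<indent>\s*)(?P<kw>connect|bind|role_allow_ip)\s+(?P<target>\S+)(?P<rest>.*)$"
)


def widen_target(target: str, subnets: Iterable[ipaddress.IPv4Network]) -> str:
    """Return the target with a single-host IPv4 prefix replaced by the
    supported subnet that contains it; anything else is returned as-is."""
    addr, sep, port = target.partition(":")  # role_allow_ip has no ":port"
    try:
        net = ipaddress.IPv4Network(addr, strict=False)
    except ValueError:
        return target  # "disabled", or a form we do not understand: keep it
    if net.num_addresses != 1:
        return target  # already a range; assume it was chosen deliberately
    for subnet in subnets:
        if net.subnet_of(subnet):
            return f"{subnet}{sep}{port}"
    return target  # host outside the supported subnets stays host-specific


def widen_policy(lines: Iterable[str],
                 subnets: Iterable[ipaddress.IPv4Network] = SUPPORTED_SUBNETS) -> List[str]:
    """Rewrite network rules line by line, deduplicating rules that become
    identical within the same role/subject block."""
    subnets = list(subnets)
    out: List[str] = []
    seen = set()
    for line in lines:
        stripped = line.strip()
        if stripped.startswith(("role ", "subject ")):
            seen = set()  # network rules are scoped to the enclosing block
            out.append(line)
            continue
        m = NET_RULE_RE.match(line)
        if not m:
            out.append(line)
            continue
        new_line = f"{m['indent']}{m['kw']} {widen_target(m['target'], subnets)}{m['rest']}"
        if new_line.strip() in seen:
            continue  # e.g. two learned /32 hosts collapsed onto one /24 rule
        seen.add(new_line.strip())
        out.append(new_line)
    return out


# Constructed sample of what a full-learning run might emit for a DNS host.
LEARNED_POLICY = [
    "role admin sA",
    "role_allow_ip 192.168.1.10/32",
    "subject / rvka",
    "\t/ rwcdmlxi",
    "",
    "role default G",
    "role_transitions admin",
    "subject /",
    "\t/ h",
    "\t/etc r",
    "\tconnect disabled",
    "\tbind disabled",
    "",
    "subject /usr/sbin/named o",
    "\t/ h",
    "\t/etc/bind r",
    "\tbind 0.0.0.0/32:53 dgram udp",
    "\tconnect 192.168.1.5/32:53 dgram udp",
    "\tconnect 192.168.1.7/32:53 dgram udp",
    "\tconnect 8.8.8.8/32:53 dgram udp",
]

if __name__ == "__main__":
    print("\n".join(widen_policy(LEARNED_POLICY)))
```

In the sample, the two learned client connects from 192.168.1.5 and 192.168.1.7 become a single "connect 192.168.1.0/24:53 dgram udp", the admin role's "role_allow_ip" is widened the same way, while the connect to 8.8.8.8 and the wildcard bind are preserved because they are not inside a supported subnet. Review the diff against the learned file before installing it; widening is exactly the kind of change that should be a conscious decision per role.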
miroR (l33t; joined 05 Mar 2008; 826 posts)
Posted: Wed Oct 15, 2014 2:57 pm
Dear fellow in FOSS Linux,

I'm not an expert. However, I'll be (re)doing it myself, the RBAC configuration, and maybe we get better help together.

Hard to tell much without the emerge --info, even though I have been using, and successfully reporting to forums.grsecurity.net about, Grsecurity and its battles against, arguably, spyware in my systems.

Generally, it's:
https://en.wikibooks.org/wiki/Grsecurity
and the Grsec forums...