Gentoo Forums
need help with grsecurity (RBAC) configuration
brendlefly62
Tux's lil' helper
Joined: 19 Dec 2009
Posts: 95

Posted: Sat Oct 11, 2014 4:24 pm    Post subject: need help with grsecurity (RBAC) configuration

I'm having trouble with establishing a workable grsec policy, and I'm looking for help.

To start with context, I've been using hardened-sources with just the kernel enhancements and PaX for several years. I presently have three systems on which I'd like to try to add the RBAC ACL support that grsecurity allows you to manage with gradm: (1) router/firewall/dns/wins server, (2) XEN server [with dom0 configured as an xorg kde desktop], and (3) XEN guest [with domU minimally configured, intended to be a deployable image for a headless ___-server].

In each of these, I've been through a few cycles of learning mode, but I seem to always end up doing some sort of denial of service to myself.

I find it to be a pain in the butt to determine that the policy resulting from my use of Full Learning mode always needs to have a couple of its roles tweaked... but to enable learning on those modes, you have to delete all subjects registered under the role... and I'm nowhere near comfortable with trying to do "subject level" learning rather than role-level... wouldn't know exactly how to identify the subjects in the first place... just like I don't know how to identify what roles might be missing altogether...

... and then when I have the new learning file/roles generated, I have to cut/paste to get them into the policy...

... and then, to get the new policy running, I have to go through several iterations of "gradm -C" and edit the policy to correct mis-matched permissions on symlink/target pairs, or edit the ownership of mismatched symlink/target pairs...

... and the network "allow_ip" and "connect" entries appear to only pick up the specific interactions with clients that occur during the learning session, and I need to edit those entries to make them general enough to accept connections from other clients in my supported subnets...

Is there a simpler way to do this, that I've just missed?
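One way to take the tedium out of widening the learned `connect`/`bind`/`role_allow_ip` entries to whole subnets, as an added example (not code from this thread or from grsecurity itself): a small Python filter that rewrites single-host addresses to the enclosing supported subnet and drops the duplicate rules this produces. The `/32` suffix on learned rules, the subnet list and the `named` excerpt are assumptions; the rewritten policy still goes through `gradm -C` as before.

```python
"""Widen host-specific network rules in a learned grsecurity RBAC policy.
Rules whose address lies inside one of SUPPORTED_SUBNETS are rewritten to that
subnet (e.g. 192.168.1.37/32 -> 192.168.1.0/24); everything else is kept."""
import ipaddress
import re

# Subnets this host is meant to serve: assumed values, adjust to your site.
SUPPORTED_SUBNETS = [ipaddress.ip_network("192.168.1.0/24"),
                     ipaddress.ip_network("10.0.0.0/16")]

# connect/bind/role_allow_ip rules: IPv4 address, optional /mask, then tail.
RULE_RE = re.compile(
    r"^(?P<indent>\s*)(?P<kw>connect|bind|role_allow_ip)\s+"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})(?:/(?P<mask>\d{1,2}))?(?P<rest>.*)$")

def widen_rule(line, subnets=SUPPORTED_SUBNETS):
    """Return the line with a single-host address replaced by its subnet."""
    m = RULE_RE.match(line)
    if not m:
        return line
    if int(m.group("mask") or 32) != 32:   # already a range or 0.0.0.0/0
        return line
    host = ipaddress.ip_address(m.group("addr"))
    for net in subnets:
        if host in net:
            return (f"{m.group('indent')}{m.group('kw')}\t"
                    f"{net.with_prefixlen}{m.group('rest')}")
    return line                            # e.g. 127.0.0.1: not a served net

def generalize_policy(text, subnets=SUPPORTED_SUBNETS):
    """Apply widen_rule to each line, dropping rules that became duplicates."""
    out, seen = [], set()
    for line in text.splitlines():
        new = widen_rule(line, subnets)
        if RULE_RE.match(new) and new.strip() in seen:
            continue
        seen.add(new.strip())
        out.append(new)
    return "\n".join(out) + "\n"

# Constructed excerpt of what learning might record for a DNS server subject.
LEARNED = """\
subject /usr/sbin/named o
\tconnect\t192.168.1.37/32:53 dgram udp
\tconnect\t192.168.1.51/32:53 dgram udp
\tconnect\t127.0.0.1/32:53 dgram udp
\tbind\t0.0.0.0/0:53 dgram udp
"""
if __name__ == "__main__":
    print(generalize_policy(LEARNED), end="")
```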
miroR
l33t
Joined: 05 Mar 2008
Posts: 826

Posted: Wed Oct 15, 2014 2:57 pm    Post subject:

Code:

emerge --info

Dear fellow in FOSS Linux.
But I'm not an expert.
However, I'll be (re)doing it myself, the RBAC configuration, and maybe we get better help together.
Hard to tell much without the emerge --info, even though I have been using, and successfully reporting to forums.grsecurity.net about Grsecurity and its battles against, arguably, spyware in my systems.
Generally, it's:
https://en.wikibooks.org/wiki/Grsecurity
and the Grsec forums...