
[alpine-devel] grsecurity RBAC for Alpine 2.2

William Pitcock
Message ID
<20110202205941.4c8ce4ff@petrie>
Sender timestamp
1296701981
DKIM signature
missing
hi,

i've been working on setting up RBAC integration for alpine 2.2, which
we can then enable by default in e.g. setup-alpine.

the plan is to have as /etc/grsec/policy:

include_dir /etc/grsec/policy.d

which allows packages to ship grsec policy files
in /etc/grsec/policy.d, e.g. /etc/grsec/policy.d/openssh
and /etc/grsec/policy.d/busybox containing RBAC policy considerations
for those packages.

this will make alpine even more locked down as UID=0 becomes basically
meaningless if the RBAC system is enabled.  in combination with our
other security measures, this should be an entirely overkill solution
for everybody's needs.

in setup-alpine we will do the following:

- prompt if the user wants to enable role-based access control
- if the user says yes, we will create a default admin role and prompt
  for a password and enable the grsec-rbac initscript at boot time.
- if the user says no, then we do nothing...

considerations:

- should we only allow RBAC on server and embedded targets for 2.2?
  (e.g. not on desktop installs; this means setup-desktop disables the
  grsec-rbac initscript for 2.2)

i'm presently working on the initscript and gradm integration, then
i'll put gradm in main.  once i have gradm in main, i'll commit package
updates adding policy bits to the core packages (openssh, udev,
busybox, and so on).

- nenolod


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---
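The proposal above merges per-package fragments from a drop-in directory into the root policy. The script below is an added example, not code from this thread or from Alpine's setup-alpine, grsec-rbac initscript or gradm packaging: it sanity-checks such a directory (the proposal's /etc/grsec/policy.d) before the fragments are trusted, and then merges them the way an include_dir directive would. Assumed, not taken from the thread: the function names, the exact checks, the constructed sample fragments used in the usage comments, and a stat(1) that accepts `-c '%u %a'` (GNU coreutils and busybox both do). The security point it makes is the one that follows from the proposal: every fragment becomes part of the policy that constrains UID 0, so a fragment that a non-root user can replace or edit undoes the whole arrangement.

```sh
#!/bin/sh
# Added example: validate and merge a grsecurity RBAC policy.d directory.
# Not code from the alpine-devel thread or from Alpine's own packages.
# Assumptions (not from the page): function names, the checks below, and
# a stat(1) supporting -c '%u %a' (GNU coreutils or busybox).

# check_policy_dir DIR [UID]
# Reject anything in DIR that should not feed the root policy: symlinks,
# non-regular files, files not owned by UID (default 0), and files whose
# group or other permission set has the write bit. Returns 0 when every
# fragment passes, 1 otherwise; each offending file is reported on stderr.
check_policy_dir() {
    dir=$1
    want_uid=${2:-0}
    rc=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    for f in "$dir"/*; do
        # an empty directory leaves the glob unexpanded; -L catches dangling links
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -L "$f" ]; then
            echo "symlink rejected: $f" >&2; rc=1; continue
        fi
        if [ ! -f "$f" ]; then
            echo "not a regular file: $f" >&2; rc=1; continue
        fi
        set -- $(stat -c '%u %a' "$f")    # owner uid and octal mode, e.g. "0 644"
        uid=$1 mode=$2
        if [ "$uid" != "$want_uid" ]; then
            echo "owned by uid $uid, expected $want_uid: $f" >&2; rc=1
        fi
        # The last two octal digits are the group and other permission sets;
        # a digit of 2, 3, 6 or 7 has the write bit set.
        grp=${mode%?}; grp=${grp#"${grp%?}"}
        oth=${mode#"${mode%?}"}
        case "$grp$oth" in
            *[2367]*) echo "group/world writable (mode $mode): $f" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# build_policy DIR OUT
# Emulates an include_dir directive: concatenate every regular file in DIR
# in glob (sorted) order into OUT, bracketing each fragment with a comment
# naming its source so that a parse error can be traced back to the package
# that shipped the rule. Prints the number of fragments merged. Run
# check_policy_dir first; this function does not repeat its checks.
build_policy() {
    dir=$1
    out=$2
    n=0
    : > "$out"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '# begin %s\n' "$f" >> "$out"
        cat "$f" >> "$out"
        printf '# end %s\n' "$f" >> "$out"
        n=$((n + 1))
    done
    echo "$n"
}

# Usage sketch (constructed sample fragments, not real package policy):
#   printf 'role admin sA\nsubject / rvka\n' > /etc/grsec/policy.d/00-base
#   printf 'subject /usr/sbin/sshd o\n'      > /etc/grsec/policy.d/openssh
#   check_policy_dir /etc/grsec/policy.d && build_policy /etc/grsec/policy.d /tmp/policy.merged
```

In the proposal gradm itself would read the include_dir line, so the merge step is only there to show what the directive amounts to; the check is the part an initscript could run before enabling RBAC, refusing to start if a package or an administrator left a fragment writable or replaced it with a link.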
Natanael Copa
Message ID
<20110203132254.5f1ebbef@alpinelinux.org>
In-Reply-To
<20110202205941.4c8ce4ff@petrie>
Sender timestamp
1296739374
DKIM signature
missing
On Wed, 2 Feb 2011 20:59:41 -0600
William Pitcock <nenolod@dereferenced.org> wrote:

> hi,
> 
> i've been working on setting up RBAC integration for alpine 2.2, which
> we can then enable by default in e.g. setup-alpine.

nice!

> the plan is to have as /etc/grsec/policy:
> 
> include_dir /etc/grsec/policy.d
> 
> which allows packages to ship grsec policy files
> in /etc/grsec/policy.d, e.g. /etc/grsec/policy.d/openssh
> and /etc/grsec/policy.d/busybox containing RBAC policy considerations
> for those packages.
> 
> this will make alpine even more locked down as UID=0 becomes basically
> meaningless if the RBAC system is enabled.  in combination with our
> other security measures, this should be an entirely overkill solution
> for everybody's needs.

cool!

I'm mostly afraid of the maintenance burden for the RBAC rules, but I
like the idea of an extra layer of protection.

> in setup-alpine we will do the following:
> 
> - prompt if the user wants to enable role-based access control
> - if the user says yes, we will create a default admin role and prompt
>   for a password and enable the grsec-rbac initscript at boot time.
> - if the user says no, then we do nothing...
> 
> considerations:
> 
> - should we only allow RBAC on server and embedded targets for 2.2?
>   (e.g. not on desktop installs; this means setup-desktop disables the
>   grsec-rbac initscript for 2.2)

I think RBAC should be disabled by default for desktop but it should be
possible to enable it. I suppose dbus services might cause some
headache.
> i'm presently working on the initscript and gradm integration, then
> i'll put gradm in main.  once i have gradm in main, i'll commit
> package updates adding policy bits to the core packages (openssh,
> udev, busybox, and so on).

thanks for working on this.

-nc

