Date: Thu, 3 Feb 2011 13:22:54 +0000
From: Natanael Copa
To: William Pitcock
Cc: alpine-devel@lists.alpinelinux.org
Subject: Re: [alpine-devel] grsecurity RBAC for Alpine 2.2

On Wed, 2 Feb 2011 20:59:41 -0600
William Pitcock wrote:

> hi,
>
> i've been working on setting up RBAC integration for alpine 2.2, which
> we can then enable by default in e.g. setup-alpine.

nice!

> the plan is to have as /etc/grsec/policy:
>
> include_dir /etc/grsec/policy.d
>
> which allows packages to ship grsec policy files
> in /etc/grsec/policy.d, e.g. /etc/grsec/policy.d/openssh
> and /etc/grsec/policy.d/busybox containing RBAC policy considerations
> for those packages.
>
> this will make alpine even more locked down as UID=0 becomes basically
> meaningless if the RBAC system is enabled. in combination with our
> other security measures, this should be an entirely overkill solution
> for everybody's needs.

cool!

I'm mostly afraid of the maintenance burden for the RBAC rules, but I
like the idea of an extra layer of protection.

> in setup-alpine we will do the following:
>
> - prompt if the user wants to enable role-based access control
> - if the user says yes, we will create a default admin role and prompt
>   for a password and enable the grsec-rbac initscript at boottime.
> - if the user says no, then we do nothing...
>
> considerations:
>
> - should we only allow RBAC on server and embedded targets for 2.2?
>   (e.g. not on desktop installs; this means setup-desktop disables the
>   grsec-rbac initscript for 2.2)

I think RBAC should be disabled by default for desktop but it should be
possible to enable it. I suppose dbus services might cause some
headache.

> i'm presently working on the initscript and gradm integration, then
> i'll put gradm in main. once i have gradm in main, i'll commit
> package updates adding policy bits to the core packages (openssh,
> udev, busybox, so on.)

thanks for working on this.

-nc