For discussion of Alpine Linux development and developer support


[alpine-devel] RBAC feature of grsecurity

Natanael Copa
Message ID: <20120123160641.685747db@ncopa-desktop.nor.wtbts.net>
Sender timestamp: 1327331201
DKIM signature: missing
Hi,

Does anybody know anyone who is actually using, or has plans to use, the RBAC
feature in grsecurity?

I have never used it and wonder if we can disable it in kernel config
and re-enable it if someone asks for it.

-nc


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---
William Pitcock
Message ID: <CA+T2pCGz_i4zm01ZzX6rGvbhgOK7udr8hZyEoQoHtC8Lngrq3g@mail.gmail.com>
In-Reply-To: <20120123160641.685747db@ncopa-desktop.nor.wtbts.net>
Sender timestamp: 1347905693
DKIM signature: missing
Hello!

Sorry for the long delay in replying to this.  Last year, I attempted
to create infrastructure as part of the gradm2 package to create a
targeted profile for grsecurity, where applications supplied profiles
which would be installed into the main ruleset.  The base policy I
came up with is described here:

http://git.alpinelinux.org/cgit/aports/tree/main/gradm/base.policyd

It used to work pretty well -- you could install the gradm package,
set an admin password and then add it to the init system to put the
system into enforcing mode at boot time.

However, I think that grsecurity's RBAC has some problems for
maintainability, namely that all updates to gradm may break the system
policy files, requiring massive changes in the kernel, and older gradm
cannot be used with newer grsecurity kernels.

I think AppArmor, which is also included in the kernel (perhaps with
some patches to integrate it into PaX) is a better solution for what
we want here instead of grsecurity's RBAC.

William

On Mon, Jan 23, 2012 at 9:06 AM, Natanael Copa <ncopa@alpinelinux.org> wrote:
> Hi,
>
> Does anybody know anyone who is actually using, or has plans to use, the RBAC
> feature in grsecurity?
>
> I have never used it and wonder if we can disable it in kernel config
> and re-enable it if someone asks for it.
>
> -nc
