From: William Pitcock
To: Natanael Copa
Cc: alpine-devel@lists.alpinelinux.org
Date: Mon, 17 Sep 2012 13:14:53 -0500
Subject: Re: [alpine-devel] RBAC feature of grsecurity

Hello!

Sorry for the long delay in replying to this.

Last year, I attempted to create infrastructure as part of the gradm2 package to create a targeted profile for grsecurity, where applications supplied profiles which would be installed into the main ruleset. The base policy I came up with is described here:

http://git.alpinelinux.org/cgit/aports/tree/main/gradm/base.policyd

It used to work pretty well -- you could install the gradm package, set an admin password and then add it to the init system to put the system into enforcing mode at boot time.

However, I think that grsecurity's RBAC has some problems for maintainability, namely that all updates to gradm may break the system policy files, requiring massive changes in the kernel, and older gradm cannot be used with newer grsecurity kernels.

I think AppArmor, which is also included in the kernel (perhaps with some patches to integrate it into PaX), is a better solution for what we want here instead of grsecurity's RBAC.

William

On Mon, Jan 23, 2012 at 9:06 AM, Natanael Copa wrote:
> Hi,
>
> Does anybody know anyone actually using or have plans to use the RBAC
> feature in grsecurity?
>
> I have never used it and wonder if we can disable it in kernel config
> and re-enable it if someone asks for it.
>
> -nc