A few notes I wrote down about enabling the (very intense) grsecurity RBAC system on micro.
- If a role has role_allow_ip defined and you "do something" from an IP address that is not in that allowed list, you end up in the default role instead. That can be hard to figure out at first: you know you have a role set up for the user, but you're not ending up in it. The source address is why.
- An object with the i (inherit) flag in a less specific subject will override a more specific subject, i.e. this "/" subject:

```
subject / o {
    /bin rxi
}
```

will win over this one:

```
subject /bin/bash o {
}
```

/bin/bash will run under the policy of the first subject, not the second.
- To be able to unlink (delete!) a file, the object needs both the d and the w mode. d alone isn't enough.
- Be VERY careful with the C subject flag. On a violation it kills every process with the same IP address, silently. Your MySQL server might be dead and you won't know it.
- Shared libraries (.so) need the rx object mode; x alone isn't enough:

```
subject /bin/bash {
    /
    /lib rx
}
```
- The -V flag to gradm -E will give some useful information!