Although SELinux and AppArmor get all the attention as the hot new Mandatory Access Control (MAC) infrastructures for Linux and Unix kernels, there is an oft-neglected, battle-scarred oldtimer that has long served well using Role-Based Access Controls (RBAC): grsecurity.
RBAC is similar to MAC but is more flexible and easier to manage. Suppose you’re running a Web server: With grsecurity, you’ll create a role or a number of roles, depending on the complexity of your server, for the various services and processes needed to run the server. Each role will have a set of permissions that ideally will be the minimum necessary, and no more. You’ll have system users and human users, just like in an ordinary Unix system.
However, instead of controlling access with users, groups and file permissions, the users are assigned specific roles. Like SELinux and AppArmor, grsecurity takes away the power of root compromises.
This opens up all kinds of possibilities for delegating and controlling resources. Rather than hassling with permissions and ownership, you can create different roles for different situations (e.g., users who require only a limited set of network clients, such as e-mail and Web browsers, or server administrators restricted to a limited set of services). You can easily assign a junior admin control of an NFS server without giving him keys to the kingdom, and you can just as easily take it away.
grsecurity scales up nicely, as demonstrated by the hosting company Dreamhost, which uses grsecurity to manage shared hosting accounts. It comes with a “learning” tool that builds system policies for you. Visit grsecurity for excellent documentation and help. Kernel Rebuild Guide may also be helpful.
This article was first published on ServerWatch.com.