freedomofpress / ansible-role-grsecurity

The documentation and build system for the grsecurity kernel maintained by the Freedom of the Press Foundation for SecureDrop
GNU General Public License v2.0

gradm integration #40

Closed ageis closed 7 years ago

ageis commented 8 years ago

The install role or a new, separate role might handle downloading and building gradm, the utility for managing the grsecurity RBAC (role-based access control) system, which allows further system hardening based upon grsecurity.

The package 'gradm2' in Debian, aside from being slightly outdated, does not work with our kernels because it's built to work with /dev/grsec2 instead of the proper /dev/grsec. I think it's meant to be used with the similarly outdated linux-patch-grsecurity2 package.

Packages that are required to build gradm: build-essential, bison and flex. Running make install places some important files in /etc/grsec. We might want to look at how Debian builds their gradm .deb package, update the sources and automate that process so we don't have to always require compilation / running make install.

Or we can talk to the maintainer and get them to fix the issues with gradm2. I've already reached out to them.
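A check for the device-node mismatch described in the comment above, added here as an example and not part of the thread or the project's code. It assumes the gradm binary carries its device path as a literal string; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare the device path embedded in a gradm binary with the
# grsecurity device node actually present on the system.
# Assumption: the path (/dev/grsec or /dev/grsec2) is a literal string in the binary.

# Print each distinct /dev/grsec* path found in the binary, one per line.
gradm_dev_paths() {
    grep -a -o '/dev/grsec[0-9]*' "$1" 2>/dev/null | sort -u
}

# check_gradm_dev BINARY [DEVDIR]
# Returns 0 if a device node the binary expects exists, 1 if none does,
# and 2 if the binary is unreadable or contains no /dev/grsec* path.
check_gradm_dev() {
    bin=$1
    devdir=${2:-/dev}   # overridable so the check can be exercised offline
    [ -r "$bin" ] || { echo "cannot read $bin"; return 2; }
    paths=$(gradm_dev_paths "$bin" || true)
    [ -n "$paths" ] || { echo "no /dev/grsec* path found in $bin"; return 2; }
    for p in $paths; do
        node="$devdir/${p#/dev/}"
        if [ -e "$node" ]; then
            echo "ok: $bin expects $p, present as $node"
            return 0
        fi
    done
    echo "mismatch: $bin expects" $paths "but none exists under $devdir"
    return 1
}

# When called with arguments, run the check: sh check.sh /path/to/gradm
if [ $# -gt 0 ]; then
    check_gradm_dev "$@"
fi
```

A non-zero exit status can gate a provisioning step so that RBAC setup is not attempted with a gradm build that targets the wrong device.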

conorsch commented 7 years ago

> The install role or a new, separate role might handle downloading and building gradm

Out of scope for this repo, but it's a neat idea. Definitely warrants its own role, but internally we're not making use of grsecurity's RBAC yet, so I don't expect it to happen soon.