Table of Contents

Selecting a Security Model Combination

Note: Please see the Security Modules page for more information about the different modules and the model they provide

Let's start by reviewing the module table

In the following table, you can find a summary of every available module.

The Code Name is the name RSBAC uses to identify that module.

The Use column helps out if you are not sure of what modules to use:

The Short description column links to a description of the module in the current page.

The In depth description column links to a section completely dedicated to this module, explaining the functionality and usage in details.

Module NameCode nameUseShort descriptionIn depth description
Authenticated UserAUTHAlwaysAuthenticate UsersYes
Role CompatibilityRCLikelyRole based access controlYes
JailJAILLikelyEncapsulation of individual processesYes
Linux CapacitiesCAPLikelyManages Linux CapacitiesYes
PageexecPAXLikelyPrevention against unwanted code executionNo
DazukoDAZOptionalOn-access anti-virus scannerYes
User Space Decision Facility (from 1.4.8)UDFOptionalUser space decisions, e.g. malware scanningNo
File FlagsFFOptionalSet special access control flags per file/dirYes
Linux ResourcesRESOptionalManages Linux ResourcesNo
User ManagementUMOptionalManage system Users in kernelYes
Access Control ListsACLOptionalExtensive Access Control ListsYes
Privacy Model (removed in 1.4.8)PMOptionalControls data privacy in conformance to EU lawsNo
Mandatory Access ControlMACUnlikelyMulti Layer Access ControlYes

Selecting the modules You need

Alright, the above table pretty much sums up what modules are offered to you, what they do, and how likely it is that you want to use them. Quite a few of them are very case specific however. When you know them all in details, you will be able to choose by yourself what fits your requirements.

To get your started, here are a few safe combinations that are commonly used:


Note: the modules in brackets are left to your consideration. Enabling them won't make things harder.

Standard serverAUTH,RC,JAIL,CAP,[RES]
Standard desktopAUTH,RC,JAIL,[CAP]
Minimum desktopAUTH,FF,JAIL,[CAP]


The Minimum desktop set is the easiest to deal with. You will only have to setup AUTH (means, what application can switch to what user id) to have a usable system. You can then experiment with FF, to set attributes to directories paths, and with JAIL, by Jailing for example your web browser and mail client.

The Standard desktop raises the level, with RC. You will have to understand this model and set it system-wide before your system becomes usable. However, this is far more powerful and after a while, it will be easier for you to secure your system using RC than with FF or ACL modules. Like with the minimum desktop, you can jail your web browser or other sensitive applications with the JAIL module.

Finally, the standard server comes with a similar setup. Jail your services, setup RC system wide, and you may want to add a few more modules, like DAZ for the virus scanning, RES to control system resources etc.

In every case, make sure that you understand every module you are using. Test them (you can use the Live CD to do this without destroying your system), until you feel comfortable with them.



Table of Contents: RSBAC Handbook
Previous: Logging
Next: selecting_models