
RC Module

Short explanation

A default RSBAC installation with the RC module comes with a set of predefined roles that are used to run the system.

The permissions of these roles are predefined, but all of them can be modified. This page only shows snippets and some ideas for using the RC module, not a complete working setup for a server or a desktop.

For a daemon or any script, two roles are usually defined:

  1. an initial RC role
  2. a force RC role

For example, the Apache daemon (names can differ) starts as UID 0 (root) to read its configuration files and bind its listening port, then switches to UID 33 (www-data). This is a good case for the RC module, using two RC roles: the first RC role covers reading the configuration files and similar startup work, the second RC role covers serving the content. That keeps the rights on the configuration out of the role that faces the network.

RC role for init process

``init`` never switches to an RC force role, so there is no reason to build one; it only gets an initial role.

Example:

#!/bin/sh
# init detached BOOT_ROLE 999999
# Naming convention used for all RC roles on this page: upper case letters,
# with the suffix _F for a force role and _I for an initial role.
TYPE=100
ROLE=100
FILE="/sbin/init"
NAME="INIT_I"   # init only gets an initial role (see above), hence _I

# create the role
rc_set_item ROLE ${ROLE} name "${NAME}"

# name the RC types (one per object class) that belong to this role
rc_set_item TYPE ${TYPE} type_netdev_name "${NAME}_NETDEV"
rc_set_item TYPE ${TYPE} type_nettemp_name "${NAME}_NETTEMP"
rc_set_item TYPE ${TYPE} type_netobj_name "${NAME}_NETOBJ"
rc_set_item TYPE ${TYPE} type_user_name "${NAME}_User"
rc_set_item TYPE ${TYPE} type_group_name "${NAME}_Group"
rc_set_item TYPE ${TYPE} type_ipc_name "${NAME}_IPC"
rc_set_item TYPE ${TYPE} type_process_name "${NAME}_Process"
rc_set_item TYPE ${TYPE} type_fd_name "${NAME}_FD"

# objects created by a process in this role get the role's own type
rc_set_item ROLE ${ROLE} def_user_create_type ${TYPE}
rc_set_item ROLE ${ROLE} def_process_create_type ${TYPE}
rc_set_item ROLE ${ROLE} def_process_chown_type ${TYPE}
rc_set_item ROLE ${ROLE} def_process_execute_type ${TYPE}
rc_set_item ROLE ${ROLE} def_ipc_create_type ${TYPE}
rc_set_item ROLE ${ROLE} def_group_create_type ${TYPE}
rc_set_item ROLE ${ROLE} def_fd_create_type ${TYPE}
rc_set_item ROLE ${ROLE} def_fd_ind_create_type ${TYPE} ${TYPE}   # new files below FDs of TYPE also get TYPE
rc_set_item ROLE ${ROLE} def_unixsock_create_type ${TYPE}

# assign the initial role to the init binary
attr_set_file_dir FILE "${FILE}" rc_initial_role ${ROLE}
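The same steps, generalised into a function and applied to the two-role Apache case from the short explanation above. This is an added example and not part of the page's own policy: the role and type numbers 110 (APACHE_I) and 111 (APACHE_F), the binary path /usr/sbin/apache2 and the use of the www-data user's default role as the place where the serving role lives are assumptions of this example. The rc wrapper prints the command lines instead of executing them when the RSBAC tools are not installed or RSBAC_DRYRUN is set, so the policy can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not the page's own policy): the two-role pattern for an
# Apache-style daemon, generalised from the init snippet above into a function.
# Assumed/hypothetical: role and type numbers 110/111, the binary path, and
# that the www-data user's default role is where the serving role is attached.
set -eu

APACHE_BIN=/usr/sbin/apache2     # assumption: Debian path of the daemon
INITIAL_ROLE=110                 # APACHE_I: runs as UID 0, reads config, binds its port
FORCE_ROLE=111                   # APACHE_F: serves content as UID 33 (www-data)

# rc CMD ARGS...: run the RSBAC admin tool, or print the command line when the
# tool is missing or RSBAC_DRYRUN is set, so the policy can be reviewed first.
rc() {
    if [ -n "${RSBAC_DRYRUN:-}" ] || ! command -v "$1" >/dev/null 2>&1; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# make_role NAME ROLE TYPE: create the role, give it a private RC type for every
# object class and make that type the default create type (same steps as for init).
make_role() {
    name=$1 role=$2 type=$3
    rc rc_set_item ROLE "$role" name "$name"
    for cls in netdev nettemp netobj user group ipc process fd; do
        rc rc_set_item TYPE "$type" "type_${cls}_name" "${name}_$(printf '%s' "$cls" | tr a-z A-Z)"
    done
    for item in def_user_create_type def_process_create_type def_process_chown_type \
                def_process_execute_type def_ipc_create_type def_group_create_type \
                def_fd_create_type def_unixsock_create_type; do
        rc rc_set_item ROLE "$role" "$item" "$type"
    done
    rc rc_set_item ROLE "$role" def_fd_ind_create_type "$type" "$type"
}

# apache_policy: build both roles and attach them. The initial role sits on the
# binary and is in effect from exec until the first uid change; after the setuid
# to www-data the process takes that user's default role, which is set to APACHE_F
# here (assumption about attr_set_user usage; check it against your version).
apache_policy() {
    make_role APACHE_I "$INITIAL_ROLE" "$INITIAL_ROLE"
    make_role APACHE_F "$FORCE_ROLE" "$FORCE_ROLE"
    rc attr_set_file_dir FILE "$APACHE_BIN" rc_initial_role "$INITIAL_ROLE"
    rc attr_set_user www-data rc_def_role "$FORCE_ROLE"
}

apache_policy
```

What the script deliberately leaves out is the compatibility part of the policy, that is which rights each of the two roles gets on which types; that is where the separation pays off, because APACHE_F should get no rights on the APACHE_I_FD type that holds the configuration.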

SSH RC role

sshd behaves a little differently. The daemon only needs an initial RC role, which is applied to /usr/sbin/sshd; as its force role it gets "inherit from user role", so that after a user has logged in the session processes run with that user's own role rather than with the daemon's.

Create a RC policy from scratch

Test setup for using the RC module.

This setup is deprecated as of 25.02.2010.

A nice overview of the resulting policy can be generated with

rc_get_item -v -p htmlprint > rc_03.05.2009.html

Testing RC setup