Create a Role ``Syslog`` and apply it to the syslog binary.
rc_set_item ROLE 10 name "Syslog" attr_set_file_dir FILE "/usr/sbin/syslog-ng" rc_initial_role 10
Create ``rc_type_fd`` 10 and set it as the default create type for RC role 10:
rc_set_item TYPE 10 type_fd_name "Syslog_FD"
rc_set_item ROLE 10 def_fd_create_type 10
rc_set_item ROLE 10 def_fd_ind_create_type 10 10
rc_set_item ROLE 10 def_unixsock_create_type 10
Assign ``rc_type_fd 10`` to ``/var/lib/syslog-ng``.
attr_set_file_dir DIR "/var/lib/syslog-ng" rc_type_fd 10
Policy for Role ``Syslog``:
rc_set_item ROLE 10 type_comp_fd 0 CHANGE_OWNER CLOSE CREATE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH MAP_EXEC
rc_set_item ROLE 10 type_comp_dev 0 CLOSE GET_PERMISSIONS_DATA READ READ_OPEN WRITE WRITE_OPEN
rc_set_item ROLE 10 type_comp_user 0 GET_STATUS_DATA READ SEARCH
rc_set_item ROLE 10 type_comp_process 0 CREATE
rc_set_item ROLE 10 type_comp_ipc 0 CHANGE_OWNER CLOSE CREATE MODIFY_PERMISSIONS_DATA MODIFY_SYSTEM_DATA WRITE LISTEN RECEIVE
rc_set_item ROLE 10 type_comp_group 0 READ SEARCH
rc_set_item ROLE 10 type_comp_ipc 2 RECEIVE
rc_set_item ROLE 10 type_comp_fd 2 APPEND_OPEN CHANGE_OWNER CLOSE MODIFY_PERMISSIONS_DATA WRITE
rc_set_item ROLE 10 type_comp_fd 10 CLOSE CREATE DELETE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_OPEN SEARCH TRUNCATE WRITE WRITE_OPEN ACCEPT
The role also needs access to ``rc_type_fd 4``, which is assigned to ``/var/log``:
rc_set_item ROLE 10 type_comp_fd 4 APPEND_OPEN CHANGE_OWNER CLOSE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH TRUNCATE WRITE WRITE_OPEN
It also needs access to ``rc_type_fd 5``, which is assigned to ``/var/run``:
rc_set_item ROLE 10 type_comp_fd 5 CREATE SEARCH
Extend the policy for RC role ``System Admin``:
If the cron daemon has no separate RC role, it needs access to CONNECT and RECEIVE.
rc_set_item ROLE 2 type_comp_fd 10 CLOSE DELETE GET_STATUS_DATA READ READ_OPEN CONNECT SEND
My security user has his home directory on ``/security``.
The log file is then created as ``/security/log/security-log``.
Setting ``rc_type_fd 1`` on ``/security`` prevents the root user from reading the RSBAC messages.
With the boot parameter ``rsbac_nosyslog``, the RSBAC messages are not logged to the default syslog file.
The root user is also not allowed to read them through ``/proc/rsbac-info/rmsg``.
When using rklogd, create two roles:
rc_set_item ROLE 8 name "Rklogd_Server"
rc_set_item ROLE 9 name "Rklogd_Worker"
attr_set_file_dir FILE "/usr/sbin/rklogd" rc_initial_role 8
attr_set_file_dir FILE "/usr/sbin/rklogd" rc_force_role 9
Policy for the rklogd roles:
rc_set_item ROLE 8 type_comp_dev 0 CLOSE READ_WRITE_OPEN
rc_set_item ROLE 8 type_comp_user 0 CHANGE_OWNER GET_STATUS_DATA SEARCH
rc_set_item ROLE 8 type_comp_ipc 0 CLOSE CREATE
rc_set_item ROLE 8 type_comp_process 0 CREATE
rc_set_item ROLE 8 type_comp_fd 0 CHANGE_OWNER CLOSE CREATE DELETE GET_STATUS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH WRITE WRITE_OPEN MAP_EXEC LOCK
rc_set_item ROLE 8 type_comp_fd 5 CHANGE_OWNER CREATE SEARCH
rc_set_item ROLE 9 type_comp_fd 10 CONNECT SEND
rc_set_item ROLE 9 type_comp_fd 0 APPEND_OPEN CLOSE CREATE DELETE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH WRITE WRITE_OPEN CONNECT SEND LOCK
rc_set_item ROLE 9 type_comp_scd 9 GET_STATUS_DATA
rc_set_item ROLE 9 type_comp_dev 0 CLOSE READ_WRITE_OPEN
rc_set_item ROLE 9 type_comp_ipc 0 CLOSE CREATE
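Once a policy like the one above has grown over several roles, it is easy to lose track of which role may write to which fd type. The following is an added example (not from this wiki page and not an RSBAC tool) that parses ``rc_set_item ... type_comp_*`` statements, even when several are run together on one line as on this page, into a lookup table and answers such questions; the sample text is copied from this page's statements, and the ``WRITE_LIKE`` grouping of request names is my own choice.

```python
import re
from collections import defaultdict

# Sample policy text: statements copied from this page, deliberately left
# run together on one line in places to show the parser copes with that.
POLICY_TEXT = """
rc_set_item ROLE 10 type_comp_fd 10 CLOSE CREATE DELETE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_OPEN SEARCH TRUNCATE WRITE WRITE_OPEN ACCEPT
rc_set_item ROLE 10 type_comp_fd 4 APPEND_OPEN CHANGE_OWNER CLOSE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH TRUNCATE WRITE WRITE_OPEN
rc_set_item ROLE 2 type_comp_fd 10 CLOSE DELETE GET_STATUS_DATA READ READ_OPEN CONNECT SEND
rc_set_item ROLE 9 type_comp_fd 10 CONNECT SEND rc_set_item ROLE 9 type_comp_scd 9 GET_STATUS_DATA
"""

# Requests (names as used on this page) that let a subject alter the target.
# This grouping is an assumption for the audit, not an RSBAC definition.
WRITE_LIKE = {"WRITE", "WRITE_OPEN", "READ_WRITE_OPEN", "APPEND_OPEN",
              "TRUNCATE", "DELETE", "CREATE", "CHANGE_OWNER",
              "MODIFY_PERMISSIONS_DATA"}

# One statement: rc_set_item ROLE <n> type_comp_<kind> <type> REQ [REQ ...]
# The request list stops at the next lowercase token (e.g. "rc_set_item").
STMT = re.compile(
    r"rc_set_item\s+ROLE\s+(\d+)\s+type_comp_(\w+)\s+(\d+)\s+((?:[A-Z_]+\s*)+)")


def parse_policy(text):
    """Map (role, target kind, type number) -> set of granted request names."""
    policy = defaultdict(set)
    for role, kind, type_no, reqs in STMT.findall(text):
        policy[(int(role), kind, int(type_no))].update(reqs.split())
    return policy


def writable_fd_types(policy, role):
    """fd types on which `role` holds at least one write-like request."""
    return sorted(t for (r, k, t), reqs in policy.items()
                  if r == role and k == "fd" and reqs & WRITE_LIKE)


def roles_touching(policy, kind, type_no):
    """Roles holding any request on a target type, e.g. fd type 1 (/security)."""
    return sorted({r for (r, k, t) in policy if k == kind and t == type_no})


if __name__ == "__main__":
    pol = parse_policy(POLICY_TEXT)
    for role in sorted({r for (r, _, _) in pol}):
        print(f"role {role}: writable fd types {writable_fd_types(pol, role)}")
    print("roles with rights on /security (fd type 1):", roles_touching(pol, "fd", 1))
```

Running it on the full policy from this page is a quick way to confirm that no role other than the intended ones gained rights on ``rc_type_fd 1``.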