Back to igraltist's experiences / RC Modules
This is only needed if you want such a setup.
Only the ``security-user`` and ``root-user`` are allowed to log in locally.
For local login I create a new RC role ``Login`` and assign it to ``/bin/login``:
    rc_set_item ROLE 5 name "Login"
    attr_set_file_dir FILE "/bin/login" rc_initial_role 5
    attr_set_file_dir FILE "/bin/login" rc_force_role 4294967295
Policy for RC role ``Login``:
    rc_set_item ROLE 5 type_comp_ipc 0 CLOSE CREATE
    rc_set_item ROLE 5 type_comp_process 0 CREATE GET_STATUS_DATA
    rc_set_item ROLE 5 type_comp_ipc 0 CLOSE CREATE WRITE
    rc_set_item ROLE 5 type_comp_dev 0 CLOSE GET_PERMISSIONS_DATA MODIFY_PERMISSIONS_DATA IOCTL
    rc_set_item ROLE 5 type_comp_group 0 READ SEARCH
    rc_set_item ROLE 5 type_comp_fd 0 APPEND_OPEN CHANGE_OWNER CLOSE GET_PERMISSIONS_DATA GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH TRUNCATE WRITE WRITE_OPEN MAP_EXEC CONNECT SEND LOCK
Policy to allow users to log in locally:
This is set for ``uid 1 (Security_Admin)`` and ``uid 2 (System_Admin)`` so that they can log in on a tty.
    rc_set_item ROLE 5 type_comp_user 1 CHANGE_OWNER GET_STATUS_DATA SEARCH AUTHENTICATE CHANGE_AUTHED_OWNER
    rc_set_item ROLE 5 type_comp_user 2 CHANGE_OWNER GET_STATUS_DATA SEARCH AUTHENTICATE CHANGE_AUTHED_OWNER
    rc_set_item ROLE 5 type_comp_user 0 CHANGE_OWNER GET_STATUS_DATA SEARCH CHANGE_AUTHED_OWNER
To log in over ssh I create an RC role ``Sshd``.
This role is applied to ``/usr/sbin/sshd`` as the initial role; for the force role I choose the value below.
This allows switching to other roles, for example to RC role 2 for the root user.
    rc_set_item ROLE 6 name "Sshd"
    attr_set_file_dir FILE "/usr/sbin/sshd" rc_initial_role 6
    attr_set_file_dir FILE "/usr/sbin/sshd" rc_force_role 4294967295
Create an ``rc_type_fd`` and assign it to RC role ``Sshd`` as its default creation type:
    rc_set_item ROLE 6 def_fd_create_type 6
    rc_set_item ROLE 6 def_fd_ind_create_type 6 6
    rc_set_item ROLE 6 def_unixsock_create_type 6
Assign ``rc_type_fd 6`` to ``/dev/pts``.
    attr_set_file_dir DIR "/dev/pts" rc_type_fd 6
Create an ``rc_type_fd`` for the ``/etc/ssh`` configuration files and assign it:
    rc_set_item TYPE 7 type_fd_name "SshdConfig_FD"
    attr_set_file_dir DIR "/etc/ssh" rc_type_fd 7
Create a ``nettemplate`` for port 22 on the given IP address, create the matching RC net types (netdev, nettemp, netobj) for the nettemplate and assign them:
    net_temp set_name 4 "Sshd"
    net_temp set_address_family 4 INET
    net_temp set_type 4 STREAM
    # replace the 0.0.0.0 with the real ip address
    net_temp -d set_address 4 0.0.0.0
    net_temp set_protocol 4 TCP
    net_temp set_netdev 4 "eth0"
    net_temp set_ports 4 22
    rc_set_item TYPE 4 type_netdev_name "Sshd"
    rc_set_item TYPE 4 type_nettemp_name "Sshd"
    rc_set_item TYPE 4 type_netobj_name "Sshd"
    attr_set_net NETTEMP rc_type 4 4
    attr_set_net NETTEMP rc_type_nt 4 4
Policy for RC role ``Sshd``:
Description:
Needs to read data in ``/usr``, ``/lib`` and ``/etc``:
    rc_set_item ROLE 6 type_comp_fd 0 CHANGE_OWNER CHDIR CLOSE EXECUTE GET_STATUS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH MAP_EXEC
Needs to read the ``/etc/ssh`` directory:
    rc_set_item ROLE 6 type_comp_fd 7 CLOSE GET_STATUS_DATA READ READ_OPEN SEARCH
Needs to write the pidfile ``/var/run/sshd.pid``. Before, it was set that RC role ``Sshd`` should use ``rc_type_fd 6`` for file creation and have access to ``rc_type_fd 6`` on the directory ``/dev/pts``.
    rc_set_item ROLE 6 type_comp_fd 6 CHANGE_OWNER CLOSE CREATE DELETE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_OPEN SEARCH WRITE WRITE_OPEN
Needs access to ``rc_type_fd 4``, which is assigned to ``/var/log``:
    rc_set_item ROLE 6 type_comp_fd 4 CLOSE GET_STATUS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH WRITE WRITE_OPEN LOCK
Needs access to ``rc_type_fd 5``, which is assigned to ``/var/run``:
    rc_set_item ROLE 6 type_comp_fd 5 CHDIR CLOSE CREATE GET_STATUS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH WRITE LOCK
Needs to send data to ``/dev/log``. RC role ``Syslog`` uses ``rc_type_fd 10`` for file creation.
    rc_set_item ROLE 6 type_comp_fd 10 CONNECT SEND
Extended policy for RC role ``System Admin``:
    rc_set_item ROLE 2 type_comp_fd 6 CLOSE GET_STATUS_DATA READ READ_OPEN SEARCH
    rc_set_item ROLE 2 type_comp_fd 7 CLOSE GET_STATUS_DATA READ READ_OPEN SEARCH
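Compatibility lines like the ones above are easy to get wrong by hand; the ``Login`` policy, for example, sets ``type_comp_ipc 0`` twice with different rights. The following Python script is added here and is not part of the original page or of the RSBAC tools: it parses ``rc_set_item`` compatibility lines (a constructed subset of the lines on this page), reports role/type pairs that are set more than once, and lists the fd types a role may modify, as a least-privilege review aid. ``MUTATING`` is my own grouping of right names for that review, not an RSBAC category.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the rc_set_item lines from this page, one per line.
POLICY = """
rc_set_item ROLE 5 type_comp_ipc 0 CLOSE CREATE
rc_set_item ROLE 5 type_comp_process 0 CREATE GET_STATUS_DATA
rc_set_item ROLE 5 type_comp_ipc 0 CLOSE CREATE WRITE
rc_set_item ROLE 6 type_comp_fd 0 CHANGE_OWNER CHDIR CLOSE EXECUTE GET_STATUS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH MAP_EXEC
rc_set_item ROLE 6 type_comp_fd 7 CLOSE GET_STATUS_DATA READ READ_OPEN SEARCH
rc_set_item ROLE 6 type_comp_fd 6 CHANGE_OWNER CLOSE CREATE DELETE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_OPEN SEARCH WRITE WRITE_OPEN
rc_set_item ROLE 6 type_comp_fd 10 CONNECT SEND
"""

# Only ROLE ... type_comp_* lines are compatibility settings; name/def_*_create_type lines are skipped.
COMP_RE = re.compile(r"^rc_set_item\s+ROLE\s+(\d+)\s+(type_comp_\w+)\s+(\d+)\s+(.*)$")

# Rights that let a role alter an object of the given type (my grouping of the names used on this page).
MUTATING = {"WRITE", "WRITE_OPEN", "READ_WRITE_OPEN", "APPEND_OPEN", "CREATE", "DELETE",
            "TRUNCATE", "MODIFY_PERMISSIONS_DATA", "CHANGE_OWNER"}

def parse_policy(text):
    """Map (role, target, type) -> list of rights sets, keeping every occurrence in file order."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = COMP_RE.match(line.strip())
        if m:
            role, target, typ, rights = m.groups()
            entries[(int(role), target, int(typ))].append(frozenset(rights.split()))
    return dict(entries)

def find_duplicates(entries):
    """Keys set on more than one line. Such lines should be merged into one so the
    effective rights are explicit; returns the rights on which the lines disagree."""
    dups = {}
    for key, sets in entries.items():
        if len(sets) > 1:
            dups[key] = sorted(frozenset().union(*sets) - frozenset.intersection(*sets))
    return dups

def mutating_fd_types(entries, role):
    """fd types the role may modify according to its last line for each type: the
    list to review against what the role actually needs to write."""
    return sorted(typ for (r, target, typ), sets in entries.items()
                  if r == role and target == "type_comp_fd" and sets[-1] & MUTATING)

if __name__ == "__main__":
    pol = parse_policy(POLICY)
    for key, diff in find_duplicates(pol).items():
        print("ROLE %d %s %d set more than once, lines disagree on: %s" % (key + (" ".join(diff),)))
    print("ROLE 6 may modify fd types:", mutating_fd_types(pol, 6))
```

Run it over the full policy (one command per line) to get the complete list per role; ``/etc/ssh`` (``rc_type_fd 7``) should stay absent from the ``Sshd`` list, since that role is meant to read its configuration only.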
To test whether it works, log in and type:
    rc_get_current_role
It should show the assigned RC role of the user.
Next, test whether the correct file permissions are obtained when creating a file in the user's home directory:
    touch create_test
    ls -la create_test
This should show the correct file permissions of the logged-in user.
You can also look at Testing RC setup for more tests.