Table of Contents

Back to igraltist's experiences / RC Modules

Local

Local Login

Only if such setup needed.

To local login only the ``security-user`` and ``root-user`` are allowed.
For local login Iam creating a new RC role ``Login`` and assign this to ``/bin/login``

rc_set_item ROLE 5 name "Login"
attr_set_file_dir FILE "/bin/login" rc_initial_role 5
attr_set_file_dir FILE "/bin/login" rc_force_role 4294967295

Policy for RC role ``Login``:

rc_set_item ROLE 5 type_comp_ipc 0 CLOSE CREATE
rc_set_item ROLE 5 type_comp_process 0 CREATE GET_STATUS_DATA
rc_set_item ROLE 5 type_comp_ipc 0 CLOSE CREATE WRITE
rc_set_item ROLE 5 type_comp_dev 0 CLOSE GET_PERMISSIONS_DATA MODIFY_PERMISSIONS_DATA IOCTL
rc_set_item ROLE 5 type_comp_group 0 READ SEARCH
rc_set_item ROLE 5 type_comp_fd 0 APPEND_OPEN CHANGE_OWNER CLOSE GET_PERMISSIONS_DATA GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH TRUNCATE WRITE WRITE_OPEN MAP_EXEC CONNECT SEND LOCK

Policy to allow user to local login:
This is set for ``uid 1 (Security_Admin)`` and ``uid 2 (System_Admin)`` to login on tty.

rc_set_item ROLE 5 type_comp_user 1 CHANGE_OWNER GET_STATUS_DATA SEARCH AUTHENTICATE CHANGE_AUTHED_OWNER
rc_set_item ROLE 5 type_comp_user 2 CHANGE_OWNER GET_STATUS_DATA SEARCH AUTHENTICATE CHANGE_AUTHED_OWNER
rc_set_item ROLE 5 type_comp_user 0 CHANGE_OWNER GET_STATUS_DATA SEARCH CHANGE_AUTHED_OWNER

Remote

Remote Login

To login over ssh Iam creating a RC role ``Sshd``.
This role is apply to ``/usr/sbin/sshd`` as initial role and for force role I choose the below.
This allow to switch to other roles. As example it can the RC role 2 for root user.

rc_set_item ROLE 6 name "Sshd"
attr_set_file_dir FILE "/usr/sbin/sshd" rc_initial_role 6
attr_set_file_dir FILE "/usr/sbin/sshd" rc_force_role 4294967295

Create a ``rc_type_fd`` and assign this to RC role ``Sshd``

rc_set_item ROLE 6 def_fd_create_type 6
rc_set_item ROLE 6 def_fd_ind_create_type 6 6
rc_set_item ROLE 6 def_unixsock_create_type 6

Assign ``rc_type_fd 6`` to ``/dev/pts``.

attr_set_file_dir DIR "/dev/pts" rc_type_fd 6

Create a ``rc_type_fd`` for the ``/etc/ssh`` configurationfiles and assign it.

rc_set_item TYPE 7 type_fd_name "SshdConfig_FD"
attr_set_file_dir DIR "/etc/ssh" rc_type_fd 7

Create a ``nettemplate`` for port 22 on given ip and create RC fd-types for the nettemplate and assign them.

net_temp set_name 4 "Sshd"
net_temp set_address_family 4 INET
net_temp set_type 4 STREAM
# replace the 0.0.0.0 with real ip address
net_temp -d set_address 4 0.0.0.0   
net_temp set_protocol 4 TCP
net_temp set_netdev 4 "eth0"
net_temp set_ports 4 22
rc_set_item TYPE 4 type_netdev_name "Sshd"
rc_set_item TYPE 4 type_nettemp_name "Sshd"
rc_set_item TYPE 4 type_netobj_name "Sshd"
attr_set_net NETTEMP rc_type 4 4
attr_set_net NETTEMP rc_type_nt 4 4

Policy for RC role ``Sshd``:
Description:
Need to read datas in ``/usr, /lib, /etc``.

rc_set_item ROLE 6 type_comp_fd 0 CHANGE_OWNER CHDIR CLOSE EXECUTE GET_STATUS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH MAP_EXEC

Need to read ``/etc/ssh`` directory

rc_set_item ROLE 6 type_comp_fd 7 CLOSE GET_STATUS_DATA READ READ_OPEN SEARCH

Need to write the pidfile ``/var/run/sshd.pid``. Bevor it was set that RC role ``Sshd`` should use ``rc_type_fd 6`` for filecreation and access to ``rc_type_fd 6`` on directroy ``/dev`pts``.

rc_set_item ROLE 6 type_comp_fd 6 CHANGE_OWNER CLOSE CREATE DELETE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_OPEN SEARCH WRITE WRITE_OPEN

Need to access to ``rc_type_fd 4`` which is assigned to ``/var/log``.

rc_set_item ROLE 6 type_comp_fd 4 CLOSE GET_STATUS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH WRITE WRITE_OPEN LOCK

Need to access to ``rc_type_fd 5`` which is assigned to ``/var/run``.

rc_set_item ROLE 6 type_comp_fd 5 CHDIR CLOSE CREATE GET_STATUS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH WRITE LOCK

Need to send data to ``/dev/log``. RC role ``Syslog`` has ``rc_type_fd 10`` for filecreation.

rc_set_item ROLE 6 type_comp_fd 10 CONNECT SEND

Extends Policy for RC role ``System Admin``:

rc_set_item ROLE 2 type_comp_fd 6 CLOSE GET_STATUS_DATA READ READ_OPEN SEARCH
rc_set_item ROLE 2 type_comp_fd 7 CLOSE GET_STATUS_DATA READ READ_OPEN SEARCH

Test

Test login

To test if its works, login and type,

rc_get_current_role

it's should show the assigned RC role of the user.

Next is to test if the correct filepermission is obtain when create a file in the user homedirectory.

touch create_test
ls -la create_test

This should show you the correct filepermission of the logged in user.

You can also look on Testing RC setup for more tests.