Prepare the System
To get a more verbose description of what is missing in the RC policy, set these debug options. Append them to the ``kernel`` line of the RSBAC kernel entry in ``/boot/grub/menu.lst``:
rsbac_softmode rsbac_nosyslog rsbac_cap_process_hiding rsbac_debug_adf_auth rsbac_debug_adf_rc rsbac_debug_adf_jail rsbac_debug_adf_um rsbac_debug_jail_log_missing_rbsac_debug_cap_log_missing
These options can also be entered at the GRUB prompt.
By default, RSBAC with the RC module uses these roles:
to run the system.
The permissions for these roles are hardcoded in the RSBAC code itself; otherwise the system would not work. Before setting any specific RC role for a service, you can detach the default running ``Boot-Role``. For this you can create a role ``Init``.
A binary always has two roles: an initial role and a force role.
The initial role is used to start a service, so it needs permission to read the necessary configuration files.
The force role is used to run the service; it usually has no reason to read the configuration files, for example.
However, if a service does not chown to another user, the process always runs with the initial role. This is surely the case for the init process, which is why this setup comes first.
``init`` never changes to a force role, so there is no reason to build one.
Now I start by setting an RC role named ``Init`` as the initial role on ``/sbin/init``.
See setup: RC role for init process
I use the numbers from 100 upward for the system. The following directories get an RC FD type:
The special directories are applied again on each boot:
Example: create two new ``rc_type_fd`` types.
rc_set_item TYPE 4 type_fd_name "VarLog_FD"
rc_set_item TYPE 5 type_fd_name "VarRun_FD"
Assign these to ``/var/log`` and ``/var/run``.
attr_set_file_dir DIR "/var/log" rc_type_fd 4
attr_set_file_dir DIR "/var/run" rc_type_fd 5
After rebooting the system, the log file shows entries such as:
Fri May 1 13:12:47 2009 :<7>0000460885|check_comp_rc(): pid 1 (init), owner 0, rc_role 4, DIR rc_type 0, request SEARCH -> NOT_GRANTED!
Fri May 1 13:12:47 2009 :<6>0000460886|rsbac_adf_request(): request SEARCH, pid 1, ppid 0, prog_name init, prog_file /sbin/init, uid 0, target_type DIR, tid Device 00:12 Inode 74 Path /dev, attr none, value none, result NOT_GRANTED (Softmode) by RC
Policy for role ``Init``:
rc_set_item ROLE 4 type_comp_fd 0 APPEND_OPEN CHANGE_OWNER CHDIR CLOSE CREATE DELETE EXECUTE GET_PERMISSIONS_DATA GET_STATUS_DATA LINK_HARD MODIFY_ACCESS_DATA MODIFY_PERMISSIONS_DATA MOUNT READ READ_WRITE_OPEN READ_OPEN RENAME SEARCH TRUNCATE UMOUNT WRITE WRITE_OPEN MAP_EXEC CONNECT SEND LOCK
rc_set_item ROLE 4 type_comp_fd 2 CLOSE DELETE EXECUTE GET_STATUS_DATA READ READ_WRITE_OPEN READ_OPEN
rc_set_item ROLE 4 type_comp_dev 0 ADD_TO_KERNEL CLOSE GET_PERMISSIONS_DATA GET_STATUS_DATA MODIFY_PERMISSIONS_DATA MOUNT READ READ_WRITE_OPEN READ_OPEN UMOUNT WRITE WRITE_OPEN IOCTL
rc_set_item ROLE 4 type_comp_user 0 CHANGE_OWNER GET_STATUS_DATA SEARCH
rc_set_item ROLE 4 type_comp_process 0 CREATE GET_STATUS_DATA MODIFY_SYSTEM_DATA SEND_SIGNAL
rc_set_item ROLE 4 type_comp_ipc 0 CLOSE CREATE MODIFY_SYSTEM_DATA READ WRITE LISTEN SEND NET_SHUTDOWN
rc_set_item ROLE 4 type_comp_scd 0 MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_scd 1 MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_scd 2 MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_scd 6 MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_scd 8 MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_scd 10 SHUTDOWN SWITCH_LOG
rc_set_item ROLE 4 type_comp_scd 12 MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_scd 14 MODIFY_ATTRIBUTE MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_scd 15 GET_STATUS_DATA MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_group 0 READ SEARCH
rc_set_item ROLE 4 type_comp_netdev 0 GET_STATUS_DATA MODIFY_SYSTEM_DATA BIND
rc_set_item ROLE 4 type_comp_netobj 0 CLOSE CREATE GET_STATUS_DATA MODIFY_SYSTEM_DATA BIND LISTEN CONNECT SEND RECEIVE IOCTL
rc_set_item ROLE 4 type_comp_fd 7 SEARCH
The role needs to send data to ``rc_type_fd 10``, which is defined as the file create type of the RC role ``Syslog``.
rc_set_item ROLE 4 type_comp_fd 10 CONNECT SEND
The role needs access to ``rc_type_fd 4``, which is assigned to ``/var/log``.
rc_set_item ROLE 4 type_comp_fd 4 APPEND_OPEN CLOSE CREATE GET_PERMISSIONS_DATA GET_STATUS_DATA SEARCH TRUNCATE WRITE WRITE_OPEN MAP_EXEC LOCK
The role needs access to ``rc_type_fd 5``, which is assigned to ``/var/run``.
rc_set_item ROLE 4 type_comp_fd 5 CHANGE_OWNER CHDIR CLOSE CREATE GET_PERMISSIONS_DATA GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH TRUNCATE WRITE WRITE_OPEN LOCK
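The softmode log shown earlier is what drives the ``Init`` policy: each ``check_comp_rc()`` line names a role, a target type, an RC type and the denied request. As an added example (not part of the original page or of the RSBAC tools), this Python script groups such lines so the missing requests can be reviewed and merged into the role's ``rc_set_item`` lines by hand. The mapping from target names other than ``DIR`` to ``type_comp_*`` items and the sample lines after the first two are assumptions.

```python
import re
from collections import defaultdict

# Matches the check_comp_rc() denial line format shown on this page.
DENIAL = re.compile(
    r"check_comp_rc\(\): pid \d+ \((?P<prog>[^)]*)\), owner \d+, "
    r"rc_role (?P<role>\d+), (?P<target>\w+) rc_type (?P<type>\d+), "
    r"request (?P<request>\w+) -> NOT_GRANTED"
)
# Assumption: these target types use the "fd" compatibility list; any other
# target name is lower-cased to build type_comp_<name> (DEV -> type_comp_dev).
FD_TARGETS = {"FILE", "DIR", "FIFO", "SYMLINK"}

# Sample input: first two lines are from the page, the rest are constructed.
SAMPLE_LOG = """\
Fri May 1 13:12:47 2009 :<7>0000460885|check_comp_rc(): pid 1 (init), owner 0, rc_role 4, DIR rc_type 0, request SEARCH -> NOT_GRANTED!
Fri May 1 13:12:47 2009 :<6>0000460886|rsbac_adf_request(): request SEARCH, pid 1, ppid 0, prog_name init, prog_file /sbin/init, uid 0, target_type DIR, tid Device 00:12 Inode 74 Path /dev, attr none, value none, result NOT_GRANTED (Softmode) by RC
Fri May 1 13:12:48 2009 :<7>0000460901|check_comp_rc(): pid 1 (init), owner 0, rc_role 4, DIR rc_type 4, request WRITE_OPEN -> NOT_GRANTED!
Fri May 1 13:12:48 2009 :<7>0000460903|check_comp_rc(): pid 1 (init), owner 0, rc_role 4, FILE rc_type 4, request APPEND_OPEN -> NOT_GRANTED!
Fri May 1 13:12:49 2009 :<7>0000460910|check_comp_rc(): pid 1 (init), owner 0, rc_role 4, DIR rc_type 0, request SEARCH -> NOT_GRANTED!
Fri May 1 13:12:49 2009 :<7>0000460912|check_comp_rc(): pid 1 (init), owner 0, rc_role 4, DEV rc_type 0, request IOCTL -> NOT_GRANTED!
"""

def missing_rights(log_text):
    """Group denied requests by (role, type_comp_* item, rc_type)."""
    found = defaultdict(lambda: {"requests": set(), "progs": set()})
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue  # rsbac_adf_request() lines repeat the same denial
        comp = "type_comp_" + ("fd" if m["target"] in FD_TARGETS else m["target"].lower())
        entry = found[(int(m["role"]), comp, int(m["type"]))]
        entry["requests"].add(m["request"])
        entry["progs"].add(m["prog"])
    return found

def report(found):
    """One line per role/type pair, for merging into the role's policy by hand."""
    return [
        f"ROLE {role} {comp} {rc_type} missing: {' '.join(sorted(e['requests']))}"
        f"  (seen from: {', '.join(sorted(e['progs']))})"
        for (role, comp, rc_type), e in sorted(found.items())
    ]

if __name__ == "__main__":
    print("\n".join(report(missing_rights(SAMPLE_LOG))))
```

Review each reported request against what the program actually needs before granting it; a softmode log records everything that was attempted, not only what is required.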
To obtain a right of privacy, I associate the RC type with the RC role and set the ``rc_type_fd`` on the user's home directory.
My system has a security user with ``uid`` and ``gid`` 400, whose home directory is ``/security``.
Security-User
attr_set_file_dir DIR "/security" rc_type_fd 1
This protects the directory from being visited by the root user. Create a new ``rc_type_group`` for the group.
rc_set_item TYPE 1 type_group_name "Security_Group"
Now I apply these ``rc_types`` to RC role 1:
rc_set_item ROLE 1 def_fd_create_type 1
rc_set_item ROLE 1 def_fd_ind_create_type 1 1
rc_set_item ROLE 1 def_user_create_type 1
rc_set_item ROLE 1 def_process_create_type 1
rc_set_item ROLE 1 def_process_chown_type 1
rc_set_item ROLE 1 def_process_execute_type 1
rc_set_item ROLE 1 def_ipc_create_type 1
rc_set_item ROLE 1 def_group_create_type 1
rc_set_item ROLE 1 def_unixsock_create_type 1
Root-user
I do the same for the root user's directory.
attr_set_file_dir DIR "/root" rc_type_fd 2
Extend the policy of RC role ``System Admin``: it needs access to ``rc_type_fd 5``, which is assigned to ``/var/run``.
rc_set_item ROLE 2 type_comp_fd 5 CLOSE CREATE DELETE GET_STATUS_DATA READ READ_WRITE_OPEN SEARCH WRITE WRITE_OPEN LOCK
I create an RC role ``Jens`` and ``rc_types``, and assign them to the user with ``uid 1000``.
rc_set_item ROLE 1000 name "Jens"
rc_set_item TYPE 1000 type_fd_name "Jens_FD"
rc_set_item TYPE 1000 type_fdsd_name "Jens_FDSD"
rc_set_item TYPE 1000 type_dev_name "Jens_DEV"
rc_set_item TYPE 1000 type_user_name "Jens_USER"
rc_set_item TYPE 1000 type_group_name "Jens_GROUP"
rc_set_item TYPE 1000 type_process_name "Jens_PROCESS"
rc_set_item TYPE 1000 type_ipc_name "Jens_IPC"
rc_set_item TYPE 1000 type_netdev_name "Jens_NETDEV"
rc_set_item TYPE 1000 type_nettemp_name "Jens_NETTEMP"
rc_set_item TYPE 1000 type_netobj_name "Jens_NETOBJ"
rc_set_item ROLE 1000 def_fd_create_type 1000
rc_set_item ROLE 1000 def_fd_ind_create_type 1000 1000
rc_set_item ROLE 1000 def_user_create_type 1000
rc_set_item ROLE 1000 def_process_create_type 1000
rc_set_item ROLE 1000 def_process_chown_type 1000
rc_set_item ROLE 1000 def_process_execute_type 1000
rc_set_item ROLE 1000 def_ipc_create_type 1000
rc_set_item ROLE 1000 def_group_create_type 1000
rc_set_item ROLE 1000 def_unixsock_create_type 1000
attr_set_user jens rc_def_role 1000
attr_set_user jens rc_type 1000
attr_set_file_dir DIR "/home/jens" rc_type_fd 1000
Policy for RC role ``Jens`` (1000):
rc_set_item ROLE 1000 type_comp_fd 1000 APPEND_OPEN CHDIR CLOSE CREATE DELETE EXECUTE GET_STATUS_DATA MODIFY_ACCESS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH TRUNCATE WRITE WRITE_OPEN MAP_EXEC
rc_set_item ROLE 1000 type_comp_user 1000 GET_STATUS_DATA SEARCH
rc_set_item ROLE 1000 type_comp_ipc 1000 CLOSE CREATE READ WRITE
rc_set_item ROLE 1000 type_comp_process 1000 CREATE MODIFY_SYSTEM_DATA
rc_set_item ROLE 1000 type_comp_dev 0 CLOSE GET_PERMISSIONS_DATA GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN WRITE WRITE_OPEN IOCTL
rc_set_item ROLE 1000 type_comp_fd 0 CHDIR CLOSE EXECUTE GET_PERMISSIONS_DATA GET_STATUS_DATA READ READ_OPEN SEARCH WRITE MAP_EXEC LOCK
rc_set_item ROLE 1000 type_comp_ipc 0 CLOSE READ
rc_set_item ROLE 1000 type_comp_process 0 MODIFY_SYSTEM_DATA
If this user should also be allowed to log in on a tty, the policy for RC role ``Login`` has to be extended for RC role ``Jens`` (1000).
rc_set_item ROLE 5 type_comp_user 1000 CHANGE_OWNER GET_STATUS_DATA SEARCH CHANGE_AUTHED_OWNER