Releases
Current version
Git/Latestdiff: 1.5.6
Latest Snapshots
Produced after each commit or rebase to new upstream version
GIT
RSBAC source code, can be unstable sometimes
Events
No events planned
Subjects and Objects
Put in a simple manner, RSBAC restricts the access a subject has on different objects.
The subjects are in fact processes (and associated libraries), acting on the behalf of users. And every process runs as a user.
The objects can be filesystem objects (files, directories, …), network accesses (to ips, ports, …), other users, processes, network devices, special system objects …
To make things possible to manage, RSBAC categorises these objects as in the table shown below.
The objects, in RSBAC, are called Targets.
| Type | Description |
|---|---|
| FILE | Files, including device special files. Identified by device and inode number. |
| DIR | Directories, identified by device and inode number. |
| FIFO | FIFO special files |
| DEV | Devices, identified by type (char or block), major and minor number |
| IPC | InterProcess Communication: Semaphores (sem), Messages (msg), Shared Memory (shm), Sockets (sock) |
| SCD | System Control Data: Objects affecting the whole system. This target type is the only one with a fixed number of objects, identified by number (see below). |
| USER | Users as objects, mostly for access control information (ACI). |
| PROCESS | Processes as objects. |
| NETDEV | Network Device, identified by name. |
| NETTEMP | Network Template, identified by index number. Access control: access to template itself, RC Administration: access to values/settings for both template and NETOBJ, ACL administration: Default ACLs for NETOBJ |
| NETOBJ | Network Object, identified by internal pointer to struct socket. Attribute values mostly inherited from NETTEMP settings. |
| NETTEMP_NT | ACL administration only, ACL entries for NETTEMP objects themselves. |
| NONE | No object associated with this request. In some models (RC, ACL) this is internally changed into SCD target “other”. |
| FD | (Only in tools for convenience, not a real Target): Let the command line tool decide between types FILE and DIR |
System Control Data (SCD) targets subset:
| Name | Description |
|---|---|
| time_strucs | System timer |
| clock | System time and date |
| host_id | Host name |
| net_id | Domain name |
| ioports | Access Control for direct hardware access |
| rlimit | Setting process ressource limits |
| swap | Control of swapping |
| syslog | System log |
| rsbac | RSBAC data in /proc |
| rsbaclog | RSBAC own log |
| kmem | Direct access to kernel memory via proc or device |
| other | Any other SCD not specified separately, otherwise only internal in RC and ACL: Substitute for target NONE (sysctl administration) |
| network | General networking, like routing, arp etc. (Devices are protected as NETDEV targets!) |
| firewall | Firewall settings, packet filter etc. |
| priority | Set scheduler priority (nice value) |
| sysfs | Administrate through sysfs |
| rsbac_remote_log | Settings for RSBAC remote logging |
| quota | Quota administration |
| sysctl | Administrate through sysctl |
| nfsd | Kernel NFS server administration |
| ksyms | Kernel symbols |
| mlock | Memory locking |
| capability | Change Linux capabilities |
| kexec | kexec restrictions (permits to load a new kernel) |
| videomem | Direct access to video memory via proc or device |
| auth_administration | (only in RC and ACL): AUTH model administration |
Appendix: Targets and Requests
Note: the appendix also lists requests, which are explained in the next section of this handbook.
Table of Contents: RSBAC Handbook
Previous: Architecture and Implementation
Next: Requests Types