Before starting with Linux Capabilities (CAP) module administration, you should read the CAP description.
CAP administration only changes the min_caps and max_caps attributes of users and files. This can be done either with rsbac_user_menu and rsbac_fd_menu or with the command line tools attr_get_user, attr_set_user, attr_get_file_dir and attr_set_file_dir.
Known Linux Capabilities are (more details in man page capabilities(7)):
Name | Description |
---|---|
CHOWN | Change file owner |
DAC_OVERRIDE | Full DAC access to all filesystem objects |
DAC_READ_SEARCH | DAC read access to all filesystem objects |
FOWNER | Change filesystem object owner |
FSETID | Override some file owner based restrictions |
KILL | Send signal to any process |
SETGID | Set process group |
SETUID | Set process owner |
SETPCAP | Change capabilities |
LINUX_IMMUTABLE | Set immutable flag on filesystem objects |
NET_BIND_SERVICE | Bind to ports below 1024 |
NET_BROADCAST | Send network broadcasts |
NET_ADMIN | Various network admin tasks |
NET_RAW | Send raw packets |
IPC_LOCK | Lock memory into RAM |
IPC_OWNER | Override IPC owner checks |
SYS_MODULE | Load and remove kernel modules |
SYS_RAWIO | Make raw IO |
SYS_CHROOT | Use chroot |
SYS_PTRACE | Trace any process |
SYS_PACCT | Access process accounting |
SYS_ADMIN | Various admin tasks |
SYS_BOOT | Reboot and halt |
SYS_NICE | Raise process priority |
SYS_RESOURCE | Raise resource limits |
SYS_TIME | Set system clock |
SYS_TTY_CONFIG | Config ttys |
MKNOD | Create device special files |
LEASE | Take leases in files |
AUDIT_WRITE | Write to kernel audit |
AUDIT_CONTROL | Control kernel audit |
SETFCAP | Set per-file capabilities (filesystem dependent) |
MAC_OVERRIDE | Override some LSM module, if it allows |
MAC_ADMIN | Admin some LSM module, if it allows |
Example that adds the DAC_READ_SEARCH and KILL capabilities for secoff, so that this user can browse the complete filesystem:

```
attr_set_user CAP secoff min_caps DAC_READ_SEARCH KILL
```
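To check that a grant like the one above took effect, the following added example (not part of the RSBAC handbook or tools) decodes the `CapEff` mask of a process into the capability names from the table. It assumes the capabilities set through min_caps show up in `CapEff` in `/proc/<pid>/status`; the function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Capability names in Linux kernel bit order (bit 0 = CHOWN), the same
# order as the table on this page.
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID
SETUID SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN
NET_RAW IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE
SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG
MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN"

# capeff_from_status: read /proc/<pid>/status text on stdin, print CapEff.
capeff_from_status() {
    awk '$1 == "CapEff:" { print $2; exit }'
}

# decode_caps HEXMASK: print the names of all bits set in the mask.
decode_caps() {
    mask=$(( 0x$1 )); bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out:+$out }$name"
        fi
        bit=$(( bit + 1 ))
    done
    printf '%s\n' "$out"
}

# missing_caps HEXMASK NAME...: print the wanted names absent from the mask.
missing_caps() {
    have=" $(decode_caps "$1") "; shift; miss=""
    for want in "$@"; do
        case "$have" in
            *" $want "*) ;;
            *) miss="${miss:+$miss }$want" ;;
        esac
    done
    printf '%s\n' "$miss"
}

# Constructed sample: status excerpt of a shell owned by secoff after the
# attr_set_user call above (0x24 = bits 2 and 5). On a live system, feed
# /proc/<pid>/status of a secoff process instead.
SAMPLE_STATUS="Name:   bash
Uid:    400 400 400 400
CapEff: 0000000000000024"

mask=$(printf '%s\n' "$SAMPLE_STATUS" | capeff_from_status)
echo "effective: $(decode_caps "$mask")"
echo "missing:   $(missing_caps "$mask" DAC_READ_SEARCH KILL)"
```

An empty "missing" line means every requested capability is present; any name printed under "effective" that was not granted on purpose is worth reviewing against the user's max_caps.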