RC Module

RC Testsetup

Prepare the system: to get a more verbose description of what is missing in the RC policy, set the following debug options. Append them to the ``kernel`` line of the RSBAC kernel entry in ``/boot/grub/menu.lst``:

rsbac_softmode rsbac_nosyslog rsbac_cap_process_hiding rsbac_debug_adf_auth rsbac_debug_adf_rc rsbac_debug_adf_jail rsbac_debug_adf_um rsbac_debug_jail_log_missing_rbsac_debug_cap_log_missing 

These options can also be entered at the GRUB prompt.

By default, RSBAC with the RC module uses these roles to run the system:

  • General_User 0
  • Role_Admin 1
  • System_Admin 2
  • Auditor 3

The permissions for these roles are hardcoded in the RSBAC code itself; otherwise the system would not work. Before setting a specific RC role for a service, you can detach the default running ``Boot-Role``. To do this, create a role ``Init``.

Short explanation

A binary always has two roles, an initial role and a force role.
The initial role is used to start a service, so it needs permission to read the necessary configuration files.
The force role is used to run the service; it usually has no reason to read the configuration files, for example.

However, if a service does not chown to another user, the process always runs with the initial role. This is certainly the case for the init process, which is why this setup comes first.

Init

RC role on init (optional but nice to have)

``init`` never changes to a force role, so there is no reason to build one.

Now I start by doing this: set an RC role named ``Init`` as the initial role on ``/sbin/init``.

see setup: RC role for init process

I use numbers from 100 onward for the system. The following directories get an RC fd type:

  • /bin
  • /boot
  • /etc
  • /dev
  • /lib
  • /home
  • /sbin
  • /mnt
  • /opt
  • /usr
  • /var
  • /var/log
  • /var/run

The special directories are applied again on each boot:

  • /proc
  • /sys

Example: create two new ``rc_type_fd`` types:

rc_set_item TYPE 4 type_fd_name "VarLog_FD"
rc_set_item TYPE 5 type_fd_name "VarRun_FD"  

Assign these to ``/var/log`` and ``/var/run``:

attr_set_file_dir DIR "/var/log" rc_type_fd 4
attr_set_file_dir DIR "/var/run" rc_type_fd 5

After rebooting the system, the log file shows entries such as:

Fri May  1 13:12:47 2009 :<7>0000460885|check_comp_rc(): pid 1 (init), owner 0, rc_role 4, DIR rc_type 0, request SEARCH -> NOT_GRANTED!
Fri May  1 13:12:47 2009 :<6>0000460886|rsbac_adf_request(): request SEARCH, pid 1, ppid 0, prog_name init, prog_file /sbin/init, uid 0, target_type DIR, tid Device 00:12 Inode 74 Path /dev, attr none, value none, result NOT_GRANTED (Softmode) by RC
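The ``check_comp_rc()`` entries above name the role, the target's RC type and the refused request, which is exactly what a ``type_comp_*`` rule needs. The following added example (not part of the original page or of the RSBAC tools) groups such softmode entries into the missing rights per role and type. Only the first sample line comes from the page; the others are constructed, and treating FILE, FIFO and SYMLINK like DIR as ``type_comp_fd`` targets is an assumption.

```python
import re
from collections import defaultdict

# Line 1 is the check_comp_rc() entry quoted above; the rest are constructed
# in the same shape for illustration (including one duplicate).
SAMPLE_LOG = """\
Fri May  1 13:12:47 2009 :<7>0000460885|check_comp_rc(): pid 1 (init), owner 0, rc_role 4, DIR rc_type 0, request SEARCH -> NOT_GRANTED!
Fri May  1 13:12:47 2009 :<7>0000460887|check_comp_rc(): pid 1 (init), owner 0, rc_role 4, DIR rc_type 0, request SEARCH -> NOT_GRANTED!
Fri May  1 13:12:48 2009 :<7>0000460890|check_comp_rc(): pid 1 (init), owner 0, rc_role 4, DIR rc_type 0, request CHDIR -> NOT_GRANTED!
Fri May  1 13:12:48 2009 :<7>0000460893|check_comp_rc(): pid 1 (init), owner 0, rc_role 4, DIR rc_type 4, request SEARCH -> NOT_GRANTED!
Fri May  1 13:12:49 2009 :<7>0000460896|check_comp_rc(): pid 1 (init), owner 0, rc_role 4, FILE rc_type 4, request APPEND_OPEN -> NOT_GRANTED!
Fri May  1 13:12:49 2009 :<7>0000460899|check_comp_rc(): pid 1 (init), owner 0, rc_role 4, PROCESS rc_type 0, request SEND_SIGNAL -> NOT_GRANTED!
"""

LINE_RE = re.compile(
    r"check_comp_rc\(\): pid \d+ \([^)]*\), owner \d+, "
    r"rc_role (?P<role>\d+), (?P<target>[A-Z]+) rc_type (?P<type>\d+), "
    r"request (?P<req>[A-Z_]+) -> NOT_GRANTED"
)

# Assumption: file-like targets all map to type_comp_fd. Other target kinds
# are not mapped here and are returned separately for manual handling.
FD_TARGETS = {"DIR", "FILE", "FIFO", "SYMLINK"}

def missing_rights(log_text):
    """Return ({(role, item, rc_type): {requests}}, [unmapped lines])."""
    missing, skipped = defaultdict(set), []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a check_comp_rc() denial
        if m["target"] not in FD_TARGETS:
            skipped.append(line)
            continue
        key = (int(m["role"]), "type_comp_fd", int(m["type"]))
        missing[key].add(m["req"])  # the set removes repeated denials
    return dict(missing), skipped

def summarize(missing):
    """One review line per role/type pair, rights sorted alphabetically."""
    return [f"ROLE {role} {item} {rc_type} missing: {' '.join(sorted(rights))}"
            for (role, item, rc_type), rights in sorted(missing.items())]

if __name__ == "__main__":
    found, skipped = missing_rights(SAMPLE_LOG)
    print("\n".join(summarize(found)))
    print(f"{len(skipped)} line(s) with unmapped target types")
```

The summary lists only the rights the log reported as missing; review each one and merge it into the role's existing ``rc_set_item`` line rather than granting everything softmode observed.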

Policy for role ``Init``:

rc_set_item ROLE 4 type_comp_fd 0 APPEND_OPEN CHANGE_OWNER CHDIR CLOSE CREATE DELETE EXECUTE GET_PERMISSIONS_DATA GET_STATUS_DATA LINK_HARD MODIFY_ACCESS_DATA MODIFY_PERMISSIONS_DATA MOUNT READ READ_WRITE_OPEN READ_OPEN RENAME SEARCH TRUNCATE UMOUNT WRITE WRITE_OPEN MAP_EXEC CONNECT SEND LOCK
rc_set_item ROLE 4 type_comp_fd 2 CLOSE DELETE EXECUTE GET_STATUS_DATA READ READ_WRITE_OPEN READ_OPEN
rc_set_item ROLE 4 type_comp_dev 0 ADD_TO_KERNEL CLOSE GET_PERMISSIONS_DATA GET_STATUS_DATA MODIFY_PERMISSIONS_DATA MOUNT READ READ_WRITE_OPEN READ_OPEN UMOUNT WRITE WRITE_OPEN IOCTL
rc_set_item ROLE 4 type_comp_user 0 CHANGE_OWNER GET_STATUS_DATA SEARCH
rc_set_item ROLE 4 type_comp_process 0 CREATE GET_STATUS_DATA MODIFY_SYSTEM_DATA SEND_SIGNAL
rc_set_item ROLE 4 type_comp_ipc 0 CLOSE CREATE MODIFY_SYSTEM_DATA READ WRITE LISTEN SEND NET_SHUTDOWN
rc_set_item ROLE 4 type_comp_scd 0 MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_scd 1 MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_scd 2 MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_scd 6 MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_scd 8 MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_scd 10 SHUTDOWN SWITCH_LOG
rc_set_item ROLE 4 type_comp_scd 12 MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_scd 14 MODIFY_ATTRIBUTE MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_scd 15 GET_STATUS_DATA MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_group 0 READ SEARCH
rc_set_item ROLE 4 type_comp_netdev 0 GET_STATUS_DATA MODIFY_SYSTEM_DATA BIND
rc_set_item ROLE 4 type_comp_netobj 0 CLOSE CREATE GET_STATUS_DATA MODIFY_SYSTEM_DATA BIND LISTEN CONNECT SEND RECEIVE IOCTL
rc_set_item ROLE 4 type_comp_fd 7 SEARCH

The role needs to send data to ``rc_type_fd 10``, which is defined as the file create type of the RC role ``Syslog``.

rc_set_item ROLE 4 type_comp_fd 10 CONNECT SEND

The role needs access to ``rc_type_fd 4``, which is assigned to ``/var/log``.

rc_set_item ROLE 4 type_comp_fd 4 APPEND_OPEN CLOSE CREATE GET_PERMISSIONS_DATA GET_STATUS_DATA SEARCH TRUNCATE WRITE WRITE_OPEN MAP_EXEC LOCK

The role needs access to ``rc_type_fd 5``, which is assigned to ``/var/run``.

rc_set_item ROLE 4 type_comp_fd 5 CHANGE_OWNER CHDIR CLOSE CREATE GET_PERMISSIONS_DATA GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH TRUNCATE WRITE WRITE_OPEN LOCK

Private Homedirectories

Setup RC fd-types

To obtain a right to privacy, I associate the rc-type with an rc-role and set the rc-type-fd on the user's home directory.

My system has a security user which has ``uid`` and ``gid`` 400, and its home directory is located at ``/security``.

Security-User

attr_set_file_dir DIR "/security" rc_type_fd 1

This prevents the root user from visiting this directory. Create a new ``rc_type_group`` for the group.

rc_set_item TYPE 1 type_group_name "Security_Group"

Now I apply these ``rc_types`` to RC role 1:

rc_set_item ROLE 1 def_fd_create_type 1
rc_set_item ROLE 1 def_fd_ind_create_type 1 1
rc_set_item ROLE 1 def_user_create_type 1
rc_set_item ROLE 1 def_process_create_type 1
rc_set_item ROLE 1 def_process_chown_type 1
rc_set_item ROLE 1 def_process_execute_type 1
rc_set_item ROLE 1 def_ipc_create_type 1
rc_set_item ROLE 1 def_group_create_type 1
rc_set_item ROLE 1 def_unixsock_create_type 1

Root-user

I do the same for the root user's directory.

attr_set_file_dir DIR "/root" rc_type_fd 2

Extend the policy for RC role ``System Admin``: it needs access to ``rc_type_fd 5``, which is assigned to ``/var/run``.

rc_set_item ROLE 2 type_comp_fd 5 CLOSE CREATE DELETE GET_STATUS_DATA READ READ_WRITE_OPEN SEARCH WRITE WRITE_OPEN LOCK

Example for an unprivileged user

User with uid 1000

I create an RC role ``Jens`` and ``rc_types``, and assign them to the user with ``uid 1000``.

rc_set_item ROLE 1000 name "Jens"
rc_set_item TYPE 1000 type_fd_name "Jens_FD"
rc_set_item TYPE 1000 type_fdsd_name "Jens_FDSD"
rc_set_item TYPE 1000 type_dev_name "Jens_DEV"
rc_set_item TYPE 1000 type_user_name "Jens_USER"
rc_set_item TYPE 1000 type_group_name "Jens_GROUP"
rc_set_item TYPE 1000 type_process_name "Jens_PROCESS"
rc_set_item TYPE 1000 type_ipc_name "Jens_IPC"
rc_set_item TYPE 1000 type_netdev_name "Jens_NETDEV"
rc_set_item TYPE 1000 type_nettemp_name "Jens_NETTEMP"
rc_set_item TYPE 1000 type_netobj_name "Jens_NETOBJ"  
rc_set_item ROLE 1000 def_fd_create_type 1000
rc_set_item ROLE 1000 def_fd_ind_create_type 1000 1000
rc_set_item ROLE 1000 def_user_create_type 1000
rc_set_item ROLE 1000 def_process_create_type 1000
rc_set_item ROLE 1000 def_process_chown_type 1000
rc_set_item ROLE 1000 def_process_execute_type 1000
rc_set_item ROLE 1000 def_ipc_create_type 1000
rc_set_item ROLE 1000 def_group_create_type 1000
rc_set_item ROLE 1000 def_unixsock_create_type 1000
attr_set_user jens rc_def_role 1000
attr_set_user jens rc_type 1000
attr_set_file_dir DIR "/home/jens" rc_type_fd 1000

Policy for RC role ``Jens`` (1000):

rc_set_item ROLE 1000 type_comp_fd 1000 APPEND_OPEN CHDIR CLOSE CREATE DELETE EXECUTE GET_STATUS_DATA MODIFY_ACCESS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH TRUNCATE WRITE WRITE_OPEN MAP_EXEC
rc_set_item ROLE 1000 type_comp_user 1000 GET_STATUS_DATA SEARCH
rc_set_item ROLE 1000 type_comp_ipc 1000 CLOSE CREATE READ WRITE
rc_set_item ROLE 1000 type_comp_process 1000 CREATE MODIFY_SYSTEM_DATA
rc_set_item ROLE 1000 type_comp_dev 0 CLOSE GET_PERMISSIONS_DATA GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN WRITE WRITE_OPEN IOCTL
rc_set_item ROLE 1000 type_comp_fd 0 CHDIR CLOSE EXECUTE GET_PERMISSIONS_DATA GET_STATUS_DATA READ READ_OPEN SEARCH WRITE MAP_EXEC LOCK
rc_set_item ROLE 1000 type_comp_ipc 0 CLOSE READ
rc_set_item ROLE 1000 type_comp_process 0 MODIFY_SYSTEM_DATA

If this user should also be allowed to log in on a tty, the policy for RC role ``Login`` has to be extended for RC role ``Jens`` (1000).

rc_set_item ROLE 5 type_comp_user 1000 CHANGE_OWNER GET_STATUS_DATA SEARCH CHANGE_AUTHED_OWNER
wiki/experiences/igraltist/rc_old.txt · Last modified: 2011/09/11 17:57 by 127.0.0.1
