New home directory

To make user management easier I create separate subdirectories for admin users and normal users. There are several reasons for this; one is that I protect the home directories with the RSBAC ACL and RC modules, and a fixed layout keeps those policies simple.

For convention I use this structure:

/home/
    admins/
        backuper/
        configer/
        security/
        updater/
    users/
        my_name/

Then update the home directory field in `/etc/passwd` for each user accordingly and move the existing home directories to their new place (`usermod -d` together with `-m` does both in one step).

Add new profile file

Add a new file in `/etc/profile.d`. Copy and paste the snippet below, or download it (profile).

Gentoo

# used by run-jail: search /usr/local/jails before every other directory
PATH=/usr/local/jails:$PATH
export PATH

# for the RC module: show the name of the current role in the prompt
rc_role_number=$(rc_get_current_role 2> /dev/null | awk '{ print $5 }')
rc_role=$(rc_get_item ROLE "$rc_role_number" name 2> /dev/null)
# only change the prompt when a role name could be resolved
if [ -n "$rc_role" ]; then
	export PS1="($rc_role) $PS1"
fi

Debian

pass

Why expand the path?

This is not strictly necessary, but it is practical when using `run-jail` to put `ping` or `wget` into a jail. With `/usr/local/jails` prepended, `bash` searches that directory first, so a symlink named `ping` (or any other program name) placed there is executed instead of the real binary. Two consequences follow: `/usr/local/jails` must be writable by root only, since anything dropped there shadows every other command, and the redirection only applies to login shells that source `/etc/profile.d` and to programs started by name rather than by full path.

The script `run-jail-helper` creates such a symlink and creates or modifies a jail policy:

run-jail-helper -h
usage: run-jail-helper [-h] [-m MODIFY] [-c CREATE] [-p PROG_NAME]
 
optional arguments:
  -h, --help            show this help message and exit
  -m MODIFY, --modify MODIFY
                        Modify a jail configuration file.
  -c CREATE, --create CREATE
                        Create a dummy jail configuration file.
  -p PROG_NAME, --prog-name PROG_NAME
                        Create a symlink so that a the progam is execute in
                        RSBAC jail always. The '/etc/profile' have to
                        prepared.
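The following is an added example, not code from the wiki page or from `run-jail-helper` itself. It demonstrates the PATH mechanism described above: a symlink named like the program, placed in a directory that is searched first, is what actually runs. It assumes that `run-jail` decides which jail to start from the name it was invoked as (the basename of `$0`); the jail directory is a parameter so the demo can use a temporary directory instead of `/usr/local/jails`.

```sh
#!/bin/sh
# Added example, not code from the wiki or from run-jail-helper.
# Assumption: run-jail dispatches on the name it was called as (basename $0).

# jail_link JAILDIR PROG TARGET: create JAILDIR/PROG -> TARGET
# Only an existing symlink is replaced; a regular file is never overwritten,
# so a stray binary dropped into the jail directory is noticed, not hidden.
jail_link() {
    jaildir=$1; prog=$2; target=$3
    mkdir -p "$jaildir" || return 1
    if [ -e "$jaildir/$prog" ] && [ ! -L "$jaildir/$prog" ]; then
        echo "refusing to replace regular file $jaildir/$prog" >&2
        return 1
    fi
    ln -sfn "$target" "$jaildir/$prog"
}

# resolve_with_jail JAILDIR PROG: print what a shell would execute for PROG
# once JAILDIR is prepended to PATH, exactly as the /etc/profile.d snippet does
resolve_with_jail() {
    ( PATH="$1:$PATH"; command -v "$2" )
}

# demo: a fake run-jail that only reports the jail name, then "ping" via the link
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/run-jail" <<'EOF'
#!/bin/sh
echo "run-jail: would start jail '$(basename "$0")' for: $*"
EOF
    chmod 755 "$tmp/run-jail"
    jail_link "$tmp/jails" ping "$tmp/run-jail"
    resolve_with_jail "$tmp/jails" ping              # -> $tmp/jails/ping
    ( PATH="$tmp/jails:$PATH"; ping -c 1 127.0.0.1 )  # runs the fake run-jail
    rm -rf "$tmp"
}
```

Call `demo` to see the redirection; the real `run-jail-helper -p` does the `jail_link` step against `/usr/local/jails`, which is why the profile snippet has to be in place first.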

Modify package managment

Why does the package management have to be modified?

The admin user updater manages the package management. The updater shell script can leave behind a file with RSBAC attributes that has to be executed at the end of every install procedure, so I use the package manager hooks to do this.

This differs for every distribution. I use Gentoo and Debian, so I have a way to plug in on both of these systems.

The paths below refer to the home directory setup above.

Gentoo

A new file `/etc/portage/bashrc` is needed.

Copy and paste it, or download it here (bashrc).

This is a prototype and may still change a bit; I am currently testing the structure. Portage runs this hook as root, so whatever lies under `/home/admins/updater/packages` is executed with root rights; that is one reason the admin home directories are protected by the RC/ACL policy.

post_pkg_postinst() {
    # per-package policy shipped with the system, applied first
    rsbac_attributes_initial="/etc/rsbac/packages/${CATEGORY}/${PN}/${PF}.sh"
    # policy maintained by the updater admin user, applied second
    rsbac_attributes="/home/admins/updater/packages/${CATEGORY}/${PN}/${PF}.sh"
    einfo "Applying rsbac attributes:"
    # first policy
    if [ -f "${rsbac_attributes_initial}" ]; then
        sh "${rsbac_attributes_initial}"
    else
        einfo "No rsbac attribute initial available"
    fi
    # second policy, if found
    if [ -f "${rsbac_attributes}" ]; then
        sh "${rsbac_attributes}"
    else
        einfo "No rsbac attribute available"
    fi
}

Debian

A new file `/etc/apt/apt.conf.d/80rsbac` is needed (apt reads its configuration fragments from `apt.conf.d`, not `apt.d`).

Copy and paste it, or download it here (80rsbac).

Not yet tested. Two things differ from the Portage hook: apt does not know Portage's `${CATEGORY}`, `${PN}` and `${PF}` and has no `einfo`, and `DPkg::Post-Invoke` only runs a list of quoted shell commands after every dpkg run, without telling them which packages were touched. The fragment therefore applies every attribute script it finds, initial policies first, then the updater's.

// /etc/apt/apt.conf.d/80rsbac  (apt.conf syntax: quoted shell commands, each terminated by ";")
DPkg::Post-Invoke {
    "echo Applying rsbac attributes:; for d in /etc/rsbac/packages /home/admins/updater/packages; do [ -d $d ] || { echo No rsbac attribute scripts in $d; continue; }; find $d -name '*.sh' -type f -exec sh {} ';'; done";
};
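The following is an added example, not code from the wiki page. It performs the same two-step lookup as the Gentoo `bashrc` hook above (initial policy from `/etc/rsbac/packages`, then the updater's own policy under the updater home directory), but checks each script before running it: the hook runs as root inside the package manager, so a script that is a symlink, owned by someone else, or writable by group or others would be a root code-execution path. It assumes that the base directories and the expected owner are passed as parameters (so the demo runs in a temporary tree) and that the package is identified as CATEGORY PN PF as Portage does; an apt hook that knew the package name could call `apply_attributes` the same way.

```sh
#!/bin/sh
# Added example, not the wiki's hook.  Assumptions: directories, owner and
# package identity (CATEGORY PN PF) are parameters instead of Portage variables.

# safe_to_run FILE OWNER: true if FILE is a regular file (not a symlink),
# owned by OWNER and not writable by group or others
safe_to_run() {
    f=$1; owner=$2
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # find prints the name only when every test holds
    [ -n "$(find "$f" -maxdepth 0 -user "$owner" ! -perm -g=w ! -perm -o=w 2>/dev/null)" ]
}

# apply_attributes INITIAL_DIR UPDATER_DIR OWNER CATEGORY PN PF
# Runs INITIAL_DIR/CATEGORY/PN/PF.sh first, then UPDATER_DIR/CATEGORY/PN/PF.sh.
# Returns 0 if everything present was applied, 2 if a script was rejected
# or failed.
apply_attributes() {
    initial="$1/$4/$5/$6.sh"
    extra="$2/$4/$5/$6.sh"
    owner=$3
    rc=0
    for script in "$initial" "$extra"; do
        if [ ! -e "$script" ] && [ ! -L "$script" ]; then
            echo "No rsbac attribute script $script"
        elif safe_to_run "$script" "$owner"; then
            echo "Applying rsbac attributes from $script"
            sh "$script" || rc=2
        else
            echo "REFUSING $script: symlink, wrong owner or writable by others" >&2
            rc=2
        fi
    done
    return $rc
}
```

In the real hook the owner would be `root` for `/etc/rsbac/packages` and `updater` for the updater's tree; a rejected script is reported but the package install itself is not rolled back, so the exit code should be logged where the updater will see it.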

NFS Portage

When the portage tree is stored on an NFSv4 server, a few modifications are needed.

  • Add the user updater (uid=410, gid=410) on the NFSv4 server. This example is for a Debian machine acting as portage NFSv4 server. The numeric ids must match those on the clients: with `root_squash` in the export, root on a client is mapped to the anonymous user, so only uid/gid 410 can write to (and, with the 640 file mode below, read) the tree.
addgroup --gid 410 updater
adduser  --home /srv/nfs4/portage --gid 410 --uid 410 --disabled-password --disabled-login updater
  • Add portage tree to exportfs
/srv/nfs4/portage	192.168.0.0/24(rw,sync,insecure,nohide,no_subtree_check,root_squash)
  • Add portage tree to fstab
/mnt/portage		/srv/nfs4/portage	none	bind	0	0
  • Modify the file permissions on the exported portage tree (`-exec ... +` instead of `xargs`, so file names with spaces do not break the loop)
cd /srv/nfs4/portage
chown -Rv updater:updater .
find . -type d -exec chmod 755 {} +
find . -type f -exec chmod 640 {} +

Modify make.conf for emerge --sync

When the portage tree is mounted via NFS, RSBAC creates its attribute store directory `rsbac.dat` in the root of that mount, as it does on every filesystem it manages, and protects it. `emerge --sync` then fails because rsync can neither read nor delete it:

rsync: readdir("/usr/portage/rsbac.dat"): Operation not permitted (1)
rsync: delete_file: rmdir(rsbac.dat) failed: Operation not permitted (1)

To exclude it, add this line to `make.conf`:

PORTAGE_RSYNC_EXTRA_OPTS="--exclude=/rsbac.dat"
wiki/experiences/igraltist/setup.txt · Last modified: 2013/08/09 11:57 by 127.0.0.1

wiki/experiences/igraltist/setup.txt · Last modified: 2013/08/09 11:57 by 127.0.0.1
This website is kindly hosted by m-privacy