Subjects and Objects

Put simply, RSBAC restricts the access a subject has to different objects.

The subjects are in fact processes (and their associated libraries), acting on behalf of users; every process runs as a user.

The objects can be filesystem objects (files, directories, …), network accesses (to IP addresses, ports, …), other users, processes, network devices, special system objects, and so on.

To make things possible to manage, RSBAC categorises these objects as in the table shown below.

The objects, in RSBAC, are called Targets.

Type        Description
----------  -----------
FILE        Files, including device special files. Identified by device and inode number.
DIR         Directories, identified by device and inode number.
FIFO        FIFO special files.
DEV         Devices, identified by type (char or block), major and minor number.
IPC         InterProcess Communication: semaphores (sem), messages (msg), shared memory (shm), sockets (sock).
SCD         System Control Data: objects affecting the whole system. This target type is the only one with a fixed number of objects, identified by number (see below).
USER        Users as objects, mostly for access control information (ACI).
PROCESS     Processes as objects.
NETDEV      Network device, identified by name.
NETTEMP     Network template, identified by index number. Access control: access to the template itself. RC administration: access to values/settings for both template and NETOBJ. ACL administration: default ACLs for NETOBJ.
NETOBJ      Network object, identified by internal pointer to struct socket. Attribute values mostly inherited from NETTEMP settings.
NETTEMP_NT  ACL administration only: ACL entries for NETTEMP objects themselves.
NONE        No object associated with this request. In some models (RC, ACL) this is internally changed into SCD target “other”.
FD          (Only in tools for convenience, not a real target.) Lets the command line tool decide between types FILE and DIR.
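
As an added illustration (not code from the RSBAC project or its tools), the following Python resolves the convenience type FD to a real target the way the table describes, keying FILE, DIR and FIFO by device and inode and DEV by type, major and minor number; the sample tree it classifies is constructed in a temporary directory.

```python
import os
import stat
import tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class Target:
    type: str      # FILE, DIR, FIFO or DEV, as in the target table
    ident: tuple   # (device, inode) for FILE/DIR/FIFO; (char|block, major, minor) for DEV

def fd_target(path: str) -> Target:
    """Resolve the tools' convenience type FD to a real target: DIR for directories,
    FIFO for named pipes, FILE for any other node (regular file, symlink, device
    node); all keyed by (device, inode). lstat() keeps a symlink's own inode."""
    st = os.lstat(path)
    if stat.S_ISDIR(st.st_mode):
        kind = "DIR"
    elif stat.S_ISFIFO(st.st_mode):
        kind = "FIFO"
    else:
        kind = "FILE"
    return Target(kind, (st.st_dev, st.st_ino))

def dev_target(path: str):
    """A device node is a FILE by inode, but opening it also touches the DEV target
    keyed by type, major and minor number. Returns None for non-devices."""
    st = os.stat(path)
    if stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode):
        kind = "char" if stat.S_ISCHR(st.st_mode) else "block"
        return Target("DEV", (kind, os.major(st.st_rdev), os.minor(st.st_rdev)))
    return None

def demo() -> dict:
    """Classify a constructed sample tree: a directory, a file, a FIFO, a hard link."""
    with tempfile.TemporaryDirectory() as root:
        file_path = os.path.join(root, "data.txt")
        with open(file_path, "w") as fh:
            fh.write("sample\n")
        fifo_path = os.path.join(root, "pipe")
        os.mkfifo(fifo_path)
        link_path = os.path.join(root, "data.lnk")
        os.link(file_path, link_path)   # a second name for the same inode
        return {
            "dir": fd_target(root),
            "file": fd_target(file_path),
            "fifo": fd_target(fifo_path),
            "file_dev": dev_target(file_path),   # regular file: no DEV target
            "same_inode": fd_target(link_path) == fd_target(file_path),
            "null_dev": dev_target("/dev/null") if os.path.exists("/dev/null") else None,
        }
```

Note that a hard link yields the same FILE target as the original name, which is exactly why RSBAC identifies filesystem objects by inode rather than by path.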
System Control Data (SCD) targets subset:

Name                 Description
-------------------  -----------
time_strucs          System timer
clock                System time and date
host_id              Host name
net_id               Domain name
ioports              Access control for direct hardware access
rlimit               Setting process resource limits
swap                 Control of swapping
syslog               System log
rsbac                RSBAC data in /proc
rsbaclog             RSBAC's own log
kmem                 Direct access to kernel memory via proc or device
other                Any other SCD not specified separately; otherwise only internal in RC and ACL, as a substitute for target NONE (sysctl administration)
network              General networking, such as routing, ARP etc. (devices are protected as NETDEV targets!)
firewall             Firewall settings, packet filter etc.
priority             Set scheduler priority (nice value)
sysfs                Administration through sysfs
rsbac_remote_log     Settings for RSBAC remote logging
quota                Quota administration
sysctl               Administration through sysctl
nfsd                 Kernel NFS server administration
ksyms                Kernel symbols
mlock                Memory locking
capability           Change Linux capabilities
kexec                kexec restrictions (permission to load a new kernel)
videomem             Direct access to video memory via proc or device
auth_administration  (Only in RC and ACL) AUTH model administration

Appendix: Targets and Requests

Note: the appendix also lists requests, which are explained in the next section of this handbook.
