
run-jail

run-jail is a Python script. Two files are necessary to use it.

Syntax of the config file

; example daemon
; date 0.0.0000
; tested by 
""
""
()
()
()
()

Explanation of the syntax

The jail configuration file is separated into 6 categories.

The two "" lines are:
1. "" chroot path
2. "0.0.0.0" IP address

Explanation of point 2.

It is possible to set "auto", "interface", "ip-address" or "".
"auto":
  If auto is set, it looks with /sbin/route for the default UG, takes this interface
  and takes the IP address from this interface.
  If no default UG is found, it sets the IP address from localhost.
"interface":
  If an interface is set, it sets the IP address from /sbin/ifconfig interface.
"ip-address":
  If an IP address is set, it validates the IP address and sets it.
  If the IP address is not associated with an interface, then rsbac-jail throws an exception.
"":
  If the empty string "" is given, it is set to 0.0.0.0, which means ignore IP.

The () categories stand for:
3. () => jail_flags
4. () => cap_max
5. () => scd GET_STATUS_DATA
6. () => scd MODIFY_SYSTEM_DATA

The values for the categories in points 3-6 must be separated by a newline!
Example:
 (allow-all-net-family
  allow-external-ipc
  allow-dev-read
  auto-adjust-ip-address)
 
 (allow-all-net-family
  
   allow-external-ipc
  allow-dev-read
  
  auto-adjust-ip-address
 )  
  
 (
  allow-all-net-family
       allow-external-ipc
     allow-dev-read
           auto-adjust-ip-address
 )

Prepare to use run-jail

Three important preparations are necessary.

  1. Configure the Jail support.
  2. Include RSBAC Debug support 1)
  3. Enable Jail debugging at runtime 2)

I have placed all configuration files under ‘/etc/rsbac/jail/’. I took it from another old Adamantix system.

To make it easy to remember, I do

ln -s /path_to/run-jail.py /bin/run-jail

To get rid of this message, which is printed many times and is not really needed:

<6>0000000131|rsbac_adf_request(): request GET_STATUS_DATA, pid 1586, ppid 1585, prog_name start-stop-daem, prog_file /sbin/start-stop-daemon, uid 0, target_type PROCESS, tid 1585, attr none, value none, result NOT_GRANTED by JAIL

do:

 switch_adf_log GET_STATUS_DATA PROCESS 0

Usage run-jail

  usage: run-jail jail-config-name cmd ...

example for init scripts

  run-jail postfix /usr/sbin/postfix start
 
  run-jail pdnsd start-stop-daemon --start --quiet --exec /usr/sbin/pdnsd \
		-- -t -s -d -p /var/run/pdnsd.pid ${PDNSDCONFIG}

example for pdnsd

pdnsd-jail-config

;
; RSBAC JAIL definition for pdnsd
; 20081407
;
; Tested by:
; Jens Kasten (igraltist) on gentoo
;
 
""
"0.0.0.0"
(allow-dev-read
 allow-dev-write
 allow-inet-raw
 allow-ipc-syslog
 allow-ipc-parent)
(setgid
 setuid
 net-bind-service
 net-raw
 sys-ptrace
 sys-resource)
(sysctl)
(rlimit
 priority)

Restart the service.

/etc/init.d/pdnsd restart
 
This is what is executed now:
rsbac_jail  -d -D -r -y -P -C  SETGID SETUID NET_BIND_SERVICE NET_RAW SYS_PTRACE SYS_RESOURCE -G  sysctl -M  rlimit priority start-stop-daemon  --start --quiet --exec /usr/sbin/pdnsd -- -t -s -d -p /var/run/pdnsd.pid
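
The six-category file format and the -C, -G and -M parts of the command line above, as an added example that is not run-jail's own code: a small Python parser (all function names are hypothetical) that reads the file, rejects () values that are not newline-separated, classifies the IP field and upper-cases cap_max as it appears after -C. The mapping of jail_flags to the single-letter rsbac_jail options is not listed on this page and is left out.

```python
import ipaddress
import re

FIELDS = ("chroot", "ip", "jail_flags", "cap_max", "scd_get", "scd_modify")
SAMPLE = '''; constructed copy of the pdnsd config on this page, uneven whitespace
""
"0.0.0.0"
(allow-dev-read
 allow-dev-write
   allow-inet-raw

 allow-ipc-syslog
 allow-ipc-parent)
(setgid
 setuid
 net-bind-service
 net-raw
 sys-ptrace
 sys-resource)
(sysctl)
(rlimit
      priority )
'''

def parse_jail_config(text):
    # Drop ';' comment lines, then expect two "" strings and four () groups.
    body = "\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith(";"))
    strings = re.findall(r'"([^"\n]*)"', body)
    groups = []
    for raw in re.findall(r"\(([^()]*)\)", body):
        values = [v.strip() for v in raw.splitlines() if v.strip()]
        if any(len(v.split()) > 1 for v in values):
            raise ValueError("values inside () must be separated by a newline")
        groups.append(values)
    if len(strings) != 2 or len(groups) != 4:
        raise ValueError("expected 2 quoted strings and 4 () groups")
    return dict(zip(FIELDS, [strings[0], strings[1] or "0.0.0.0", *groups]))

def ip_mode(value):
    # Category 2: "" or 0.0.0.0 = ignore IP, "auto", IPv4 address, else interface.
    if value in ("", "0.0.0.0"):
        return "ignore"
    try:
        ipaddress.IPv4Address(value)
        return "ip-address"
    except ValueError:
        return "auto" if value == "auto" else "interface"

def cap_names(cfg):  # cap_max as printed after -C in the command line above
    return [c.upper().replace("-", "_") for c in cfg["cap_max"]]
```
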

Explanation of how to get values for the jail config

As the security user, run:

cat /proc/rsbac-info/rmsg

See jail-explain-message.

Jail configuration files

These policies are tested and working so far.



Jail-Wrapper

If you also want, for example, ‘ping’ or ‘wget’ jailed, then simply do

mkdir /a_bin /a_sbin

and modify the ‘/etc/profile’.

--- profile_org	2008-07-14 06:00:39.000000000 +0200
+++ profile	2008-07-14 06:11:30.000000000 +0200
@@ -22,9 +22,9 @@
 # This way the evaluation can be short-circuited and calling whoami is
 # avoided.
 if [ "$EUID" = "0" ] || [ "$USER" = "root" ] ; then
-	PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:${ROOTPATH}"
+	PATH="/a_bin:/a_sbin:/usr/local/kvm/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:${ROOTPATH}"
 else
-	PATH="/usr/local/bin:/usr/bin:/bin:${PATH}"
+	PATH="/a_bin:/usr/local/bin:/usr/bin:/abin:${PATH}"
 fi
 export PATH
 unset ROOTPATH
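
Review bot: in the non-root branch the new PATH line replaces /bin with /abin, so /bin is dropped from this assignment and /abin is not one of the directories created for the wrappers (those are /a_bin and /a_sbin); this looks like a typo and the entry should stay /bin. The root branch also gains /usr/local/kvm/bin, which has nothing to do with the jail wrapper and should be left out of this change. Because /a_bin and /a_sbin are now searched before every system directory, including for root, both directories should be owned by root and writable by nobody else, otherwise any file placed there shadows the system binaries.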

To update the PATH, run:

source /etc/profile

The Linux search path order is alphabetical. So when a directory name starts with ‘a_’, it will always be the first one searched. I take ‘ping’ as the example.

Simply create a file ‘/a_bin/jail-wrapper’ with this content.

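#!/bin/bash
# Directory that holds this wrapper and its symlinks
dir="/a_bin/"
# Search path without /a_bin, so the real program is found instead of this wrapper
PATH=/bin:/usr/bin:/usr/local/bin
# Name the wrapper was called as, i.e. the symlink name such as ping
name="${0##*/}"
# Run the real program inside the jail whose config has the same name
run-jail "${name}" "${name}" "${@}" &

Then make the wrapper executable and link it under the name of the program:

chmod +x /a_bin/jail-wrapper
cd /a_bin
ln -s jail-wrapper ping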

For ‘/a_sbin/jail-wrapper’ follow the same procedure, but extend the PATH and set dir="/a_sbin"

PATH=/bin:/sbin:/usr/bin:/usr/sbin/:/usr/local/bin:/usr/local/sbin

That's all. Now the ping jail config has to exist in the directory ‘/etc/rsbac/jail’.

If this wrapper should no longer be in effect, simply undo the change to ‘/etc/profile’ or move ‘/a_bin’ to ‘/a_sbin’. Then the original /bin/ping is executed again, without rsbac_jail.


1) RSBAC → General Options → RSBAC-Debugging
2) echo debug_adf_jail 1 > /proc/rsbac-info/debug