No events planned
Put in a simple manner, RSBAC restricts the access a subject has on different objects.
The subjects are in fact processes (and associated libraries), acting on the behalf of users. And every process runs as a user.
The objects can be filesystem objects (files, directories, ...), network accesses (to ips, ports, ...), other users, processes, network devices, special system objects ...
To make things possible to manage, RSBAC categorises these objects as in the table shown below.
The objects, in RSBAC, are called Targets.
|FILE||Files, including device special files. Identified by device and inode number.|
|DIR||Directories, identified by device and inode number.|
|FIFO||FIFO special files|
|DEV||Devices, identified by type (char or block), major and minor number|
|IPC||InterProcess Communication: Semaphores (sem), Messages (msg), Shared Memory (shm), Sockets (sock)|
|SCD||System Control Data: Objects affecting the whole system. This target type is the only one with a fixed number of objects, identified by number (see below).|
|USER||Users as objects, mostly for access control information (ACI).|
|PROCESS||Processes as objects.|
|NETDEV||Network Device, identified by name.|
|NETTEMP||Network Template, identified by index number. Access control: access to template itself, RC Administration: access to values/settings for both template and NETOBJ, ACL administration: Default ACLs for NETOBJ|
|NETOBJ||Network Object, identified by internal pointer to struct socket. Attribute values mostly inherited from NETTEMP settings.|
|NETTEMP_NT||ACL administration only, ACL entries for NETTEMP objects themselves.|
|NONE||No object associated with this request. In some models (RC, ACL) this is internally changed into SCD target “other”.|
|FD||(Only in tools for convenience, not a real Target): Let the command line tool decide between types FILE and DIR|
System Control Data (SCD) targets subset:
|clock||System time and date|
|ioports||Access Control for direct hardware access|
|rlimit||Setting process ressource limits|
|swap||Control of swapping|
|rsbac||RSBAC data in /proc|
|rsbaclog||RSBAC own log|
|kmem||Direct access to kernel memory via proc or device|
|other||Any other SCD not specified separately, otherwise only internal in RC and ACL: Substitute for target NONE (sysctl administration)|
|network||General networking, like routing, arp etc. (Devices are protected as NETDEV targets!)|
|firewall||Firewall settings, packet filter etc.|
|priority||Set scheduler priority (nice value)|
|sysfs||Administrate through sysf|
|rsbac_remote_log||Settings for RSBAC remote logging|
|sysctl||Administrate through sysctl|
|nfsd||Kernel NFS server administration|
|capability||Change Linux capabilities|
|auth_administration||(only in RC and ACL): AUTH model administration|
Appendix: Targets and Requests
Note: the appendix also lists requests, which are explained in the next section of this handbook.