Back to igraltist's experiences /RSBAC RC
By default, RSBAC with the RC module uses these roles:
to run the system.
The permissions for these roles are hardcoded in the RSBAC code itself; otherwise the system won't work. Before setting any specific RC role for a service, you can detach the default running ``Boot-Role``. To do this, create a role ``Init``.
A binary always has two roles, an initial role and a force role.
The initial role is used to start a service, so it needs permission to read the necessary configuration files.
The force role is used to run the service; there is usually no reason for it to have permission to read the configuration files, for example.
However, if a service does not chown to another user, the process always runs with the initial role. This is surely the case for the init process, which is why this setup comes first.
``init`` never changes to a force role, so there is no reason to build one.
Save this as a shell script.
# init detached BOOT_ROLE 999999
TYPE=100
ROLE=100
FILE="/sbin/init"
NAME="Init"
# create role
rc_set_item ROLE ${ROLE} name "${NAME}"
# name the RC types, one per target class
rc_set_item TYPE ${TYPE} type_netdev_name "${NAME}_NETDEV"
rc_set_item TYPE ${TYPE} type_nettemp_name "${NAME}_NETTEMP"
rc_set_item TYPE ${TYPE} type_netobj_name "${NAME}_NETOBJ"
rc_set_item TYPE ${TYPE} type_user_name "${NAME}_User"
rc_set_item TYPE ${TYPE} type_group_name "${NAME}_Group"
rc_set_item TYPE ${TYPE} type_ipc_name "${NAME}_IPC"
rc_set_item TYPE ${TYPE} type_process_name "${NAME}_Process"
rc_set_item TYPE ${TYPE} type_fd_name "${NAME}_FD"
rc_set_item ROLE ${ROLE} def_user_create_type ${TYPE}
rc_set_item ROLE ${ROLE} def_process_create_type ${TYPE}
rc_set_item ROLE ${ROLE} def_process_chown_type ${TYPE}
rc_set_item ROLE ${ROLE} def_process_execute_type ${TYPE}
rc_set_item ROLE ${ROLE} def_ipc_create_type ${TYPE}
rc_set_item ROLE ${ROLE} def_group_create_type ${TYPE}
rc_set_item ROLE ${ROLE} def_fd_create_type ${TYPE}
rc_set_item ROLE ${ROLE} def_fd_ind_create_type ${TYPE} ${TYPE}
rc_set_item ROLE ${ROLE} def_unixsock_create_type ${TYPE}
# assign init role to file
attr_set_file_dir FILE "${FILE}" rc_initial_role ${ROLE}
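The script above as a reusable dry-run generator (an added example, not part of the original page or of RSBAC): the hypothetical `emit_role_setup` function validates its arguments and prints the same `rc_set_item` and `attr_set_file_dir` calls so they can be reviewed before being applied. It assumes the argument forms shown on this page and gives the nettemp type its own `_NETTEMP` name; the boot-role guard and the character whitelist are additions made here.

```shell
#!/bin/sh
# Added example (not from the original page): print the RC setup commands
# for one detached role so they can be reviewed before being applied.
BOOT_ROLE=999999   # boot role ID, from the comment in the page's script

fail() { echo "emit_role_setup: $1" >&2; return 1; }

# emit_role_setup ROLE TYPE NAME FILE -> one command per line on stdout
emit_role_setup() {
    role=$1; rtype=$2; name=$3; file=$4
    for id in "$role" "$rtype"; do
        case "$id" in
            ''|*[!0-9]*) fail "IDs must be decimal numbers"; return 1 ;;
        esac
    done
    [ "$role" -ne "$BOOT_ROLE" ] || { fail "refusing to redefine the boot role"; return 1; }
    # NAME and FILE end up inside double quotes in the output, so allow only
    # characters that cannot break out of them when the output is piped to sh.
    case "$name" in
        ''|*[!A-Za-z0-9_]*) fail "unsafe role name"; return 1 ;;
    esac
    case "$file" in
        /*) ;;
        *) fail "file must be an absolute path"; return 1 ;;
    esac
    case "$file" in
        *[!A-Za-z0-9_./-]*) fail "unsafe character in path"; return 1 ;;
    esac

    echo "rc_set_item ROLE $role name \"$name\""
    # type class : name suffix, as in the page's script
    for t in netdev:NETDEV nettemp:NETTEMP netobj:NETOBJ user:User \
             group:Group ipc:IPC process:Process fd:FD; do
        echo "rc_set_item TYPE $rtype type_${t%%:*}_name \"${name}_${t#*:}\""
    done
    for d in user_create process_create process_chown process_execute \
             ipc_create group_create fd_create unixsock_create; do
        echo "rc_set_item ROLE $role def_${d}_type $rtype"
    done
    echo "rc_set_item ROLE $role def_fd_ind_create_type $rtype $rtype"
    echo "attr_set_file_dir FILE \"$file\" rc_initial_role $role"
}

# Dry run with the page's values; append "| sh" on an RSBAC system to apply.
emit_role_setup 100 100 Init /sbin/init
```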
This setup is now deprecated (25.02.2010)
It can be generated with
rc_get_item -v -p htmlprint > rc_03.05.2009.html
A nice overview