[[wiki:experiences/igraltist#RC Setup|Back to igraltist's experiences / RC Modules]]

===== Local =====

== Local Login ==

Only needed if such a setup is wanted. Only the ``security-user`` and ``root-user`` are allowed to log in locally.\\
For local login I am creating a new RC role ``Login`` and assigning it to ``/bin/login``:

<code>
rc_set_item ROLE 5 name "Login"
attr_set_file_dir FILE "/bin/login" rc_initial_role 5
attr_set_file_dir FILE "/bin/login" rc_force_role 4294967295
</code>

Policy for RC role ``Login`` (note that ``rc_set_item`` replaces the rights vector for a role/type pair, so each pair is set only once here):

<code>
rc_set_item ROLE 5 type_comp_process 0 CREATE GET_STATUS_DATA
rc_set_item ROLE 5 type_comp_ipc 0 CLOSE CREATE WRITE
rc_set_item ROLE 5 type_comp_dev 0 CLOSE GET_PERMISSIONS_DATA MODIFY_PERMISSIONS_DATA IOCTL
rc_set_item ROLE 5 type_comp_group 0 READ SEARCH
rc_set_item ROLE 5 type_comp_fd 0 APPEND_OPEN CHANGE_OWNER CLOSE GET_PERMISSIONS_DATA GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH TRUNCATE WRITE WRITE_OPEN MAP_EXEC CONNECT SEND LOCK
</code>

Policy to allow users to log in locally:\\
This is set for ``uid 1 (Security_Admin)`` and ``uid 2 (System_Admin)`` so they can log in on a tty.

<code>
rc_set_item ROLE 5 type_comp_user 1 CHANGE_OWNER GET_STATUS_DATA SEARCH AUTHENTICATE CHANGE_AUTHED_OWNER
rc_set_item ROLE 5 type_comp_user 2 CHANGE_OWNER GET_STATUS_DATA SEARCH AUTHENTICATE CHANGE_AUTHED_OWNER
rc_set_item ROLE 5 type_comp_user 0 CHANGE_OWNER GET_STATUS_DATA SEARCH CHANGE_AUTHED_OWNER
</code>

===== Remote =====

== Remote Login ==

To log in over ssh I am creating an RC role ``Sshd``.\\
This role is applied to ``/usr/sbin/sshd`` as initial role, and as force role I choose the value below.\\
This allows switching to other roles, for example to RC role 2 for the root user.
<code>
rc_set_item ROLE 6 name "Sshd"
attr_set_file_dir FILE "/usr/sbin/sshd" rc_initial_role 6
attr_set_file_dir FILE "/usr/sbin/sshd" rc_force_role 4294967295
</code>

Create a ``rc_type_fd`` and assign it to RC role ``Sshd``:

<code>
rc_set_item ROLE 6 def_fd_create_type 6
rc_set_item ROLE 6 def_fd_ind_create_type 6 6
rc_set_item ROLE 6 def_unixsock_create_type 6
</code>

Assign ``rc_type_fd 6`` to ``/dev/pts``:

<code>
attr_set_file_dir DIR "/dev/pts" rc_type_fd 6
</code>

Create a ``rc_type_fd`` for the ``/etc/ssh`` configuration files and assign it:

<code>
rc_set_item TYPE 7 type_fd_name "SshdConfig_FD"
attr_set_file_dir DIR "/etc/ssh" rc_type_fd 7
</code>

Create a ``nettemplate`` for port 22 on the given IP address, create RC fd-types for the nettemplate and assign them:

<code>
net_temp set_name 4 "Sshd"
net_temp set_address_family 4 INET
net_temp set_type 4 STREAM
# replace the 0.0.0.0 with real ip address
net_temp -d set_address 4 0.0.0.0
net_temp set_protocol 4 TCP
net_temp set_netdev 4 "eth0"
net_temp set_ports 4 22
rc_set_item TYPE 4 type_netdev_name "Sshd"
rc_set_item TYPE 4 type_nettemp_name "Sshd"
rc_set_item TYPE 4 type_netobj_name "Sshd"
attr_set_net NETTEMP rc_type 4 4
attr_set_net NETTEMP rc_type_nt 4 4
</code>

Policy for RC role ``Sshd``:\\
Description:\\
Needs to read data in ``/usr, /lib, /etc``:

<code>
rc_set_item ROLE 6 type_comp_fd 0 CHANGE_OWNER CHDIR CLOSE EXECUTE GET_STATUS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH MAP_EXEC
</code>

Needs to read the ``/etc/ssh`` directory:

<code>
rc_set_item ROLE 6 type_comp_fd 7 CLOSE GET_STATUS_DATA READ READ_OPEN SEARCH
</code>

Needs to write the pidfile ``/var/run/sshd.pid``. Before, it was set that RC role ``Sshd`` should use ``rc_type_fd 6`` for file creation and have access to ``rc_type_fd 6`` on directory ``/dev/pts``:

<code>
rc_set_item ROLE 6 type_comp_fd 6 CHANGE_OWNER CLOSE CREATE DELETE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_OPEN SEARCH WRITE WRITE_OPEN
</code>

Needs access to ``rc_type_fd 4``, which is assigned to ``/var/log``:
<code>
rc_set_item ROLE 6 type_comp_fd 4 CLOSE GET_STATUS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH WRITE WRITE_OPEN LOCK
</code>

Needs access to ``rc_type_fd 5``, which is assigned to ``/var/run``:

<code>
rc_set_item ROLE 6 type_comp_fd 5 CHDIR CLOSE CREATE GET_STATUS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH WRITE LOCK
</code>

Needs to send data to ``/dev/log``. RC role ``Syslog`` has ``rc_type_fd 10`` for file creation:

<code>
rc_set_item ROLE 6 type_comp_fd 10 CONNECT SEND
</code>

Extended policy for RC role ``System Admin``:

<code>
rc_set_item ROLE 2 type_comp_fd 6 CLOSE GET_STATUS_DATA READ READ_OPEN SEARCH
rc_set_item ROLE 2 type_comp_fd 7 CLOSE GET_STATUS_DATA READ READ_OPEN SEARCH
</code>

===== Test =====

== Test login ==

To test whether it works, log in and type:

<code>
rc_get_current_role
</code>

It should show the RC role assigned to the user. Next, test whether the correct file permissions are obtained when creating a file in the user's home directory:

<code>
touch create_test
ls -la create_test
</code>

This should show the correct file permissions for the logged-in user. You can also look at [[wiki:experiences/igraltist/rc/testing|Testing RC setup]] for more tests.
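As an added example (not part of this page and not an RSBAC tool), here is a small Python audit script for reviewing the ``Login`` and ``Sshd`` policies above offline, before loading them on the box: it parses ``rc_set_item ROLE ... type_comp_* ...`` lines, reports per role which user types hold ``AUTHENTICATE`` and which fd types are writable, and flags a later line that silently overrides an earlier rights vector for the same role/class/type (``rc_set_item`` replaces the vector, it does not add to it). The embedded policy text is constructed from the entries above, with one duplicated ``type_comp_ipc`` line included on purpose to show the override check; the function names are my own.

```python
"""Offline audit of RSBAC RC policy commands (rc_set_item ROLE ... type_comp_* ...).

Added example: parses rc_set_item lines from a setup script and answers a few
policy-review questions without needing RSBAC on the machine running it.
"""
import re
from collections import OrderedDict

# Constructed sample: rc_set_item lines for role 5 (Login) and role 6 (Sshd).
# The type_comp_ipc line appears twice on purpose to exercise the override check.
POLICY = """
rc_set_item ROLE 5 name "Login"
rc_set_item ROLE 5 type_comp_ipc 0 CLOSE CREATE
rc_set_item ROLE 5 type_comp_process 0 CREATE GET_STATUS_DATA
rc_set_item ROLE 5 type_comp_ipc 0 CLOSE CREATE WRITE
rc_set_item ROLE 5 type_comp_user 1 CHANGE_OWNER GET_STATUS_DATA SEARCH AUTHENTICATE CHANGE_AUTHED_OWNER
rc_set_item ROLE 5 type_comp_user 2 CHANGE_OWNER GET_STATUS_DATA SEARCH AUTHENTICATE CHANGE_AUTHED_OWNER
rc_set_item ROLE 5 type_comp_user 0 CHANGE_OWNER GET_STATUS_DATA SEARCH CHANGE_AUTHED_OWNER
rc_set_item ROLE 6 name "Sshd"
rc_set_item ROLE 6 type_comp_fd 0 CHANGE_OWNER CHDIR CLOSE EXECUTE GET_STATUS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH MAP_EXEC
rc_set_item ROLE 6 type_comp_fd 7 CLOSE GET_STATUS_DATA READ READ_OPEN SEARCH
rc_set_item ROLE 6 type_comp_fd 6 CHANGE_OWNER CLOSE CREATE DELETE GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_OPEN SEARCH WRITE WRITE_OPEN
rc_set_item ROLE 6 type_comp_fd 10 CONNECT SEND
"""

# rc_set_item ROLE <role> type_comp_<class> <type> <right> [<right> ...]
LINE_RE = re.compile(
    r'^rc_set_item\s+ROLE\s+(?P<role>\d+)\s+type_comp_(?P<cls>\w+)\s+(?P<type>\d+)\s+(?P<rights>.*)$')
# rc_set_item ROLE <role> name "<name>"
NAME_RE = re.compile(r'^rc_set_item\s+ROLE\s+(?P<role>\d+)\s+name\s+"(?P<name>[^"]*)"')


def parse_policy(text):
    """Return (names, rights, superseded).

    rights[(role, cls, type)] is the right set from the LAST rc_set_item for
    that triple, mirroring the replace semantics of the command.
    superseded lists (key, old_rights, new_rights) for every earlier entry
    that a later line overrode.
    """
    names, rights, superseded = {}, OrderedDict(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = NAME_RE.match(line)
        if m:
            names[int(m['role'])] = m['name']
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # other rc_set_item / attr_set_* lines are not audited here
        key = (int(m['role']), m['cls'], int(m['type']))
        new = frozenset(m['rights'].split())
        if key in rights:
            superseded.append((key, rights[key], new))
        rights[key] = new
    return names, rights, superseded


def holders_of(rights, role, cls, right):
    """Sorted type ids of class `cls` on which `role` holds `right`."""
    return sorted(t for (r, c, t), v in rights.items()
                  if r == role and c == cls and right in v)


def authenticate_targets(rights, role):
    """User type ids the role may AUTHENTICATE as (who can log in through it)."""
    return holders_of(rights, role, 'user', 'AUTHENTICATE')


def writable_fd_types(rights, role):
    """fd type ids the role may WRITE to."""
    return holders_of(rights, role, 'fd', 'WRITE')


if __name__ == '__main__':
    names, rights, superseded = parse_policy(POLICY)
    for role in sorted(names):
        print(f"role {role} ({names[role]}): AUTHENTICATE as user types "
              f"{authenticate_targets(rights, role)}, WRITE on fd types "
              f"{writable_fd_types(rights, role)}")
    for key, old, new in superseded:
        print(f"note: {key} set twice; {sorted(old)} replaced by {sorted(new)}")
```

Run it against the real setup script by replacing ``POLICY`` with the file contents; an unexpected id in the ``AUTHENTICATE`` list, or a ``WRITE`` on fd type 0, is the kind of thing to catch before the rules go live.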