====== RC Module ======

== RC Testsetup ==

To get a more verbose description of what is missing in the RC policy, set the following debug options. Append them to the ``kernel`` line of the RSBAC kernel entry in ``/boot/grub/menu.lst``:

  rsbac_softmode rsbac_nosyslog rsbac_cap_process_hiding rsbac_debug_adf_auth rsbac_debug_adf_rc rsbac_debug_adf_jail rsbac_debug_adf_um rsbac_debug_jail_log_missing rsbac_debug_cap_log_missing

They can also be entered at the GRUB prompt.

By default, RSBAC with the RC module uses these roles to run the system:

  * General_User 0
  * Role_Admin 1
  * System_Admin 2
  * Auditor 3

The permissions for these roles are hardcoded in the RSBAC code itself; otherwise the system would not work.

Before setting a specific RC role for a service, you can detach the default running ``Boot-Role``. For this you can create a role ``Init``.

== Short explanation ==

A binary always has two roles: an initial role and a force role.\\
The initial role is used to start a service, so it needs permission to read the necessary configuration files.\\
The force role is used to run the service; it usually has no reason to hold permission to read the configuration files, for example.

However, if a service does not chown to another user, the process always runs with the initial role. This is certainly the case for the init process, which is why this setup comes first.

===== Init =====

== RC role on init (optional but nice to have) ==

``init`` never changes to a force role, so there is no reason to build one.

I start by setting an RC role named ``Init`` as the initial role on ``/sbin/init``. See setup: [[rc#rc_role_for_init_process|RC role for init process]]

For the system I use the numbers from 100 upward.

The following directories get an RC fd type:

  * /bin
  * /boot
  * /etc
  * /dev
  * /lib
  * /home
  * /sbin
  * /mnt
  * /opt
  * /usr
  * /var
  * /var/log
  * /var/run

For the special directories the type is applied again at each boot:

  * /proc
  * /sys

Examples:

Create two new ``rc_type_fd``:

  rc_set_item TYPE 4 type_fd_name "VarLog_FD"
  rc_set_item TYPE 5 type_fd_name "VarRun_FD"

Assign them to ``/var/log`` and ``/var/run``:

  attr_set_file_dir DIR "/var/log" rc_type_fd 4
  attr_set_file_dir DIR "/var/run" rc_type_fd 5

After rebooting the system, the log file prints entries such as:

  Fri May 1 13:12:47 2009 :<7>0000460885|check_comp_rc(): pid 1 (init), owner 0, rc_role 4, DIR rc_type 0, request SEARCH -> NOT_GRANTED!
  Fri May 1 13:12:47 2009 :<6>0000460886|rsbac_adf_request(): request SEARCH, pid 1, ppid 0, prog_name init, prog_file /sbin/init, uid 0, target_type DIR, tid Device 00:12 Inode 74 Path /dev, attr none, value none, result NOT_GRANTED (Softmode) by RC

Policy for role ``Init``:

  rc_set_item ROLE 4 type_comp_fd 0 APPEND_OPEN CHANGE_OWNER CHDIR CLOSE CREATE DELETE EXECUTE GET_PERMISSIONS_DATA GET_STATUS_DATA LINK_HARD MODIFY_ACCESS_DATA MODIFY_PERMISSIONS_DATA MOUNT READ READ_WRITE_OPEN READ_OPEN RENAME SEARCH TRUNCATE UMOUNT WRITE WRITE_OPEN MAP_EXEC CONNECT SEND LOCK
  rc_set_item ROLE 4 type_comp_fd 2 CLOSE DELETE EXECUTE GET_STATUS_DATA READ READ_WRITE_OPEN READ_OPEN
  rc_set_item ROLE 4 type_comp_dev 0 ADD_TO_KERNEL CLOSE GET_PERMISSIONS_DATA GET_STATUS_DATA MODIFY_PERMISSIONS_DATA MOUNT READ READ_WRITE_OPEN READ_OPEN UMOUNT WRITE WRITE_OPEN IOCTL
  rc_set_item ROLE 4 type_comp_user 0 CHANGE_OWNER GET_STATUS_DATA SEARCH
  rc_set_item ROLE 4 type_comp_process 0 CREATE GET_STATUS_DATA MODIFY_SYSTEM_DATA SEND_SIGNAL
  rc_set_item ROLE 4 type_comp_ipc 0 CLOSE CREATE MODIFY_SYSTEM_DATA READ WRITE LISTEN SEND NET_SHUTDOWN
  rc_set_item ROLE 4 type_comp_scd 0 MODIFY_SYSTEM_DATA
  rc_set_item ROLE 4 type_comp_scd 1 MODIFY_SYSTEM_DATA
  rc_set_item ROLE 4 type_comp_scd 2 MODIFY_SYSTEM_DATA
  rc_set_item ROLE 4 type_comp_scd 6 MODIFY_SYSTEM_DATA
  rc_set_item ROLE 4 type_comp_scd 8 MODIFY_SYSTEM_DATA
  rc_set_item ROLE 4 type_comp_scd 10 SHUTDOWN SWITCH_LOG
  rc_set_item ROLE 4 type_comp_scd 12 MODIFY_SYSTEM_DATA
  rc_set_item ROLE 4 type_comp_scd 14 MODIFY_ATTRIBUTE MODIFY_SYSTEM_DATA
  rc_set_item ROLE 4 type_comp_scd 15 GET_STATUS_DATA MODIFY_SYSTEM_DATA
  rc_set_item ROLE 4 type_comp_group 0 READ SEARCH
  rc_set_item ROLE 4 type_comp_netdev 0 GET_STATUS_DATA MODIFY_SYSTEM_DATA BIND
  rc_set_item ROLE 4 type_comp_netobj 0 CLOSE CREATE GET_STATUS_DATA MODIFY_SYSTEM_DATA BIND LISTEN CONNECT SEND RECEIVE IOCTL
  rc_set_item ROLE 4 type_comp_fd 7 SEARCH

The role needs to send data to ``rc_type_fd 10``, which is defined as the file create type of RC role ``Syslog``.

  rc_set_item ROLE 4 type_comp_fd 10 CONNECT SEND

It needs access to ``rc_type_fd 4``, which is assigned to ``/var/log``.

  rc_set_item ROLE 4 type_comp_fd 4 APPEND_OPEN CLOSE CREATE GET_PERMISSIONS_DATA GET_STATUS_DATA SEARCH TRUNCATE WRITE WRITE_OPEN MAP_EXEC LOCK

It needs access to ``rc_type_fd 5``, which is assigned to ``/var/run``.

  rc_set_item ROLE 4 type_comp_fd 5 CHANGE_OWNER CHDIR CLOSE CREATE GET_PERMISSIONS_DATA GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH TRUNCATE WRITE WRITE_OPEN LOCK

===== Private Homedirectories =====

== Setup RC fd-types ==

To obtain privacy, I associate the RC type with the RC role and set the ``rc_type_fd`` on the user's home directory.

My system has a security user with ``uid`` and ``gid`` 400, and its home directory is located at ``/security``.

**Security-User**

  attr_set_file_dir DIR "/security" rc_type_fd 1

This prevents the root user from visiting this directory.

Create a new ``rc_type_group`` for the group:

  rc_set_item TYPE 1 type_group_name "Security_Group"

Now I apply these ``rc_types`` to RC role 1:

  rc_set_item ROLE 1 def_fd_create_type 1
  rc_set_item ROLE 1 def_fd_ind_create_type 1 1
  rc_set_item ROLE 1 def_user_create_type 1
  rc_set_item ROLE 1 def_process_create_type 1
  rc_set_item ROLE 1 def_process_chown_type 1
  rc_set_item ROLE 1 def_process_execute_type 1
  rc_set_item ROLE 1 def_ipc_create_type 1
  rc_set_item ROLE 1 def_group_create_type 1
  rc_set_item ROLE 1 def_unixsock_create_type 1

**Root-user**

I do the same for the root user's directory.

  attr_set_file_dir DIR "/root" rc_type_fd 2

Extend the policy of RC role ``System Admin``:

It needs access to ``rc_type_fd 5``, which is assigned to ``/var/run``.

  rc_set_item ROLE 2 type_comp_fd 5 CLOSE CREATE DELETE GET_STATUS_DATA READ READ_WRITE_OPEN SEARCH WRITE WRITE_OPEN LOCK

==== Example for an unprivileged user ====

== User with uid 1000 ==

I create an RC role ``Jens`` and ``rc_types``, and assign them to the user with ``uid 1000``.

  rc_set_item ROLE 1000 name "Jens"
  rc_set_item TYPE 1000 type_fd_name "Jens_FD"
  rc_set_item TYPE 1000 type_fdsd_name "Jens_FDSD"
  rc_set_item TYPE 1000 type_dev_name "Jens_DEV"
  rc_set_item TYPE 1000 type_user_name "Jens_USER"
  rc_set_item TYPE 1000 type_group_name "Jens_GROUP"
  rc_set_item TYPE 1000 type_process_name "Jens_PROCESS"
  rc_set_item TYPE 1000 type_ipc_name "Jens_IPC"
  rc_set_item TYPE 1000 type_netdev_name "Jens_NETDEV"
  rc_set_item TYPE 1000 type_nettemp_name "Jens_NETTEMP"
  rc_set_item TYPE 1000 type_netobj_name "Jens_NETOBJ"
  rc_set_item ROLE 1000 def_fd_create_type 1000
  rc_set_item ROLE 1000 def_fd_ind_create_type 1000 1000
  rc_set_item ROLE 1000 def_user_create_type 1000
  rc_set_item ROLE 1000 def_process_create_type 1000
  rc_set_item ROLE 1000 def_process_chown_type 1000
  rc_set_item ROLE 1000 def_process_execute_type 1000
  rc_set_item ROLE 1000 def_ipc_create_type 1000
  rc_set_item ROLE 1000 def_group_create_type 1000
  rc_set_item ROLE 1000 def_unixsock_create_type 1000
  attr_set_user jens rc_def_role 1000
  attr_set_user jens rc_type 1000
  attr_set_file_dir DIR "/home/jens" rc_type_fd 1000

Policy for RC role ``Jens`` (1000):

  rc_set_item ROLE 1000 type_comp_fd 1000 APPEND_OPEN CHDIR CLOSE CREATE DELETE EXECUTE GET_STATUS_DATA MODIFY_ACCESS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH TRUNCATE WRITE WRITE_OPEN MAP_EXEC
  rc_set_item ROLE 1000 type_comp_user 1000 GET_STATUS_DATA SEARCH
  rc_set_item ROLE 1000 type_comp_ipc 1000 CLOSE CREATE READ WRITE
  rc_set_item ROLE 1000 type_comp_process 1000 CREATE MODIFY_SYSTEM_DATA
  rc_set_item ROLE 1000 type_comp_dev 0 CLOSE GET_PERMISSIONS_DATA GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN WRITE WRITE_OPEN IOCTL
  rc_set_item ROLE 1000 type_comp_fd 0 CHDIR CLOSE EXECUTE GET_PERMISSIONS_DATA GET_STATUS_DATA READ READ_OPEN SEARCH WRITE MAP_EXEC LOCK
  rc_set_item ROLE 1000 type_comp_ipc 0 CLOSE READ
  rc_set_item ROLE 1000 type_comp_process 0 MODIFY_SYSTEM_DATA

If this user should also be allowed to log in on a tty, the policy for RC role [[wiki:experiences/igraltist/rc/login#Local Login|``Login``]] has to be extended for RC role ``Jens`` (1000).

  rc_set_item ROLE 5 type_comp_user 1000 CHANGE_OWNER GET_STATUS_DATA SEARCH CHANGE_AUTHED_OWNER
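
The softmode workflow from the Init section (boot with the debug options, read the ``NOT_GRANTED`` lines, extend the role) can be supported by a small log summarizer. This is an added example, not part of the original page or of RSBAC: the function names, the target-to-item mapping and all sample lines after the first two are assumptions or constructed data.

```python
import re
from collections import defaultdict

# Denial line format as printed by check_comp_rc() in the Init section above.
DENIAL = re.compile(
    r"check_comp_rc\(\): pid \d+ \((?P<prog>[^)]*)\), owner \d+, "
    r"rc_role (?P<role>\d+), (?P<target>[A-Z]+) rc_type (?P<type>\d+), "
    r"request (?P<request>[A-Z_]+) -> NOT_GRANTED"
)

# Assumption: log target type -> rc_set_item compatibility item.
ITEM_FOR_TARGET = {
    "FILE": "type_comp_fd", "DIR": "type_comp_fd", "FIFO": "type_comp_fd",
    "SYMLINK": "type_comp_fd", "DEV": "type_comp_dev", "IPC": "type_comp_ipc",
    "USER": "type_comp_user", "PROCESS": "type_comp_process",
    "GROUP": "type_comp_group", "NETDEV": "type_comp_netdev",
    "NETOBJ": "type_comp_netobj",
}

# The first two lines are the ones quoted on this page; the rest are constructed.
SAMPLE_LOG = [
    "Fri May 1 13:12:47 2009 :<7>0000460885|check_comp_rc(): pid 1 (init), owner 0, rc_role 4, DIR rc_type 0, request SEARCH -> NOT_GRANTED!",
    "Fri May 1 13:12:47 2009 :<6>0000460886|rsbac_adf_request(): request SEARCH, pid 1, ppid 0, prog_name init, prog_file /sbin/init, uid 0, target_type DIR, tid Device 00:12 Inode 74 Path /dev, attr none, value none, result NOT_GRANTED (Softmode) by RC",
    "Fri May 1 13:12:48 2009 :<7>0000460901|check_comp_rc(): pid 1 (init), owner 0, rc_role 4, DIR rc_type 4, request SEARCH -> NOT_GRANTED!",
    "Fri May 1 13:12:48 2009 :<7>0000460903|check_comp_rc(): pid 1 (init), owner 0, rc_role 4, FILE rc_type 4, request APPEND_OPEN -> NOT_GRANTED!",
    "Fri May 1 13:12:49 2009 :<7>0000460910|check_comp_rc(): pid 1 (init), owner 0, rc_role 4, DIR rc_type 0, request SEARCH -> NOT_GRANTED!",
    "Fri May 1 13:20:02 2009 :<7>0000461200|check_comp_rc(): pid 2311 (bash), owner 1000, rc_role 1000, DIR rc_type 2, request SEARCH -> NOT_GRANTED!",
]

def denied_requests(log_lines):
    """Map (role, item, rc_type) -> {request: set of program names}."""
    denied = defaultdict(lambda: defaultdict(set))
    for line in log_lines:
        m = DENIAL.search(line)
        if m is None:  # rsbac_adf_request() lines carry no rc_role; skip them
            continue
        item = ITEM_FOR_TARGET.get(m["target"], "unmapped:" + m["target"])
        denied[(int(m["role"]), item, int(m["type"]))][m["request"]].add(m["prog"])
    return denied

def report(denied):
    """One review line per role/type pair, requests sorted and de-duplicated."""
    lines = []
    for (role, item, rc_type), reqs in sorted(denied.items()):
        progs = sorted({p for names in reqs.values() for p in names})
        lines.append(f"ROLE {role} {item} {rc_type}: denied "
                     f"{' '.join(sorted(reqs))} (seen from {', '.join(progs)})")
    return lines

if __name__ == "__main__":
    print("\n".join(report(denied_requests(SAMPLE_LOG))))
```

A denial is not automatically a missing right: the constructed role 1000 request on ``rc_type_fd 2`` is the ``/root`` separation working as intended, so each reported request is checked before it is merged by hand into the matching ``rc_set_item`` line.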