[[wiki:experiences/igraltist/run-jail#syntax_for_jail_configuration_file|Back to igraltist's run-jail]]

First enable jail debugging, if it not done already.

As security user open a second terminal and execut:
<code bash>
echo debug_adf_jail 1 > /proc/rsbac-info/debug
</code>

Then visit the log message via proc
<code bash>
cat /proc/rsbac-info/rmsg
</code>
or from the log daemon:
<code bash>
tail -f /security/log/security-log
</code>





===== Prepar dhcpd daemon init script =====
On this stage all files are install. This approach can use on most services too. I use the dhcpd to perform it.

  * Prepare the init script
  * Search for start routine, it could similar to this, depends on your distribution
<code bash>
     start-stop-daemon --start --exec /usr/sbin/dhcpd \
        --pidfile "${DHCPD_CHROOT}/${pidfile}" \
        -- ${DHCPD_OPTS} -q -pf "${pidfile}" \
        -user dhcp -group dhcp \
        ${DHCPD_CHROOT:+-chroot} ${DHCPD_CHROOT} ${DHCPD_IFACE}

</code>
  * Insert into front run-jail pdnsd
<code bash>
     run-jail dhcpd start-stop-daemon --start --exec /usr/sbin/dhcpd \
        --pidfile "${DHCPD_CHROOT}/${pidfile}" \
        -- ${DHCPD_OPTS} -q -pf "${pidfile}" \
        -user dhcp -group dhcp \
        ${DHCPD_CHROOT:+-chroot} ${DHCPD_CHROOT} ${DHCPD_IFACE}
</code>

From now on the command below start the daemon in a jail.
<code bash>
/etc/init.d/dhcpd start
</code>














===== Prepar dhcpd jail configuration file =====
The jail configuration directory is '/etc/rsbac/jail'.\\
Rename the dhcpd configuration file and start with an empty file.
<code bash>
mv /etc/rsbac/jail/dhcpd /etc/rsbac/jail/dhcpd_orgin
</code>

Create an empty jail configuration file:
<code bash>
create-jail -c dhcpd
</code>

Open the new file /etc/rsbac/jail/dhcpd with an editor.
<code bash>
;
; RSBAC JAIL definition for dhcpd
; 2012-13-05
;
; test by: Jens Kasten
; run on: Gentoo Base System (2.0.3)
;

""
"0.0.0.0"
()
()
()
()
</code>

Open a new terminal to observe the log messages.\\
Now stop and start the daemon and watch the log messages.

A few stop and start with the daemon init script are nessesary to obtain all values.
After examine the messages, in your before opened terminal, the dhcpd jail configuration file can look like:
<code bash>
;
; RSBAC JAIL definition for dhcpd 
; 2011-16-11
;
; test by: Jens Kasten
; run on: debian (6.0.3)
;

""
"0.0.0.0"
(allow-dev-write
 allow-dev-read
 allow-external-ipc
 allow-all-net-family
 allow-inet-raw)
(net-bind-service
 net-raw
 sys-chroot
 dac-override
 chown
 setgid 
 setuid)
()
()
</code>

To check the jail use:
<code bash>
ps-jail -p dhcpd
</code>

The output should similar:
<code bash>
|Jail ID: 284| Program: dhcpd| PID: 7309| Jail IP: 0.0.0.0
|Jail Flags: allow-external-ipc, allow-dev-read, allow-inet-raw, allow-all-net-family, allow-dev-write
|Jail Max Caps: setuid, dac-override, net-bind-service, chown, net-raw, setgid, sys-chroot
</code>






































===== Interprate log messages =====
__
Jail Flags__
<code bash>
1. Wed Jan 12 18:06:34 2011 :<6>0000000288|rsbac_adf_request(): request READ_OPEN, pid 8143, ppid 1, prog_name apcupsd, prog_file /sbin/apcupsd, uid 0, target_type DEV, tid char 05:01, attr open_flag, value 33025, result NOT_GRANTED by JAIL
2. Tue Jan 11 15:52:50 2011 :<6>0000000235|rsbac_adf_request(): request WRITE_OPEN, pid 16112, ppid 16111, prog_name dhcpd, prog_file /usr/sbin/dhcpd, uid 0, remote ip 192.168.1.5, target_type DEV, tid char 01:03, attr open_flag, value 32770, result NOT_GRANTED by JAIL
3. Tue Jan 11 15:52:50 2011 :<7>0000000236|rsbac_adf_request_jail(): process jail 40 does not match partner process jail 32, parent jail is 0 -> NOT_GRANTED!
4. Tue Jan 11 15:52:50 2011 :<6>0000000238|rsbac_adf_request(): request CREATE, pid 16112, ppid 16111, prog_name dhcpd, prog_file /usr/sbin/dhcpd, uid 0, remote ip 192.168.1.5, target_type NETOBJ, tid ffff88021a54ad80 INET RAW proto ICMP local 0.0.0.0:1 remote 0.0.0.0:0, attr sock_type, value RAW, result NOT_GRANTED by JAIL
5. Tue Jan 11 16:07:08 2011 :<6>0000000244|rsbac_adf_request(): request CREATE, pid 16620, ppid 16619, prog_name dhcpd, prog_file /usr/sbin/dhcpd, uid 0, remote ip 192.168.1.5, target_type NETOBJ, tid ffff88021fbcd680 PACKET PACKET, attr sock_type, value PACKET, result NOT_GRANTED by JAIL
6. Wed Jan 12 17:14:26 2011 :<7>0000000266|rsbac_adf_request_jail(): network family is NETLINK and neither allow_netlink nor allow_all_net_family is set -> NOT_GRANTED!
7. Thu Jan 13 07:10:27 2011 :<7>0000000580|jail_check_ip(): local_addr does not match jail_ip -> NOT_GRANTED!
8. Thu Jan 13 07:10:27 2011 :<6>0000000581|rsbac_adf_request(): request BIND, pid 22214, ppid 1, prog_name portmap, prog_file /sbin/portmap, uid 0, remote ip 192.168.1.5, target_type NETOBJ, tid ffff880189d8e6c0 INET DGRAM proto UDP local 0.0.0.0:766 remote 0.0.0.0:0, attr sock_type, value DGRAM, result NOT_GRANTED by JAIL
9. Thu Jan 13 07:10:27 2011 :<6>0000000585|rsbac_adf_request(): request BIND, pid 22214, ppid 1, prog_name portmap, prog_file /sbin/portmap, uid 0, remote ip 192.168.1.5, target_type NETOBJ, tid ffff880189d8e900 INET STREAM proto TCP local 0.0.0.0:767 remote 0.0.0.0:0, attr sock_type, value STREAM, result NOT_GRANTED by JAIL
10. Sun Jan 16 14:15:10 2011 :<6>0000000855|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 8436, ppid 1, prog_name debian, prog_file /usr/bin/qemu-system-x86_64, uid 0, remote ip 192.168.1.5, target_type DEV, tid block 253:18, attr ioctl_cmd, value 2149581316, result NOT_GRANTED by JAIL
11. Thu Jun 30 08:12:32 2011 :<7>0000000142|rsbac_adf_request_jail(): process jail 4 does not match IPC object jail 9 -> NOT_GRANTED!
Thu Jun 30 08:12:32 2011 :<6>0000000143|rsbac_adf_request(): request RECEIVE, pid 5125, ppid 5124, prog_name syslog-ng, prog_file /usr/sbin/syslog-ng, uid 0, target_type IPC, tid AnonUnix-ID 10959, attr process, value 7075(ntpd,parent=1(init)), result NOT_GRANTED by JAIL
</code>
\\
^Point^Request^Target type^Identifier^Paramater to grant^RSBAC^
|1.|READ_OPEN|DEV|attr open_flag|allow-dev-read|-d|
|2.|WRITE_OPEN|DEV|attr open_flag|allow-dev-write|-D| 
|3.|-|-|does not match partner process jail|allow-external-ipc|-i|
|4.|CREATE|NETOBJ|attr sock_type, value RAW|DEVallow-inet-raw|-r|
|5.|CREATE|NETOBJ|attr sock_type, value PACKET|allow-all-net-family|-n|
|6.|-|-|network family is NETLINK and neither allow_netlink nor allow_all_net_family is set|allow-netlink|-K|
|7.|-|-|local_addr does not match jail_ip|auto-adjust-ip-address|-a|
|8.-9.|||is depend on point 6. and is this allow the this disappers|-|-|
|10.|MODIFY_SYSTEM_DATA|DEV|attr ioctl_cmd|allow-dev-mod-system|-E|
|11.|RECEIVE|IPC|attr process|allow-external-ipc|-P|
\\
__
Jail Capabilities__
<code bash>
1. Tue Jan 11 15:52:50 2011 :<6>0000000237|rsbac_adf_request(): request CONNECT, pid 16112, ppid 16111, prog_name dhcpd, prog_file /usr/sbin/dhcpd, uid 0, remote ip 192.168.1.5, target_type UNIXSOCK, tid Device 00:05 Inode 20741 Path /dev/log, attr process, value 14437(rsyslogd,parent=1(init)), result NOT_GRANTED by JAIL
2. Tue Jan 11 15:56:19 2011 :<7>0000000240|capable(): pid 16229(dhcpd), uid 0: missing jail_max_cap SYS_CHROOT!
3. Tue Jan 11 16:02:24 2011 :<7>0000000242|capable(): pid 16386(dhcpd), uid 0: missing jail_max_cap DAC_OVERRIDE!
4. Tue Jan 11 16:04:40 2011 :<7>0000000243|capable(): pid 16511(dhcpd), uid 0: missing jail_max_cap CHOWN!
5. Wed Jan 12 16:26:51 2011 :<7>0000000261|capable(): pid 24423(dhcpd), uid 0: missing jail_max_cap NET_BIND_SERVICE!
6. Wed Jan 12 16:28:38 2011 :<7>0000000262|capable(): pid 24540(dhcpd), uid 0: missing jail_max_cap SETGID!
7. Wed Jan 12 16:30:21 2011 :<7>0000000263|capable(): pid 24666(dhcpd), uid 0: missing jail_max_cap SETUID!
8. Thu Jan 13 08:36:30 2011 :<7>0000000691|capable(): pid 17897(master), uid 0: missing jail_max_cap KILL!
9. Sun Jan 16 11:44:57 2011 :<7>0000000799|capable(): pid 5301(debian), uid 0: missing jail_max_cap 
DAC_READ_SEAR
10. Sun Jan 16 11:46:57 2011 :<7>0000000800|capable(): pid 5373(debian), uid 0: missing jail_max_cap NET_ADMIN!
</code>
\\
^Point^Request^Target or Identifier^Paramater to grant^RSBAC^
|1.|CONNECT|target UNIXSOCK, attr PROCESS|net-raw|NET_RAW|
|2.|SYS_CHROOT|missing jail_max_cap|sys-chroot|SYS_CHROOT|
|3.|DAC_OVERRIDE|missing jail_max_cap|dac-override|DAC_OVERRIDE|
|4.|CHOWN|missing jail_max_cap|chown|CHOWN|
|5.|NET_BIND_SERVICE|missing jail_max_cap|net-bind-service|NET_BIND_SERVICE|
|6.|SETGID|missing jail_max_cap|setgid|SETGID|
|7.|SETUID|missing jail_max_cap|setuid|SETUID|
|8.|KILL|missing jail_max_cap|kill|KILL|
|9.|DAC_READ_SEARCH|missing jail_max_cap|dac-read-search|DAC_OVERRIDE|
|10.|NET_ADMIN|missing jail max_cap|net-admin|NET_ADMIN|
\\
__Jaill SCD READ__
<code bash>
1. Wed Jan 12 17:58:47 2011 :<6>0000000284|rsbac_adf_request(): request GET_STATUS_DATA, pid 32316, ppid 1, prog_name rklogd, prog_file /usr/local/sbin/rklogd, uid 400, remote ip 192.168.1.5, target_type SCD, tid rsbac_log, attr none, value none, result NOT_GRANTED by JAIL
</code> 
\\
^Point^Request^Target type^Identifier^Paramater to grant^RSBAC^
|1.|GET_STATUS_DATA|SCD|rsbac_log|rsbac-log|rsbac_log|
\\
__Jail SCD Modify__
<code bash>
1. Thu Jan 13 06:53:01 2011 :<6>0000000555|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 21351, ppid 1, prog_name ntpd, prog_file /usr/sbin/ntpd, uid 0, remote ip 192.168.1.5, target_type SCD, tid time_strucs, attr none, value none, result NOT_GRANTED by JAIL
2. Thu Jan 13 06:53:02 2011 :<6>0000000579|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 21351, ppid 1, prog_name ntpd, prog_file /usr/sbin/ntpd, uid 123, remote ip 192.168.1.5, target_type SCD, tid capability, attr none, value none, result NOT_GRANTED by JAIL
3. Thu Jan 13 08:33:05 2011 :<6>0000000689|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 17313, ppid 1, prog_name master, prog_file /usr/lib64/postfix/master, uid 0, remote ip 192.168.1.5, target_type SCD, tid rlimit, attr rlimit, value 7:1024:1024, result NOT_GRANTED by JAIL
4. Sat Jan 15 17:30:30 2011 :<6>0000000108|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 8498, ppid 1, prog_name ntpd, prog_file /usr/sbin/ntpd, uid 123, target_type SCD, tid clock, attr none, value none, result NOT_GRANTED by JAIL
</code>
\\
^Point^Request^Target or Identifier^Paramater to grant^RSBAC^
|1.|MODIFY_SYSTEM_DATA|target SCD, tid time_strucs|time-strucs|TIME_STRUCS|
|2.|MODIFY_SYSTEM_DATA|target SCD, tid capability|capability|CAPABILITY|
|3.|MODIFY_SYSTEM_DATA|target SCD, tid rlimit|rlimit|RLIMIT|
|4.|MODIFY_SYSTEM_DATA|target SCD, tid clock|clock|CLOCK|