
Base Protection

The parts of the RSBAC and RC access control setup that apply to all types of systems are called Base Protection. Objects to be protected include the basic directory structure, executables, libraries, configuration files, kernel objects and boot loaders, raw devices, account and authentication data, log files, home directories, etc.

Generally, one RC type is defined for each of these object categories and assigned to the individual objects, and all existing roles get appropriate type compatibility settings for these types.

As an example, the type Executables is assigned to the directories /bin and /usr/bin, which contain executable files. All of these files then inherit the effective type Executables. As soon as the type compatibilities of all roles to this type are set accordingly, executables are fully protected. Furthermore, after setting all desired executables to this type, one can safely remove the execute right for all other types and thus prevent any execution of unprotected and possibly malicious files.
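
The type inheritance and execute lock-down described above, modelled in Python as an added example (it is not RSBAC code and not part of the original text). The role names User and Admin, the types General and Home, the simplified rights and the sample paths are assumptions made for illustration.

```python
import posixpath

# Constructed sample policy (not from a real system). Only these objects carry
# an explicit RC type; everything below them inherits it.
TYPE_OF = {"/": "General", "/bin": "Executables",
           "/usr/bin": "Executables", "/home": "Home"}

# Role -> type -> rights: the type compatibility settings (simplified rights).
COMPAT = {
    "User":  {"General": {"READ", "EXECUTE"},
              "Executables": {"READ", "EXECUTE"},
              "Home": {"READ", "WRITE", "EXECUTE"}},
    "Admin": {"General": {"READ", "WRITE", "EXECUTE"},
              "Executables": {"READ", "WRITE", "EXECUTE"},
              "Home": {"READ"}},
}

def effective_type(path, type_of=TYPE_OF):
    """Return the type of the nearest ancestor with an explicit assignment."""
    path = posixpath.normpath(path)
    while path not in type_of:
        parent = posixpath.dirname(path)
        if parent == path:  # reached the top without finding a type
            raise KeyError("no RC type assigned on the way to the root")
        path = parent
    return type_of[path]

def may(role, right, path, compat):
    """Access decision: is `right` in the role's compatibility to the type?"""
    return right in compat[role].get(effective_type(path), set())

def lock_down_execute(compat, protected="Executables"):
    """Return a copy of compat with EXECUTE removed for all other types."""
    return {role: {t: set(r) if t == protected else set(r) - {"EXECUTE"}
                   for t, r in types.items()}
            for role, types in compat.items()}

def write_and_execute(compat):
    """Audit: (role, type) pairs where a role can both write and execute."""
    return sorted((role, t) for role, types in compat.items()
                  for t, r in types.items() if {"WRITE", "EXECUTE"} <= r)

if __name__ == "__main__":
    hardened = lock_down_execute(COMPAT)
    for p in ("/bin/ls", "/home/alice/dropper", "/tmp/x"):
        print(p, effective_type(p), may("User", "EXECUTE", p, hardened))
    print("write+execute before:", write_and_execute(COMPAT))
    print("write+execute after: ", write_and_execute(hardened))
```

After the lock-down, the only remaining write-and-execute pair in this model is the Admin role on Executables, which is the role that maintains the protected binaries.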

Amon Ott