
This is an old revision of the document!



RC Module

Short explanation

By default, RSBAC with the RC module uses these roles to run the system:

  • General_User 0
  • Role_Admin 1
  • System_Admin 2
  • Auditor 3

The permissions for these roles are hardcoded in the RSBAC code itself; otherwise the system won't work. Before setting any specific RC role for a service, you can detach the default running ``Boot-Role``. For this you can create a role ``Init``.

A binary always has two roles: an initial role and a force role.
The initial role is used to start a service, so it needs permission to read the necessary configuration files.
The force role is used to run the service; there is usually no reason for it to have permission to read the configuration files, for example.

However, if a service does not chown to another user, the process always runs with the initial role. This is certainly the case for the init process, which is why this setup comes first.

Init

RC role for init process

``init`` never changes to a force role, so there is no reason to build one.

Save this as a shell script.

#!/bin/sh
# init detached BOOT_ROLE 999999
TYPE=100
ROLE=100
FILE="/sbin/init"
NAME="Init"

# create role
rc_set_item ROLE ${ROLE} name "${NAME}"

# name type ${TYPE} for each target kind
rc_set_item TYPE ${TYPE} type_netdev_name "${NAME}_NETDEV"
rc_set_item TYPE ${TYPE} type_nettemp_name "${NAME}_NETTEMP"
rc_set_item TYPE ${TYPE} type_netobj_name "${NAME}_NETOBJ"
rc_set_item TYPE ${TYPE} type_user_name "${NAME}_User"
rc_set_item TYPE ${TYPE} type_group_name "${NAME}_Group"
rc_set_item TYPE ${TYPE} type_ipc_name "${NAME}_IPC"
rc_set_item TYPE ${TYPE} type_process_name "${NAME}_Process"
rc_set_item TYPE ${TYPE} type_fd_name "${NAME}_FD"

# default types given to whatever this role creates, chowns or executes
rc_set_item ROLE ${ROLE} def_user_create_type ${TYPE}
rc_set_item ROLE ${ROLE} def_process_create_type ${TYPE}
rc_set_item ROLE ${ROLE} def_process_chown_type ${TYPE}
rc_set_item ROLE ${ROLE} def_process_execute_type ${TYPE}
rc_set_item ROLE ${ROLE} def_ipc_create_type ${TYPE}
rc_set_item ROLE ${ROLE} def_group_create_type ${TYPE}
rc_set_item ROLE ${ROLE} def_fd_create_type ${TYPE}
rc_set_item ROLE ${ROLE} def_fd_ind_create_type ${TYPE} ${TYPE}
rc_set_item ROLE ${ROLE} def_unixsock_create_type ${TYPE}

# assign init role to file
attr_set_file_dir FILE "${FILE}" rc_initial_role ${ROLE}

Toplevel Directories

Create an RC policy from scratch

Test Setup for using the RC Module.

This setup is now deprecated (25.02.2010)

It can be generated with

rc_get_item  -v -p htmlprint > rc_03.05.2009.html

A nice overview

Testing RC setup
wiki/experiences/igraltist/rc.1342989886.txt.gz · Last modified: 2012/07/22 22:44 by 127.0.0.1
