wiki:experiences:igraltist:rc_old
=>  Releases

Current version
Git/Snapshot: 1.5.3
Release: 1.5.0

Latest Snapshots
Produced after each commit or rebase to new upstream version

GIT
RSBAC source code, can be unstable sometimes

=>  Events

No events planned

This is an old revision of the document!


RC Module

RC Testsetup

Prepare the System to get more verbose description what is missing on RC you should set this debug options. Append in the ``/boot/grub/menu.lst`` for the used rsbac-kernel on line ``kernel``

rsbac_softmode rsbac_nosyslog rsbac_cap_process_hiding rsbac_debug_adf_auth rsbac_debug_adf_rc rsbac_debug_adf_jail rsbac_debug_adf_um rsbac_debug_jail_log_missing_rbsac_debug_cap_log_missing 

This can enter on grubs promt too.

Default RSBAC with RC module is used this roles:

  • Gerneral_User 0
  • Role_Admin 1
  • System_Admin 2
  • Auditor 3

to run the system.

The permission for this roles are hardcoded in RSBAC code itself. Otherwise the system wont work. Bevor set any specific RC role for a service you can detach the default running ``Boot-Role``. For this you can create a Role ``Init``.

Short explanation

On a binary are always two roles, an initial- and force-role.
The initial-role is used to start a service, for this its need permission to read the necessary configurationfiles.
The force-role is used to run this service, there is usally no reason for permission to read the configurationfiles as example.

However, if a service not chown to other user, the process is running alway with the initial-role. This is surly the case for the init process. So thatswhy this setup firstly.

Init

RC role on init (optional but nice to have)

The ``init`` never change to a force role so no reason to build such one.

Now i start and do this: set a rc-role named ``Init`` as initial-role on ``/sbin/init``.

see setup: RC role for init process

rc_set_item ROpLE 4 name "Init"
attr_set_file_dir FILE "/sbin/init" rc_initial_role 4

Create two new ``rc_type_fd``

rc_set_item TYPE 4 type_fd_name "VarLog_FD"
rc_set_item TYPE 5 type_fd_name "VarRun_FD"  

Assign this to ``/var/log`` and ``/var/run``.

attr_set_file_dir DIR "/var/log" rc_type_fd 4
attr_set_file_dir DIR "/var/run" rc_type_fd 5

After reboot the system, the logfile print such:

Fri May  1 13:12:47 2009 :<7>0000460885|check_comp_rc(): pid 1 (init), owner 0, rc_role 4, DIR rc_type 0, request SEARCH -> NOT_GRANTED!
Fri May  1 13:12:47 2009 :<6>0000460886|rsbac_adf_request(): request SEARCH, pid 1, ppid 0, prog_name init, prog_file /sbin/init, uid 0, target_type DIR, tid Device 00:12 Inode 74 Path /dev, attr none, value none, result NOT_GRANTED (Softmode) by RC

Policy for role ``Init``:

rc_set_item ROLE 4 type_comp_fd 0 APPEND_OPEN CHANGE_OWNER CHDIR CLOSE CREATE DELETE EXECUTE GET_PERMISSIONS_DATA GET_STATUS_DATA LINK_HARD MODIFY_ACCESS_DATA MODIFY_PERMISSIONS_DATA MOUNT READ READ_WRITE_OPEN READ_OPEN RENAME SEARCH TRUNCATE UMOUNT WRITE WRITE_OPEN MAP_EXEC CONNECT SEND LOCK
rc_set_item ROLE 4 type_comp_fd 2 CLOSE DELETE EXECUTE GET_STATUS_DATA READ READ_WRITE_OPEN READ_OPEN
rc_set_item ROLE 4 type_comp_dev 0 ADD_TO_KERNEL CLOSE GET_PERMISSIONS_DATA GET_STATUS_DATA MODIFY_PERMISSIONS_DATA MOUNT READ READ_WRITE_OPEN READ_OPEN UMOUNT WRITE WRITE_OPEN IOCTL
rc_set_item ROLE 4 type_comp_user 0 CHANGE_OWNER GET_STATUS_DATA SEARCH
rc_set_item ROLE 4 type_comp_process 0 CREATE GET_STATUS_DATA MODIFY_SYSTEM_DATA SEND_SIGNAL
rc_set_item ROLE 4 type_comp_ipc 0 CLOSE CREATE MODIFY_SYSTEM_DATA READ WRITE LISTEN SEND NET_SHUTDOWN
rc_set_item ROLE 4 type_comp_scd 0 MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_scd 1 MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_scd 2 MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_scd 6 MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_scd 8 MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_scd 10 SHUTDOWN SWITCH_LOG
rc_set_item ROLE 4 type_comp_scd 12 MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_scd 14 MODIFY_ATTRIBUTE MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_scd 15 GET_STATUS_DATA MODIFY_SYSTEM_DATA
rc_set_item ROLE 4 type_comp_group 0 READ SEARCH
rc_set_item ROLE 4 type_comp_netdev 0 GET_STATUS_DATA MODIFY_SYSTEM_DATA BIND
rc_set_item ROLE 4 type_comp_netobj 0 CLOSE CREATE GET_STATUS_DATA MODIFY_SYSTEM_DATA BIND LISTEN CONNECT SEND RECEIVE IOCTL
rc_set_item ROLE 4 type_comp_fd 7 SEARCH

Need to send data to ``rc_type_fd 10`` which is defined as filecreate from RC role ``Syslog``.

rc_set_item ROLE 4 type_comp_fd 10 CONNECT SEND

Need access to ``rc_type_fd 4`` which assigned to ``/var/log``.

rc_set_item ROLE 4 type_comp_fd 4 APPEND_OPEN CLOSE CREATE GET_PERMISSIONS_DATA GET_STATUS_DATA SEARCH TRUNCATE WRITE WRITE_OPEN MAP_EXEC LOCK

Need access to ``rc_type_fd 5`` which assigned to ``/var/run``.

rc_set_item ROLE 4 type_comp_fd 5 CHANGE_OWNER CHDIR CLOSE CREATE GET_PERMISSIONS_DATA GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH TRUNCATE WRITE WRITE_OPEN LOCK

Private Homedirectories

Setup RC fd-types

To obtain a rigth of privacy Iam associate the rc-type with rc-role and set the rc-type-fd on users homedirectory.

My System has a security user which has ``uid`` and ``gid`` 400 and its homedirectory is situated on ``/security``.

Security-User

attr_set_file_dir DIR "/security" rc_type_fd 1

This protects for visiting the rootuser this directory. Create a new ``rc_type_group`` for group.

rc_set_item TYPE 1 type_group_name "Security_Group"

Now i apply this ``rc_types`` to RC role 1

rc_set_item ROLE 1 def_fd_create_type 1
rc_set_item ROLE 1 def_fd_ind_create_type 1 1
rc_set_item ROLE 1 def_user_create_type 1
rc_set_item ROLE 1 def_process_create_type 1
rc_set_item ROLE 1 def_process_chown_type 1
rc_set_item ROLE 1 def_process_execute_type 1
rc_set_item ROLE 1 def_ipc_create_type 1
rc_set_item ROLE 1 def_group_create_type 1
rc_set_item ROLE 1 def_unixsock_create_type 1

Root-user

The same Iam doing for the rootuser directory.

attr_set_file_dir DIR "/root" rc_type_fd 2

Extend Policy RC role ``System Admin``: Need access to ``rc_type_fd 5`` which is assigned on ``/var/run``.

rc_set_item ROLE 2 type_comp_fd 5 CLOSE CREATE DELETE GET_STATUS_DATA READ READ_WRITE_OPEN SEARCH WRITE WRITE_OPEN LOCK

Example for an unprileged user

User with uid 1000

Iam creating a RC role ``Jens`` and ``rc_types``, and assign them to the user with ``uid 1000``.

rc_set_item ROLE 1000 name "Jens"
rc_set_item TYPE 1000 type_fd_name "Jens_FD"
rc_set_item TYPE 1000 type_fdsd_name "Jens_FDSD"
rc_set_item TYPE 1000 type_dev_name "Jens_DEV"
rc_set_item TYPE 1000 type_user_name "Jens_USER"
rc_set_item TYPE 1000 type_group_name "Jens_GROUP"
rc_set_item TYPE 1000 type_process_name "Jens_PROCESS"
rc_set_item TYPE 1000 type_ipc_name "Jens_IPC"
rc_set_item TYPE 1000 type_netdev_name "Jens_NETDEV"
rc_set_item TYPE 1000 type_nettemp_name "Jens_NETTEMP"
rc_set_item TYPE 1000 type_netobj_name "Jens_NETOBJ"  
rc_set_item ROLE 1000 def_fd_create_type 1000
rc_set_item ROLE 1000 def_fd_ind_create_type 1000 1000
rc_set_item ROLE 1000 def_user_create_type 1000
rc_set_item ROLE 1000 def_process_create_type 1000
rc_set_item ROLE 1000 def_process_chown_type 1000
rc_set_item ROLE 1000 def_process_execute_type 1000
rc_set_item ROLE 1000 def_ipc_create_type 1000
rc_set_item ROLE 1000 def_group_create_type 1000
rc_set_item ROLE 1000 def_unixsock_create_type 1000
attr_set_user jens rc_def_role 1000
attr_set_user jens rc_type 1000
attr_set_file_dir DIR "/home/jens" rc_type_fd 1000

Policy for RC role ``Jens``(1000):

rc_set_item ROLE 1000 type_comp_fd 1000 APPEND_OPEN CHDIR CLOSE CREATE DELETE EXECUTE GET_STATUS_DATA MODIFY_ACCESS_DATA READ READ_WRITE_OPEN READ_OPEN SEARCH TRUNCATE WRITE WRITE_OPEN MAP_EXEC
rc_set_item ROLE 1000 type_comp_user 1000 GET_STATUS_DATA SEARCH
rc_set_item ROLE 1000 type_comp_ipc 1000 CLOSE CREATE READ WRITE
rc_set_item ROLE 1000 type_comp_process 1000 CREATE MODIFY_SYSTEM_DATA
rc_set_item ROLE 1000 type_comp_dev 0 CLOSE GET_PERMISSIONS_DATA GET_STATUS_DATA MODIFY_PERMISSIONS_DATA READ READ_WRITE_OPEN READ_OPEN WRITE WRITE_OPEN IOCTL
rc_set_item ROLE 1000 type_comp_fd 0 CHDIR CLOSE EXECUTE GET_PERMISSIONS_DATA GET_STATUS_DATA READ READ_OPEN SEARCH WRITE MAP_EXEC LOCK
rc_set_item ROLE 1000 type_comp_ipc 0 CLOSE READ
rc_set_item ROLE 1000 type_comp_process 0 MODIFY_SYSTEM_DATA

When this user should allow to login on tty also, then Policy for RC role ``Login`` have to extend for for RC role ``Jens``(1000).

rc_set_item ROLE 5 type_comp_user 1000 CHANGE_OWNER GET_STATUS_DATA SEARCH CHANGE_AUTHED_OWNER
//
wiki/experiences/igraltist/rc_old.1315762635.txt.gz · Last modified: 2011/09/11 19:37 by 127.0.0.1

wiki/experiences/igraltist/rc_old.1315762635.txt.gz · Last modified: 2011/09/11 19:37 by 127.0.0.1
This website is kindly hosted by m-privacy