Before starting to configure the RC component of RSBAC it is worth describing the architecture in some detail. A thorough understanding of these concepts is vital if a secure RC solution is to be implemented.
In RSBAC an RC type refers to a named class of object.
In simpler terms, an RC type is a label assigned to an object, such as a file or a socket. Each object can be assigned a single RC type, which is then referred to as the object's Role Compatibility Type.
RC types are administered using the rsbac_rc_type_menu application.
RC types are assigned to objects using the rsbac_fd_menu, rsbac_dev_menu, rsbac_netdev_menu and rsbac_nettemp_menu applications, depending on the object's class.
An RC role refers to a type of activity.
Roles may be created to encompass whatever kinds of activities are performed by each class of user. For example, you may create a role for General Users, a role for the Auditor and a role for System Administration. In fact these roles are so common they are included in the default configuration.
Every user has a default RC role as well as other roles used by the different RSBAC modules. The most important of these additional roles is the AUTH role which we shall be examining in more detail later.
RC roles are managed using the rsbac_rc_role_menu application.
Compatibility between roles and types is the interface point at which permissions are assigned.
When a Type Compatibility is added between a Role and a Type the permissions specified on that mapping become the effective permissions on that object for any user in that role.
Role Compatibility is assigned through the rsbac_rc_role_menu application by selecting the role and then using the Type Comp matrices to specify the permissions for each object class and type.
When working with the RC model it is sometimes unclear which role a user is currently in. This is especially true because a user can use su to change user without necessarily changing role, and can use rc_role_wrap to change role without changing user.
To make things easier we can add our role to the prompt by editing the system-wide shell profile located in /etc/profile and adding the following to the bottom of that file.
# Prepend current RC role to prompt
rolenum=$(rc_get_current_role | awk '{ print $5 }')   # the role number is the 5th field of the output
role=$(rc_get_item ROLE "$rolenum" name)              # look up the role's name from its number
export PS1="($role) $PS1"
This will do exactly what the comment says and prepend the current RC role to the prompt as shown below. Remember to run source /etc/profile to load the changes into your current shell.
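A guarded variant of that snippet, added here as an example (not part of the original page): the prompt is only changed when the role number parses and the name lookup succeeds, so a missing tool or a failed lookup never shows a wrong role. It assumes, as the snippet above does, that the role number is the 5th whitespace-separated field of rc_get_current_role's output; the sample output string in the comments is constructed.

```shell
#!/bin/sh
# Guarded role-in-prompt for /etc/profile (added example, not from RSBAC).

# Extract the role number from the output of rc_get_current_role.
# Assumption (same as the page's snippet): the number is the 5th field.
# Fails unless that field is a plain non-negative integer.
parse_role_number() {
    num=$(printf '%s\n' "$1" | awk '{ print $5 }')
    case "$num" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$num"
}

# Resolve a role number to its name with rc_get_item, as the page does.
# Kept in its own function so it can be replaced on a non-RSBAC host.
lookup_role_name() {
    rc_get_item ROLE "$1" name 2>/dev/null
}

# Build the new prompt from the base PS1 and the captured output of
# rc_get_current_role (e.g. the constructed sample "Current role of user: 3").
# On any failure the base prompt is returned unchanged rather than a
# misleading "()" or a wrong role name.
role_prompt() {
    base_ps1=$1
    output=$2
    num=$(parse_role_number "$output") || { printf '%s' "$base_ps1"; return 0; }
    name=$(lookup_role_name "$num")    || { printf '%s' "$base_ps1"; return 0; }
    [ -n "$name" ]                     || { printf '%s' "$base_ps1"; return 0; }
    printf '(%s) %s' "$name" "$base_ps1"
}

# When sourced on an RSBAC system, apply the prefix; elsewhere leave PS1 alone.
if command -v rc_get_current_role >/dev/null 2>&1 && command -v rc_get_item >/dev/null 2>&1; then
    PS1=$(role_prompt "$PS1" "$(rc_get_current_role)")
    export PS1
fi
```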