Introduction to RC

Reconfiguring the kernel

Decision module (policy) options
[] [ ] --- [] [] [] [ ] [] [ ] [] [] [] [*] [ ]	Support for Registration of decision modules (REG) Build REG sample modules ------------------------- RSBAC support for AUTH policy AUTH Policy Options ---> RSBAC support for RC policy RC Policy Options ---> RSBAC support for ACL policy ACL Policy Options ---> RSBAC support for MAC policy RSBAC support for PAX policy PAX Policy Options ---> RSBAC support for DAZuko policy RSBAC support for Linux Caps (CAP) policy CAP Policy Options ---> RSBAC support for JAIL policy JAIL Policy Options ---> RSBAC support for System Resources (RES) policy RSBAC support for FF policy FF Policy Options ---> RSBAC support for PM policy

RC Policy Options
[] [] [] [ ] [] [] [] (4) (999999)	RC protection for AUTH module RC protection for User Management RC protection for GENeral attributes Provide RC backup files RC network device protection RC network object protection RC check access to UNIX partner process RC number of process lists RC kernel process type

CAP Policy Options
[] [] [*]	Support CAP process hiding CAP protection for AUTH module Log missing capabilities in capable()

JAIL Policy Options
[] [] (4) [*]	JAIL allow to auto-adjust INET ANY (0.0.0.0) address JAIL network device protection JAIL number of process lists Log missing capabilities in capable()

FF Policy Options
[] [] [ ]	FF protection for AUTH module FF protection for User Management FF protection for GENeral attributes

Types, roles and compatibility

Before starting to configure the RC component of RSBAC it is worth describing the architecture in some detail. A thorough understanding of these concepts is vital if a secure RC solution is to be implemented.

Types

In RSBAC an RC type refers to a named class of object.

In more simple terms an RC type is a label assigned to an object, such as a file or a socket. Each object can be assigned a single RC type which is then referred to as the object's Role Compatibility Type.

RC types are administered using the rsbac_rc_type_menu application.

RC types are assigned to objects using the rsbac_fd_menu, rsbac_dev_menu, rsbac_netdev_menu and rsbac_nettemp_menu application depending on their class.

Roles

An RC role refers to a type of activity.

Roles may be created to encompass whatever kinds of activities are performed by each class of user. For example, you may create a role for General Users, a role for the Auditor and a role for System Administration. In fact these roles are so common they are included in the default configuration.

Every user has a default RC role as well as other roles used by the different RSBAC modules. The most important of these additional roles is the AUTH role which we shall be examining in more detail later.

RC roles are managed using the rsbac_rc_role_menu application.

Compatibility

Compatibility between roles and types is the interface point at which permissions are assigned.

When a Type Compatibility is added between a Role and a Type the permissions specified on that mapping become the effective permissions on that object for any user in that role.

Role Compatibility is assigned through the rsbac_rc_role_menu application by selecting the role and then using the Type Comp matrices to specify the permissions for each object class and type.

Know your role

Sometimes when working with the RC model it can be confusing as to just which role a user is currently in. This is especially true as users can use su to change user without necessarily changing role and can use rc_role_wrap to change role without changing user.

To make things easier we can add our role to the prompt by editing the system-wide shell profile located in /etc/profile and adding the following to the bottom of that file.

/etc/profile

# Prepend current RC role to prompt

rolenum=$(rc_get_current_role | awk '{ print $5 }')
role=$(rc_get_item ROLE $rolenum name)

export PS1="($role) $PS1"

If you have added the Staging/Production flag to the prompt then the above code should be inserted before that code so that the flag remains at the start of the prompt line.

This will do exactly what the comment says and prepend the current RC role to the prompt as shown below. Remember to run source /etc/profile to load the changes into your current shell.

(System Admin) lisa ~ #

We shall not show the role on the prompt unless we are demonstrating a command which will result in either a change when none was expected or no change when one would normally have been expected.