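#!/bin/sh
#################################################
# RC Setup
#
# Version: 0.1
# Author: Jens Kasten
# Date: 05-10-2013
#
# Description: Script that sets up all RSBAC RC roles and fd types
# on a Gentoo system so the system can boot into secure mode.
# Based on a server system. More services still have to be added.
# Other modules should already be properly configured.
#
# Conventions used below:
#   - roles 0..3 are the RSBAC defaults (0 General, 1 Security,
#     2 System, 3 untouched here); 999999 is the boot role
#   - fd type numbers are assigned in order of appearance
#   - "UA" clears a role's rights on a type before new ones are set
#################################################

# Replace role $1's rights on fd type $2 with exactly the rights given
# in the remaining arguments: UA (unset all) first, then set the rights.
set_fd_comp() {
    _role=$1
    _type=$2
    shift 2
    rc_set_item ROLE "$_role" type_comp_fd "$_type" UA
    rc_set_item ROLE "$_role" type_comp_fd "$_type" "$@"
}

# Assign fd type $2 to directory $1, but only when the directory exists.
set_dir_type() {
    [ -d "$1" ] && attr_set_file_dir DIR "$1" rc_type_fd "$2"
}

# Like set_dir_type, but skip directories that are symlinks (e.g. merged
# /lib -> /usr/lib layouts), so the type is only set on the real directory.
set_real_dir_type() {
    [ -d "$1" ] && [ ! -L "$1" ] && attr_set_file_dir DIR "$1" rc_type_fd "$2"
}

# Give executable $1 the initial role $2, but only when the file exists.
set_initial_role() {
    [ -e "$1" ] && attr_set_file_dir FILE "$1" rc_initial_role "$2"
}

# Give executable $1 the forced role $2, but only when the file exists.
set_force_role() {
    [ -e "$1" ] && attr_set_file_dir FILE "$1" rc_force_role "$2"
}

#################################################
# InitRole
#################################################
# detach the boot role: create an init role as a copy of the boot
# role (rights can be reduced later)
rc_copy_role 999999 4
rc_set_item ROLE 4 name "InitRole"
# disable boot role
rc_set_item ROLE 4 boot_role 0
# set admin_type to 2
rc_set_item ROLE 4 admin_type 2
# assign role 4 to init
attr_set_file_dir FILE "/sbin/init" rc_initial_role 4

#################################################
# RootRole
#################################################
# create a role for the root user, copied from the default role
rc_copy_role 0 5
rc_set_item ROLE 5 name "RootRole"
# set the default role for the root user to RootRole
attr_set_user root rc_def_role 5

#################################################
# general fd
#################################################
# set the general fd type on /
attr_set_file_dir DIR "/" rc_type_fd 0
# General Role: unset all, then allow read requests on fd 0
set_fd_comp 0 0 R

#################################################
# Security Role
#################################################
# administrative rights plus read on the General FD
set_fd_comp 1 0 ADMIN ASSIGN ACCESS_CONTROL SUPERVISOR MODIFY_AUTH CHANGE_AUTHED_OWNER SELECT R
# read, execute on Executables; note that type 3 is created in the
# Executables section below, which sets these rights again
set_fd_comp 1 3 ADMIN ASSIGN ACCESS_CONTROL SUPERVISOR MODIFY_AUTH CHANGE_AUTHED_OWNER SELECT R EXECUTE
# assign the Security FD (type 1) to whichever security dir exists
set_dir_type "/home/admins/security" 1
set_dir_type "/security" 1
# allow the Security Role to administer roles 0..7 for editing.
# NOTE(review): roles 8..22 created further down are not listed here,
# so the Security Role cannot administer them -- confirm this is intended.
for r in 0 1 2 3 4 5 6 7; do
    rc_set_item ROLE 1 admin_roles "$r" 1
done

#################################################
# Executables
#################################################
# create the executables fd type as a copy of the General FD
rc_copy_type FD 0 3
rc_set_item TYPE 3 type_fd_name "Executables"
# allow General Role to execute on this fd
set_fd_comp 0 3 R EXECUTE MAP_EXEC
# allow RootRole to execute
set_fd_comp 5 3 R EXECUTE MAP_EXEC
# allow Security Role
set_fd_comp 1 3 R MAP_EXEC EXECUTE ADMIN ASSIGN ACCESS_CONTROL SUPERVISOR MODIFY_AUTH CHANGE_AUTHED_OWNER SELECT
# assign the executables type to the binary directories
attr_set_file_dir DIR "/bin" rc_type_fd 3
attr_set_file_dir DIR "/usr/bin" rc_type_fd 3
attr_set_file_dir DIR "/usr/local/bin" rc_type_fd 3

#################################################
# Libraries
#################################################
rc_set_item TYPE 4 type_fd_name "Libraries"
# assign to the library directories, skipping symlinked ones
for d in /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /usr/local/lib64; do
    set_real_dir_type "$d" 4
done
# /var/lib is deliberately not typed as Libraries at the moment
#attr_set_file_dir DIR "/var/lib" rc_type_fd 4
# allow General, Root, Security, System and Init Roles to read and map
for r in 0 5 1 2 4; do
    set_fd_comp "$r" 4 R MAP_EXEC
done

#################################################
# SysExecutables
#################################################
# create the system executables fd type as a copy of type 2
rc_copy_type FD 2 5
rc_set_item TYPE 5 type_fd_name "SysExecutables"
# assign to the sbin directories
attr_set_file_dir DIR "/sbin" rc_type_fd 5
attr_set_file_dir DIR "/usr/sbin" rc_type_fd 5
attr_set_file_dir DIR "/usr/local/sbin" rc_type_fd 5
# allow Root Role to execute and map
set_fd_comp 5 5 R EXECUTE MAP_EXEC
# allow Security Role to execute, map and administer
set_fd_comp 1 5 R EXECUTE MAP_EXEC ADMIN ASSIGN ACCESS_CONTROL SUPERVISOR MODIFY_AUTH CHANGE_AUTHED_OWNER SELECT

#################################################
# InitScripts
#################################################
# create the fd type for /etc/init.d as a copy of SysExecutables
rc_copy_type FD 5 6
rc_set_item TYPE 6 type_fd_name "InitScripts"
attr_set_file_dir DIR "/etc/init.d" rc_type_fd 6
# RootRole may execute init scripts but not MAP_EXEC them
set_fd_comp 5 6 R EXECUTE

#################################################
# Configs
#################################################
# create the fd type for /etc
rc_set_item TYPE 7 type_fd_name "Configs"
attr_set_file_dir DIR "/etc" rc_type_fd 7
# General Role may only search /etc
set_fd_comp 0 7 SEARCH
# Security, System, Init and Root Roles may read
for r in 1 2 4 5; do
    set_fd_comp "$r" 7 R
done

#################################################
# General User Configs
#################################################
# fd type for the files under /etc every role needs to read
rc_set_item TYPE 8 type_fd_name "ConfigsUser"
# grant read to roles 0..5 (no UA here: rights are added, not replaced)
for r in 0 1 2 3 4 5; do
    rc_set_item ROLE "$r" type_comp_fd 8 R
done
# assign to the individual files and dirs
attr_set_file_dir FILE "/etc/localtime" rc_type_fd 8
attr_set_file_dir FILE "/etc/inputrc" rc_type_fd 8
attr_set_file_dir DIR "/etc/terminfo" rc_type_fd 8
attr_set_file_dir DIR "/etc/bash" rc_type_fd 8
attr_set_file_dir FILE "/etc/DIR_COLORS" rc_type_fd 8
attr_set_file_dir FILE "/etc/ld.so.cache" rc_type_fd 8
attr_set_file_dir FILE "/etc/profile.env" rc_type_fd 8
attr_set_file_dir FILE "/etc/profile" rc_type_fd 8
attr_set_file_dir FILE "/etc/nsswitch.conf" rc_type_fd 8
attr_set_file_dir FILE "/etc/passwd" rc_type_fd 8

#################################################
# Tmp fd
#################################################
# separate fd type so the General FD does not get too much power
rc_set_item TYPE 9 type_fd_name "TempDirs"
# assign to the temp redirect dir if present.
# NOTE(review): the original tested "/tmpdir" but typed "/tmpdirs";
# both now use "/tmpdirs" -- confirm which path is intended.
set_dir_type "/tmpdirs" 9
# assign to /tmp if temp redirect is not used (skip if it is a symlink)
set_real_dir_type "/tmp" 9
# allow General, Security and Root Roles to read and write
for r in 0 1 5; do
    set_fd_comp "$r" 9 RW
done

#################################################
# HomeDir
#################################################
# split /home into different fd types:
# /home/admins for admin users and /home/users for general users
rc_set_item TYPE 10 type_fd_name "Home"
attr_set_file_dir DIR "/home" rc_type_fd 10
# allow Security Role and General Role to read
set_fd_comp 1 10 R
set_fd_comp 0 10 R
# fd type for admin homes
rc_set_item TYPE 11 type_fd_name "HomeAdmin"
set_dir_type "/home/admins" 11
# allow Security Role to read and write
set_fd_comp 1 11 RW
# fd type for general user homes
rc_set_item TYPE 12 type_fd_name "HomeUser"
set_dir_type "/home/users" 12
# allow General Role to read and write
set_fd_comp 0 12 RW

#################################################
# VarDir
#################################################
# split /var into different fd types
rc_set_item TYPE 13 type_fd_name "Var"
attr_set_file_dir DIR "/var" rc_type_fd 13
# allow Security, System, Init, Root, Login and SSHD Roles to read /var
for r in 1 2 4 5 6 7; do
    set_fd_comp "$r" 13 R
done
# the following fd types should work on most linux distributions
rc_set_item TYPE 14 type_fd_name "VarCache"
attr_set_file_dir DIR "/var/cache" rc_type_fd 14
rc_set_item TYPE 15 type_fd_name "VarLib"
attr_set_file_dir DIR "/var/lib" rc_type_fd 15
rc_set_item TYPE 16 type_fd_name "VarSpool"
attr_set_file_dir DIR "/var/spool" rc_type_fd 16
rc_set_item TYPE 17 type_fd_name "VarSpoolMail"
attr_set_file_dir DIR "/var/spool/mail" rc_type_fd 17
# allow the user roles (General, Security, Root) read/write on the mail spool.
# NOTE(review): this covers the whole spool directory for the General Role --
# confirm that per-mailbox access is restricted elsewhere.
for r in 0 1 5; do
    set_fd_comp "$r" 17 RW
done
rc_set_item TYPE 18 type_fd_name "VarSpoolCron"
attr_set_file_dir DIR "/var/spool/cron" rc_type_fd 18
# allow the Root Role read/write on the cron spool
set_fd_comp 5 18 RW
rc_set_item TYPE 19 type_fd_name "VarLog"
attr_set_file_dir DIR "/var/log" rc_type_fd 19
# allow the System Role to write logs
set_fd_comp 2 19 W
# allow the Root Role to read logs (needed for e.g. tail -f /var/log/messages)
set_fd_comp 5 19 R
# fd type for the postfix spool
rc_set_item TYPE 20 type_fd_name "VarSpoolPostfix"
set_dir_type "/var/spool/postfix" 20
# fd type for /var/run; on gentoo it is now a symlink to /run,
# the /var/run assignment is kept for backward compatibility
rc_set_item TYPE 21 type_fd_name "VarRun"
[ ! -L "/var/run" ] && attr_set_file_dir DIR "/var/run" rc_type_fd 21
attr_set_file_dir DIR "/run" rc_type_fd 21
# allow the Security Role to read /run || /var/run
set_fd_comp 1 21 R

#################################################
# Dirs
#################################################
# fd type intended for /dev, /proc, /sys (not assigned to any dir yet)
rc_set_item TYPE 22 type_fd_name "Sys"

#################################################
# Login Role
#################################################
rc_copy_role 0 6
rc_set_item ROLE 6 name "LoginRole"
attr_set_file_dir FILE "/bin/login" rc_initial_role 6
# force role: inherit from the user
attr_set_file_dir FILE "/bin/login" rc_force_role 4294967295

#################################################
# Sshd Role
#################################################
rc_copy_role 0 7
rc_set_item ROLE 7 name "SshdRole"
# read /etc = fd 7
set_fd_comp 7 7 R
attr_set_file_dir FILE "/usr/sbin/sshd" rc_initial_role 7
attr_set_file_dir FILE "/usr/sbin/sshd" rc_force_role 4294967295
# allow the role to write to /var/log = fd 19
set_fd_comp 7 19 RW
# allow the role to read, write /run || /var/run = fd 21
set_fd_comp 7 21 RW
# allow the role to read /usr/sbin = fd 5
set_fd_comp 7 5 R

#################################################
# Syslog Role
#################################################
# logging role; syslog-ng does not switch to an unprivileged user,
# so no force role is needed
rc_copy_role 0 8
rc_set_item ROLE 8 name "SyslogRole"
attr_set_file_dir FILE "/usr/sbin/syslog-ng" rc_initial_role 8
# allow SyslogRole to write on /var/log = fd 19
set_fd_comp 8 19 W CLOSE SEARCH GET_STATUS_DATA

#################################################
# Cron Role
#################################################
rc_copy_role 0 9
rc_set_item ROLE 9 name "CronRole"
attr_set_file_dir FILE "/usr/sbin/cron" rc_initial_role 9

#################################################
# Named Role
#################################################
# named drops to user named, so an initial and a forced role are needed
rc_copy_role 0 10
rc_copy_role 0 11
rc_set_item ROLE 10 name "NamedRole_I"
rc_set_item ROLE 11 name "NamedRole_F"
set_initial_role "/usr/sbin/named" 10
set_force_role "/usr/sbin/named" 11
# allow the forced role write access to /var/log = fd 19 (GET_STATUS_DATA optional)
set_fd_comp 11 19 W GET_STATUS_DATA

#################################################
# Squid Role
#################################################
# squid drops to an unprivileged user, so two roles are needed
rc_copy_role 0 12
rc_copy_role 0 13
rc_set_item ROLE 12 name "SquidRole_I"
rc_set_item ROLE 13 name "SquidRole_F"
set_initial_role "/usr/sbin/squid" 12
set_force_role "/usr/sbin/squid" 13
# allow the forced role read/write access to /var/cache = fd 14
set_fd_comp 13 14 RW

#################################################
# Vnstat Role
#################################################
# vnstatd drops to an unprivileged user, so two roles are needed
rc_copy_role 0 14
rc_copy_role 0 15
rc_set_item ROLE 14 name "VnstatdRole_I"
rc_set_item ROLE 15 name "VnstatdRole_F"
set_initial_role "/usr/bin/vnstatd" 14
set_force_role "/usr/bin/vnstatd" 15
# allow the initial role to read /etc = fd 7
set_fd_comp 14 7 R
# allow the initial role to read, write /var/lib = fd 15
set_fd_comp 14 15 RW

#################################################
# Rklog Role
#################################################
# only relevant when rklogd is in use; these roles are named but not
# copied from role 0 (as in the original script)
rc_set_item ROLE 16 name "RklogdRole_I"
rc_set_item ROLE 17 name "RklogdRole_F"
set_initial_role "/usr/sbin/rklogd" 16
set_force_role "/usr/sbin/rklogd" 17
# allow the forced role to write on the security dir = fd 1
set_fd_comp 17 1 W
# read /etc = fd 7 and the user configs = fd 8
set_fd_comp 17 7 R
set_fd_comp 17 8 R
# allow GET_STATUS_DATA on scd type 9 (rsbac_log)
rc_set_item ROLE 17 type_comp_scd 9 UA
rc_set_item ROLE 17 type_comp_scd 9 GET_STATUS_DATA
# optional search rights on fd 0
set_fd_comp 17 0 SEARCH

#################################################
# Mail Role
#################################################
# roles for postfix
rc_set_item ROLE 18 name "MailRole_I"
rc_set_item ROLE 19 name "MailRole_F"
set_initial_role "/usr/sbin/postfix" 18
set_force_role "/usr/sbin/postfix" 19
# on gentoo also set these roles on the executables in /usr/libexec/postfix
# (glob instead of parsing ls output, so odd file names are handled)
if [ -d "/usr/libexec/postfix" ]; then
    for f in /usr/libexec/postfix/*; do
        if [ -x "$f" ]; then
            attr_set_file_dir FILE "$f" rc_initial_role 18
            attr_set_file_dir FILE "$f" rc_force_role 19
        fi
    done
fi
# allow the forced role read/write access to /var/spool/postfix = fd 20
set_fd_comp 19 20 RW

#################################################
# Nfs Role
#################################################
rc_set_item ROLE 20 name "NfsRole"
# (the original tested "/sbin/rcpbind", a typo for rpcbind)
set_initial_role "/sbin/rpcbind" 20
set_initial_role "/sbin/rpc.statd" 20
set_initial_role "/usr/sbin/rpc.idmapd" 20
set_initial_role "/usr/sbin/rpc.mountd" 20
set_initial_role "/usr/sbin/rpc.nfsd" 20

#################################################
# Clamd Role
#################################################
# when using clamd with dazuko no force role is used
rc_copy_role 0 21
rc_set_item ROLE 21 name "ClamdRole"
set_initial_role "/usr/sbin/clamd" 21
# allow read on /var/lib = fd 15
set_fd_comp 21 15 R
# allow write to /var/log = fd 19 (search and get-status optional)
set_fd_comp 21 19 W SEARCH GET_STATUS_DATA
# allow read on the security fd 1
# (a better solution is to use syslog-ng for rsbac logging)
set_fd_comp 21 1 R

#################################################
# FreshClam Role
#################################################
rc_set_item ROLE 22 name "FreshclamRole"
set_initial_role "/usr/bin/freshclam" 22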