[rsbac] Help for NETxxx and CAPABILITIES

Amon Ott rsbac@rsbac.org
Fri Apr 19 10:19:01 2002 

On Friday, 19. April 2002 08:44, ghorvath@minolta.hu wrote:
> But till now I am unable to do the following:
> I made a usual RC role and types for bind. From the file ACL side it works
> quite well, but I had to give permissions to GENERAL_NETOBJ and I do not
> want to do it. I didn't know how to tell Named_RC_Role to use my
> Named_NETOBJ.
>
> To summarize it my goal is to not let use any other CAPs that is necessary
> for it (just CAP_SETUID, CAP_SETGID, CAP_SYS_CHROOT,..) and restrict it to
> use only specified interfaces and of course let it only bind to 53 and 953
> ports.

First of all, set the necessary CAPs on the named binary as minimum (if 
started as non-root) or as maximum (if started as root). If you start as 
normal user, you can even get rid of SETUID and SETGID (although AUTH module 
restricts setuid that anyway).

You need to define network templates for your local bindings and, if you need 
to, for the remote clients. E.g. define local caps:
Number: 100
Name: Local53-1
Family: INET
Proto: ANY (to cover both udp and tcp)
Address: <your first bind address>
Min and Max Port: 53

Number: 101
Name: Local53-2
Family: INET
Proto: ANY (to cover both udp and tcp)
Address: <your first bind address>
Min and Max Port: 953

...and so on.

One possible remote CAP is already predefined as INET. Please note that your 
local net with other rights should be defined in a template with a lower 
number, so that the general template does not get used for it.

Now define an RC NETOBJ type, give named role rights BIND, LISTEN, 
NET_SHUTDOWN and CLOSE to it and assign it to the new local templates.

Bind role will also need CREATE on NETOBJ type 0 (to create a socket) and 
SEND, RECEIVE, ACCEPT, READ, WRITE on the remote client template's type (0 by 
default).

If no other role gets BIND on the local bind type, only named role will be 
able to serve on these ports.

> PLEASE if someone could write a short example for the above one, I could
> appreciate it. And I also think it would be great to have such an
> information among the docus. (Now the menu driven would be great but I
> used to use scripts for the tasks so perhaps those would also be useful).

All this will be documented in more detail and with examples soon. If you 
entered the templates in the menu, you can simply use the net_temp backup to 
get a script.

Amon.
--
http://www.rsbac.org