[rsbac] RC Boot Role

Amon Ott ao at rsbac.org
Thu Jan 26 08:46:24 CET 2006

On Mittwoch 25 Januar 2006 20:16, Chirag Pandya wrote:
> I'm trying to understand the "RC Boot Role" more carefully so that I
> can prevent root from adding/editing init scripts.
> Here is my understanding so far:
> 1.  Set /etc/init.d type to something other than 2 (System Admin). 
> Let's say I set it to type 999999
> 2.  Allow ROLE 999999 to read and run objects of type 999999
> 3.  Set ROLE 2's compatibility with type 999999 to include no 
WRITE/EDIT rights.
> 4.  Set boot_role = 1 for ROLE 999999 and boot_role = 0 for ROLE 2.
> Is this the intended use of this role?

Yes, this is a way to do it. I usually have a separate force_role 
"system init" at /etc/init.d/rc, too, to make sure that the start 
scripts do not use the boot role - this way, only kernel threads and 
init have the boot role.

http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

More information about the rsbac mailing list