The RSBAC reference manual

Amon Ott

Stanislav Ievlev

Heinrich W. Klöpping

Audience: This book is intended for use by experienced and skilled Unix professionals that wish to install, configure and use RSBAC.

Approach: This book resulted from a project founded on June 28th, 2002 by Amon Ott, Stanislav Ievlev and Henk Klöpping. We aimed at providing a reference manual for users of Rule Set Based Access control (RSBAC), in which every command or configuration item has been listed and explained. This book will be accompanied by four other books: The RSBAC cookbook, The RSBAC programmers cookbook, The RSBAC programmers reference manual and The RSBAC introduction.

To learn where the latest version of this book can be downloaded or read please refer to Section 6.2 in The RSBAC introduction.

Sources: Our sources of information were (Open Source) material on the Internet, several books, practical experience of the authors and others and research and programming work done by the authors. We try to give credit where due, but are fallible. We apologize.


While every precaution was made in the preparation of this book, we can assume no responsibility for errors or omissions. When you feel we have not given you proper credit or feel we may have violated your rights or when you have suggestions how we may improve our work please notify us immediately so we can take corrective actions.

Organization of this book: This book has been organised in four parts:

  1. part I - RSBAC theory

  2. part II - RSBAC manual pages

  3. part III - TBW

  4. part IV - TBW

This book was written using the DocBook V3.1/SGML documentation standard.

Copyright © 2003 Amon Ott, Stanislav Ievlev, Henk Klöpping. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".



And I said, "You can stop if you want with the Z
Because most people stop with the Z - but not me!
In the places that I go there are things that I see
That I never could spell if I stopped with the Z.
I'm telling you this because you're one of my friends
My alphabet starts where your alphabet ends!

You'll be sort of surprised what there is to be found
Once you go beyond Z and start poking around"

--Dr Seuss On Beyond Zebra 

Table of Contents
I. RSBAC theory
1. Introduction
1.1. Introduction
2. RSBAC Models
2.1. Mandatory Access Control (MAC)
2.2. Functional Control (FC)
2.3. Security Information Modification (SIM)
2.4. Simone Fischer-Huebner's Privacy Model (PM)
2.5. Malware Scan (MS)
2.6. File Flags (FF)
2.7. Role Compatibility (RC)
2.8. Authentification Module (AUTH)
2.9. Access Control Lists Module (ACL)
2.10. Linux Capabilities (CAP)
2.11. JAIL
3. RSBAC Targets and requests
3.1. Targets
3.2. Requests
II. Part II: RSBAC manual pages
4. RSBAC Manual pages
4.1. RSBAC manual pages
A. GNU Free Documentation License
List of Tables
2-1. Request Condition for access
2-2. FF rights
2-3. RC Role entry fields
2-4. RC Role special values
2-5. RC Type special values
2-6. RC Role entry fields
2-7. RC Role special values
2-8. RC Type special values
3-1. RSBAC targets
3-2. RSBAC SCD Targets
3-3. RSBAC Requests
List of Figures
2-1. Illegal information flow in Bell-La Padula model.
List of Examples
2-1. Preventing a group of files against reading
2-2. Create a group of append-only files
2-3. Preventing execution of files from a directory
2-4. Prevent moving of a directory