RSBAC restricts access by subjects to objects. The subjects are always processes, acting on behalf of a user with certain attributes (such as system_role). Objects in RSBAC are called (Access) Targets and are grouped into Target Types. The following types are defined:
Table 3-1. RSBAC targets
| Type | Comment |
|---|---|
| FILE | Files, including device special files. Identified by device and inode number. |
| DIR | Directories, identified by device and inode number. |
| FIFO | (new in v1.1.1) FIFO special files |
| DEV | Devices, identified by type (char or block), major and minor number |
| IPC | InterProcess Communication: Semaphores (sem), Messages (msg), Shared Memory (shm), Sockets (sock) and FIFO (fifo, removed in v1.1.1). |
| SCD | System Control Data: Objects affecting the whole system. This target type is the only one with a fixed number of objects, identified by number (see Table 3-2). |
| USER | Users as objects, mostly for access control information (ACI). |
| PROCESS | Processes as objects. |
| NETDEV | Network Device, identified by name. |
| NETTEMP | Network Template, identified by index number. Access control applies to the template itself; RC administration covers the values/settings for both the template and NETOBJ; ACL administration covers the default ACLs for NETOBJ. |
| NETOBJ | Network Object, identified by internal pointer to struct socket. Attribute values mostly inherited from NETTEMP settings. |
| NETTEMP_NT | ACL administration only, ACL entries for NETTEMP objects themselves. |
| NONE | No object associated with this request. In some models (RC, ACL) this is internally changed into SCD target "other". |
| FD | (Only in user space): lets the command line tool decide between types FILE and DIR. |
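The following is an added example, not part of the RSBAC documentation or tools, showing what the user-space pseudo-type FD resolves to and how Table 3-1 identifies the resulting objects: FILE, DIR and FIFO targets by (device, inode) rather than by path, and a device special file as a FILE target that additionally refers to a DEV target. The `resolve_targets` and `demo` function names and the constructed sample tree are assumptions of this example.

```python
import os
import shutil
import stat
import tempfile

# Identification follows Table 3-1: FILE, DIR and FIFO objects are
# (device, inode) pairs, not path names, so a hard link or a rename still
# names the same object; a device special file is a FILE target and, in
# addition, refers to a DEV target named by (char|block, major, minor).

def resolve_targets(path):
    """Resolve a path the way the user-space pseudo-type FD would.

    Returns a list of (target_type, identifier) tuples. Symlinks are not
    followed, so the link node itself is the classified object.
    """
    st = os.lstat(path)
    node_id = (st.st_dev, st.st_ino)
    if stat.S_ISDIR(st.st_mode):
        return [("DIR", node_id)]
    if stat.S_ISFIFO(st.st_mode):
        return [("FIFO", node_id)]
    targets = [("FILE", node_id)]
    if stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode):
        kind = "char" if stat.S_ISCHR(st.st_mode) else "block"
        targets.append(("DEV", (kind, os.major(st.st_rdev), os.minor(st.st_rdev))))
    return targets


def demo():
    """Constructed sample tree: a file, a hard link to it, a directory, a FIFO."""
    base = tempfile.mkdtemp(prefix="rsbac-targets-")
    try:
        with open(os.path.join(base, "file.txt"), "w") as fh:
            fh.write("sample\n")
        os.link(os.path.join(base, "file.txt"), os.path.join(base, "link.txt"))
        os.mkdir(os.path.join(base, "subdir"))
        os.mkfifo(os.path.join(base, "pipe"))
        names = ("file.txt", "link.txt", "subdir", "pipe")
        return {n: resolve_targets(os.path.join(base, n)) for n in names}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, targets in demo().items():
        print(name, targets)
```

The hard link resolves to exactly the same (device, inode) object as the original file, which is why path-based identification would be the weaker choice for an access control decision.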
System Control Data (SCD) targets are these:
Table 3-2. RSBAC SCD Targets
| Type | Comment |
|---|---|
| time_strucs | System timer |
| clock | System time and date |
| host_id | Host name |
| net_id | Domain name |
| ioports | Access Control for direct hardware access |
| rlimit | Setting process resource limits |
| swap | Control of swapping |
| syslog | System log |
| rsbac | RSBAC data in /proc |
| rsbaclog | RSBAC own log |
| kmem | Direct access to kernel memory via proc or device |
| other | MODIFY_SYSTEM_DATA for sysctl; otherwise only used internally in RC and ACL as a substitute for target NONE. |
| auth_administration | (only in RC and ACL) AUTH model administration |
| network | General networking, such as routing, ARP etc. (devices are protected as NETDEV targets!). |
| firewall | Firewall settings, packet filter etc. |