Chapter 3. RSBAC Targets and requests

3.1. Targets

RSBAC restricts access by subjects to objects. The subjects are always processes, acting on behalf of a user with certain attributes, like system_role etc. Objects in RSBAC are called (Access) Targets. They are grouped in Target Types. The following types are defined:

Table 3-1. RSBAC targets

FILEFiles, including device special files. Identified by device and inode number.
DIRDirectories, identified by device and inode number.
FIFO(new in v1.1.1) FIFO special files
DEVDevices, identified by type (char or block), major and minor number
IPC InterProcess Communication: Semaphores (sem), Messages (msg), Shared Memory shm), Sockets (sock) and FiFo (fifo, removed in 1.1.1).
SCD System Control Data: Objects affecting the whole system. This target type is the only one with a fixed number of objects, identified by number (see Table 3-2>).
USERUsers as objects, mostly for access control information (ACI).
PROCESSProcesses as objects.
NETDEVNetwork Device, identified by name.
NETTEMP Network Template, identified by index number. Access control: access to template itself, RC Administration: access to values/settings for both template and NETOBJ, ACL administration: Default ACLs for NETOBJ.
NETOBJ Network Object, identified by internal pointer to struct socket. Attribute values mostly inherited from NETTEMP settings.
NETTEMP_NTACL administration only, ACL entries for NETTEMP objects themselves.
NONE No object associated with this request. In some models (RC, ACL) this is internally changed into SCD target "other".
FD (Only in user space): Let the command line tool decide between types FILE and DIR

System Control Data (SCD) targets are these:

Table 3-2. RSBAC SCD Targets

time_strucsSystem timer
clockSystem time and date
host_idHost name
net_idDomain name
ioportsAccess Control for direct hardware access
rlimitSetting process resource limits
swapControl of swapping
syslogSystem log
rsbacRSBAC data in /proc
rsbaclogRSBAC own log
kmemDirect access to kernel memory via proc or device
other MODIFY_SYSTEM_DATA for sysctl, otherwise only internal in RC and ACL: Substitute for target NONE.
auth_administration(only in RC and ACL) AUTH model administration
network General networking, like routing, arp etc. (Devices are protected as NETDEV targets!).
firewallFirewall settings, packet filter etc.