Access Domain Groups - example
This document lists the set of filesystem access
domain groups, their elements,
and their members that are in place on our test machine. This will certainly
be enough to get you going. Once you have come to grips with the filesystem
access domain model you will be able to easily extend the configuration to
meet any additional requirements your software/hardware environment imposes.
Firstly, concentrate on the 'Elements' section of the listing for each of the
filesystem access domain groups.
To create an access domain group use: adadm -G -c <group_no>
To add elements to a filesystem access domain group use:
adadm -G -a <group_no> FLAG <path_to_file> (if FLAG=0 in the listings, as it is here,
use the NONE flag).
Now, we take into consideration the 'Members' section in order to configure
members of the above created filesystem access domain groups.
To make a file a member of a group use:
adadm -F -a <path_to_file> FLAG <group_no>
(wherever you see (RW) next to the file in the 'Members' section of the
desired group, use the rw FLAG when using the tool; otherwise use the ro FLAG).
N.B. Filesystem access domain groups 0 and 1 have no 'Members' section as
they are the default rw and ro filesystem access domain groups respectively.
To view filesystem access domain membership info for a file use:
adadm -F -v <path_to_file>
Access domain group 0 (5 elements)
Elements:
/proc [3/1] FLAG=0
/dev [2050/325761] FLAG=0
/dev/pts [8/1] FLAG=0
/tmp [2050/1628802] FLAG=0
/var/tmp [2050/781826] FLAG=0
Access domain group 1 (13 elements)
Elements:
/etc [2050/1791682] FLAG=0
/lib [2050/1726530] FLAG=0
/bin [2050/1335618] FLAG=0
/usr/bin [2050/521217] FLAG=0
/usr/local/bin [2050/618945] FLAG=0
/sbin [2050/1531074] FLAG=0
/usr/sbin [2050/2182593] FLAG=0
/usr/local/sbin [2050/1531073] FLAG=0
/usr/X11R6/bin [2050/2378049] FLAG=0
/usr/lib [2050/553793] FLAG=0
/usr/share [2050/2215169] FLAG=0
/usr/include [2050/684098] FLAG=0
/usr/src/linsec/include [2050/1107718] FLAG=0
Access domain group 2 (1 element)
Elements:
/var/run [2050/1270466] FLAG=0
Members (9):
/usr/sbin/syslogd (RW)
/usr/sbin/klogd (RW)
/usr/sbin/inetd (RW)
/usr/sbin/sshd (RW)
/bin/login (RW)
/sbin/shutdown (RW)
/sbin/halt (RW)
/usr/bin/w (RO)
/sbin/agetty (RW)
Access domain group 3 (1 element)
Elements:
/var/log [2050/130305] FLAG=0
Members (3):
/usr/sbin/syslogd (RW)
/sbin/halt (RW)
/sbin/agetty (RW)
Access domain group 4 (1 element)
Elements:
/ [2050/2] FLAG=0
Members (2):
/bin/umount (RW)
/sbin/halt (RW)
Access domain group 5 (1 element)
Elements:
/dev [2050/325761] FLAG=0
Member (1):
/bin/umount (RW)
Access domain group 6 (1 element)
Elements:
/etc [2050/1791682] FLAG=0
Members (2):
/sbin/hwclock (RW)
/bin/dd (RW)
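The following is an added example, not part of the original document or of the adadm tool: a dry-run shell helper that reads a listing in the format above and prints the matching adadm commands, using only the command forms shown at the top of this page. The function names are hypothetical, and it assumes a create command is wanted for every group heading (the page does not say whether the default groups 0 and 1 need creating, so the excerpt uses groups 3 and 6).

```shell
#!/bin/sh
# Added example: print (never execute) the adadm commands for a listing.

# Excerpt of the listing on this page (groups 3 and 6).
sample_listing() {
cat <<'EOF'
Access domain group 3 (1 element)
Elements:
/var/log [2050/130305] FLAG=0
Members (3):
/usr/sbin/syslogd (RW)
/sbin/halt (RW)
/sbin/agetty (RW)
Access domain group 6 (1 element)
Elements:
/etc [2050/1791682] FLAG=0
Members (2):
/sbin/hwclock (RW)
/bin/dd (RW)
EOF
}

# listing_to_adadm (hypothetical name): listing on stdin, commands on stdout.
# The bracketed field on element lines is ignored. Any FLAG other than 0 is
# rejected, because the page only documents the FLAG=0 -> NONE mapping.
listing_to_adadm() {
awk '
/^Access domain group [0-9]+/ { grp = $4; section = ""; print "adadm -G -c " grp; next }
/^Elements:/                  { section = "E"; next }
/^Members? \([0-9]+\):/       { section = "M"; next }   # also matches "Member (1):"
section == "E" && NF >= 3 {
    if ($NF != "FLAG=0") { print "unsupported " $NF " for " $1 > "/dev/stderr"; bad = 1; exit }
    print "adadm -G -a " grp " NONE " $1; next
}
section == "M" && NF >= 1 {
    # (RW) maps to rw; anything else maps to ro, as the page instructs.
    mode = ($NF == "(RW)") ? "rw" : "ro"
    print "adadm -F -a " $1 " " mode " " grp; next
}
END { exit bad }
'
}

sample_listing | listing_to_adadm
```

Review the printed commands before running them, then check each member with adadm -F -v <path_to_file>.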