[rsbac] restricting network access
Andreas Baetz
lac01 at web.de
Wed Dec 17 09:00:18 CET 2003
I want to restrict the browser so that it can only connect to port 80 of any server and do DNS queries.
So I did the following:
- created a role "browser"
- created a network object "browser_NO"
- created a network template definition "tcp_80" with
    address family INET
    socket type ANY
    address 0.0.0.0
    valid length 0
    protocol TCP
    min port 80
    max port 80
- set the network temp attributes of "tcp_80":
    RC Type browser_NO
    RC Type NT General NETTEMP
- created a network template definition "udp_53" with
    address family INET
    socket type ANY
    address 0.0.0.0
    valid length 0
    protocol UDP
    min port 53
    max port 53
- set the network temp attributes of "udp_53":
    RC Type browser_NO
    RC Type NT General NETTEMP
- set the Type comp NETOBJ for Role "browser":
    General_NETOBJ unset all
    browser_NO set Read-Write-R.
When I enter a URL into the browser, it does not work, and a log entry like this appears:
Dec 17 08:45:16 kernel: rsbac_adf_request(): request SEND, pid 14793, ppid 14791,
prog_name MozillaFirebird, uid xxx, target_type NETOBJ, tid dfd77e34
INET DGRAM proto UDP local eth0:(local_address):34976 remote (DNS-Server):13568, attr , value 0, result NOT_GRANTED by RC
Why is that? What does it do with port 13568 of the DNS server?
If I open General_NETOBJ and sniff the network, it works and there is only UDP traffic to port 53 of the DNS server.
Andreas Baetz
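A small diagnostic for the log line above, added here as an example and not part of the post or of RSBAC: the logged remote port 13568 is 0x3500, which is port 53 (0x0035) with its two bytes exchanged, the value a 16-bit port takes when host and network byte order are mixed up. The script parses the logged protocol and remote port, checks them against the two template ranges from the post (assumed to be the only templates), and reports whether the port matches only after a byte swap. The log line is the one from the post with the addresses left as placeholders.

```python
import re
import struct

# Constructed sample: the NOT_GRANTED line from the post, addresses kept as placeholders.
LOG_LINE = ("INET DGRAM proto UDP local eth0:(local_address):34976 "
            "remote (DNS-Server):13568, attr , value 0, result NOT_GRANTED by RC")

# Template port ranges as configured in the post: name -> (protocol, min port, max port).
TEMPLATES = {"tcp_80": ("TCP", 80, 80), "udp_53": ("UDP", 53, 53)}


def swap16(port):
    """Return the 16-bit port with its two bytes exchanged (0x0035 <-> 0x3500)."""
    return struct.unpack("<H", struct.pack(">H", port))[0]


def parse_remote(line):
    """Extract (protocol, remote port) from an rsbac_adf_request() NETOBJ log line."""
    m = re.search(r"proto (\w+) .*remote [^:]+:(\d+)", line)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def match_templates(proto, port):
    """Template names matching (proto, port) as logged, and after a byte swap."""
    direct = [n for n, (p, lo, hi) in TEMPLATES.items()
              if p == proto and lo <= port <= hi]
    swapped = [n for n, (p, lo, hi) in TEMPLATES.items()
               if p == proto and lo <= swap16(port) <= hi]
    return direct, swapped


def diagnose(line):
    """Explain why a logged remote port did or did not fit the configured templates."""
    parsed = parse_remote(line)
    if parsed is None:
        return "unparsed"
    proto, port = parsed
    direct, swapped = match_templates(proto, port)
    if direct:
        return "port %d matches %s" % (port, direct)
    if swapped:
        return ("port %d is %d byte-swapped; matches %s only after swapping"
                % (port, swap16(port), swapped))
    return "port %d matches no template" % port


if __name__ == "__main__":
    print(diagnose(LOG_LINE))
```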