[rsbac] prohibit tcpip connects with ACL - why don't works?

Pallai Roland dap at mail.index.hu
Mon Sep 22 10:21:34 MEST 2003


hi,
 I would like to prohibit tcpip connects to a specific IP for every user
(except one), but it doesn't work and I've no idea why. The deny
works with the RC model, so the template configuration seems to be ok.

 If I take away the connect right on NETOBJ (with ACL), every connect will be
denied.
 Btw, it's not clear to me what the relation between NETOBJ and NETTEMPs is in the
ACL model; can you explain it to me, please?


my current config:

secoff at xxx:~$ net_temp -a -b

net_temp -V 66050 new_template 100010 "AF_UNIX"
net_temp -V 66050 set_address_family 100010 UNIX
net_temp -V 66050 set_type 100010 ANY
net_temp -V 66050 -u set_address 100010 ""
net_temp -V 66050 set_valid_len 100010 0
net_temp -V 66050 set_protocol 100010 ANY
net_temp -V 66050 set_netdev 100010 ""
net_temp -V 66050 set_min_port 100010 0
net_temp -V 66050 set_max_port 100010 0

net_temp -V 66050 new_template 100099 "AF_INET_127"
net_temp -V 66050 set_address_family 100099 INET
net_temp -V 66050 set_type 100099 ANY
net_temp -V 66050 set_address 100099 127.0.0.1
net_temp -V 66050 set_valid_len 100099 32
net_temp -V 66050 set_protocol 100099 ANY
net_temp -V 66050 set_netdev 100099 ""
net_temp -V 66050 set_min_port 100099 0
net_temp -V 66050 set_max_port 100099 65535

# here's that ip
net_temp -V 66050 new_template 100100 "noconnect"
net_temp -V 66050 set_address_family 100100 INET
net_temp -V 66050 set_type 100100 ANY
net_temp -V 66050 set_address 100100 192.168.0.200
net_temp -V 66050 set_valid_len 100100 32
net_temp -V 66050 set_protocol 100100 ANY
net_temp -V 66050 set_netdev 100100 ""
net_temp -V 66050 set_min_port 100100 0
net_temp -V 66050 set_max_port 100100 65535

net_temp -V 66050 new_template 100105 "Auto-IPv4"
net_temp -V 66050 set_address_family 100105 INET
net_temp -V 66050 set_type 100105 ANY
net_temp -V 66050 set_address 100105 0.0.0.0
net_temp -V 66050 set_valid_len 100105 32
net_temp -V 66050 set_protocol 100105 ANY
net_temp -V 66050 set_netdev 100105 ""
net_temp -V 66050 set_min_port 100105 0
net_temp -V 66050 set_max_port 100105 65535

net_temp -V 66050 new_template 100200 "AF_NETLINK"
net_temp -V 66050 set_address_family 100200 NETLINK
net_temp -V 66050 set_type 100200 ANY
net_temp -V 66050 set_valid_len 100200 0
net_temp -V 66050 set_protocol 100200 ANY
net_temp -V 66050 set_netdev 100200 ""
net_temp -V 66050 set_min_port 100200 0
net_temp -V 66050 set_max_port 100200 0

net_temp -V 66050 new_template 4294967295 "ALL"
net_temp -V 66050 set_address_family 4294967295 ANY
net_temp -V 66050 set_type 4294967295 ANY
net_temp -V 66050 set_valid_len 4294967295 0
net_temp -V 66050 set_protocol 4294967295 ANY
net_temp -V 66050 set_netdev 4294967295 ""
net_temp -V 66050 set_min_port 4294967295 0
net_temp -V 66050 set_max_port 4294967295 65535


secoff at xxx:~$ acl_tlist -br NETTEMP `net_temp list_temp_nr`
# RW right for sysadm
acl_grant -V 66050 -vsb ROLE 2 000000011111110010000000000000010000000000110000000 NETTEMP "100100"
acl_grant -V 66050 -vsb ROLE 2 000000011111110010000000000000010000000000110000000 NETTEMP "100200"


secoff at xxx:~$ acl_mask -b NETTEMP `net_temp list_temp_nr`
# CLOSE may be inherited
acl_mask -V 66050 -sv 000000000000000000000000000000000000000000010000000 NETTEMP "100100"
acl_mask -V 66050 -sv 000000000000000000000000000000000000000000000000000 NETTEMP "100200"
acl_mask -V 66050 -sv 100000011111110010000000000000110001000000110000000 NETTEMP "4294967295"


secoff at xxx:~$ acl_tlist -br NETOBJ :DEFAULT:
acl_grant -V 66050 -vsb USER 0 000000011111110010000000000000110000000000110000000 NETOBJ ":DEFAULT:"
acl_grant -V 66050 -vsb USER 400 111000011111110010000000000000110001000000110000000 NETOBJ ":DEFAULT:"
acl_grant -V 66050 -vsb GROUP 0 000000011111110010000000000000010000000000110000000 NETOBJ ":DEFAULT:"


rsbac 1.2.2 with kernel 2.4.22


thanks in advance,
-- 
  DaP
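A check for the problem described above, added here and not part of the original post or of RSBAC itself: it parses the `net_temp -a -b` dump into templates and reports which template a connect to a given IP and port would fall under, so one can confirm that 192.168.0.200 resolves to template 100100 rather than to ALL. It assumes that templates are matched lowest number first with the first match winning and that valid_len is a prefix length in bits; `parse_templates` and `matching_template` are the example's own names.

```python
import ipaddress
import shlex

# Constructed sample: three templates from the post's dump, trimmed to the fields that decide a match.
NET_TEMP_DUMP = """net_temp -V 66050 new_template 100099 "AF_INET_127"
net_temp -V 66050 set_address_family 100099 INET
net_temp -V 66050 set_address 100099 127.0.0.1
net_temp -V 66050 set_valid_len 100099 32
net_temp -V 66050 set_max_port 100099 65535
net_temp -V 66050 new_template 100100 "noconnect"
net_temp -V 66050 set_address_family 100100 INET
net_temp -V 66050 set_address 100100 192.168.0.200
net_temp -V 66050 set_valid_len 100100 32
net_temp -V 66050 set_max_port 100100 65535
net_temp -V 66050 new_template 4294967295 "ALL"
net_temp -V 66050 set_address_family 4294967295 ANY
net_temp -V 66050 set_max_port 4294967295 65535
"""

CMDS = {"new_template": "name", "set_address_family": "family", "set_address": "address",
        "set_valid_len": "valid_len", "set_min_port": "min_port", "set_max_port": "max_port"}

def parse_templates(dump):
    """Map template number -> fields, parsed from net_temp backup lines."""
    templates = {}
    for line in dump.splitlines():
        parts = shlex.split(line)
        idx = next((i for i, p in enumerate(parts) if p in CMDS), None)
        if idx is None or len(parts) < idx + 3:
            continue
        field, nr, value = CMDS[parts[idx]], int(parts[idx + 1]), parts[idx + 2]
        tmpl = templates.setdefault(nr, {"family": "ANY", "address": "",
                                         "valid_len": 0, "min_port": 0, "max_port": 0})
        tmpl[field] = int(value) if field in ("valid_len", "min_port", "max_port") else value
    return templates

def matching_template(templates, ip, port, family="INET"):
    """Lowest-numbered template matching ip:port (None if no template matches).
    Assumption, not stated in the post: RSBAC checks templates in ascending order
    and takes the first match; valid_len is a prefix length, 0 matches any address."""
    target = ipaddress.ip_address(ip)
    for nr in sorted(templates):
        t = templates[nr]
        if t["family"] not in ("ANY", family) or not t["min_port"] <= port <= t["max_port"]:
            continue
        if t["valid_len"] and (not t["address"] or target not in
                ipaddress.ip_network(f'{t["address"]}/{t["valid_len"]}', strict=False)):
            continue
        return nr
    return None
```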

