[rsbac] prohibit tcpip connects with ACL - why doesn't it work?
Amon Ott
ao at rsbac.org
Mon Sep 22 11:14:39 MEST 2003
On Saturday 20 September 2003 16:49, Pallai Roland wrote:
> I would like to prohibit tcpip connects to a specific IP for every user
> (except one), but it doesn't work and I've no idea why. The deny
> works with the RC model, so the template configuration seems OK.
>
> If I take the connect right on NETOBJ (with ACL), every connect will be
> denied.
> Btw, it's not clear what the relation between NETOBJ and NETTEMPs is in the
> ACL model; can you explain it to me, please?
In ACL, you can specify ACLs for both templates and single NETOBJs. The ACL
at the NETTEMP target provides the default ACL for the single NETOBJ, like
the :DEFAULT: ACL does e.g. for FD objects.
The templates themselves have their own ACL for administration; this is
addressed through the NETTEMP_NT target.
I will leave out the NETLINK stuff.
> my current config:
>
> secoff at xxx:~$ net_temp -a -b
> # here's that ip
> net_temp -V 66050 new_template 100100 "noconnect"
> net_temp -V 66050 set_address_family 100100 INET
> net_temp -V 66050 set_type 100100 ANY
> net_temp -V 66050 set_address 100100 192.168.0.200
> net_temp -V 66050 set_valid_len 100100 32
> net_temp -V 66050 set_protocol 100100 ANY
> net_temp -V 66050 set_netdev 100100 ""
> net_temp -V 66050 set_min_port 100100 0
> net_temp -V 66050 set_max_port 100100 65535
Looks fine.
> secoff at xxx:~$ acl_tlist -br NETTEMP `net_temp list_temp_nr`
> # RW right for sysadm
> acl_grant -V 66050 -vsb ROLE 2 000000011111110010000000000000010000000000110000000 NETTEMP "100100"
So you take the System Admin role as subject, which should work. You could try
user 0 here as subject for testing.
So you set all necessary rights for role 2, and now comes the mask:
> secoff at xxx:~$ acl_mask -b NETTEMP `net_temp list_temp_nr`
> # CLOSE may be inherited
> acl_mask -V 66050 -sv 000000000000000000000000000000000000000000010000000 NETTEMP "100100"
Do you really want to filter out all rights except CLOSE?
> secoff at xxx:~$ acl_tlist -br NETOBJ :DEFAULT:
> acl_grant -V 66050 -vsb USER 0 000000011111110010000000000000110000000000110000000 NETOBJ ":DEFAULT:"
> acl_grant -V 66050 -vsb USER 400 111000011111110010000000000000110001000000110000000 NETOBJ ":DEFAULT:"
> acl_grant -V 66050 -vsb GROUP 0 000000011111110010000000000000010000000000110000000 NETOBJ ":DEFAULT:"
This should not have any effect on the target template, because you filter
the rights out.
The setup looks OK. Could you please try with another ACL entry at the
template 100100 for user 0? There might be a lurking bug related to role
rights.
Please also try the acl_rights command to get the system's opinion about
existing rights, and maybe a "Who has rights here?" from the rsbac_acl_menu
on the template.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
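A toy model of the masking behaviour Amon points out, added here as an illustration and not part of the thread or of the RSBAC tools: rights granted directly on the template pass untouched, while the NETOBJ :DEFAULT: entries are filtered through the template's inheritance mask, which in this config keeps a single bit (CLOSE, per the poster's comment). The right vectors are copied from the post; the assumed rule "effective = direct OR (inherited AND mask)" and the right-to-bit mapping (bits are only counted from the right here) are simplifications, not RSBAC's real bit layout.

```python
# Added example, not from the rsbac list or the RSBAC tools.
# Assumed model: effective rights = direct grant | (inherited grant & mask).
# Bit positions are counted from the right (0 = rightmost); RSBAC's actual
# right-name-to-bit mapping is not reproduced here.

# Right vectors copied from the post (ACL entries and mask on template 100100).
TEMPLATE_GRANTS = {
    ("ROLE", 2): "000000011111110010000000000000010000000000110000000",
}
TEMPLATE_MASK = "000000000000000000000000000000000000000000010000000"
DEFAULT_GRANTS = {  # entries at NETOBJ :DEFAULT:
    ("USER", 0):   "000000011111110010000000000000110000000000110000000",
    ("USER", 400): "111000011111110010000000000000110001000000110000000",
    ("GROUP", 0):  "000000011111110010000000000000010000000000110000000",
}


def bits(vector):
    """Parse a printed '0'/'1' right vector into an integer bit set."""
    if set(vector) - {"0", "1"}:
        raise ValueError("not a right vector: %r" % (vector,))
    return int(vector, 2)


def set_bits(value):
    """Positions (0 = rightmost) of the rights present in value."""
    return [i for i in range(value.bit_length()) if (value >> i) & 1]


def effective_rights(subject, direct, inherited, mask):
    """Direct grants pass untouched; inherited grants are ANDed with the mask."""
    own = bits(direct.get(subject, "0"))
    parent = bits(inherited.get(subject, "0"))
    return own | (parent & bits(mask))


def surviving_default_rights(mask=TEMPLATE_MASK, defaults=DEFAULT_GRANTS):
    """For each :DEFAULT: entry, which of its rights survive the template mask."""
    return {subj: set_bits(bits(v) & bits(mask)) for subj, v in defaults.items()}


if __name__ == "__main__":
    print("mask lets through bits:", set_bits(bits(TEMPLATE_MASK)))
    for subj, kept in surviving_default_rights().items():
        print(subj, "inherits only bits:", kept)   # at most the single mask bit
    role2 = effective_rights(("ROLE", 2), TEMPLATE_GRANTS, DEFAULT_GRANTS, TEMPLATE_MASK)
    print(("ROLE", 2), "keeps its direct grant, bits:", set_bits(role2))
```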