[rsbac] prohibit tcpip connects with ACL - why don't works?

Amon Ott ao at rsbac.org
Mon Sep 22 11:14:39 MEST 2003 

On Saturday 20 September 2003 16:49, Pallai Roland wrote:
>  I would like to prohibit tcpip connects to a specific IP for every user
> (except one), but it's doesn't works and I've no idea why. The deny
> works with the RC model, so the template configuration seems like ok.
> 
>  If I take the connect right on NETOBJ (with ACL), every connect will be
> denied.
>  Btw, not clear what's the relation between NETOBJ and NETTEMP's in the
> ACL model, can you explain it for me, please?

In ACL, you can specify ACLs for both templates and single NETOBJs. The ACL 
at the NETTEMP target provides the default ACL for the single NETOBJ, like 
the :DEFAULT: ACL does it e.g. for FD objects.

The templates themselves have their own ACL for administration, this is 
addressed through the NETTEMP_NT target.

I will leave out the NETLINk stuff.

> my current config:
> 
> secoff at xxx:~$ net_temp -a -b

> # here's that ip
> net_temp -V 66050 new_template 100100 "noconnect"
> net_temp -V 66050 set_address_family 100100 INET
> net_temp -V 66050 set_type 100100 ANY
> net_temp -V 66050 set_address 100100 192.168.0.200
> net_temp -V 66050 set_valid_len 100100 32
> net_temp -V 66050 set_protocol 100100 ANY
> net_temp -V 66050 set_netdev 100100 ""
> net_temp -V 66050 set_min_port 100100 0
> net_temp -V 66050 set_max_port 100100 65535

Looks fine.

> secoff at xxx:~$ acl_tlist -br NETTEMP `net_temp list_temp_nr`
> # RW right for sysadm
> acl_grant -V 66050 -vsb ROLE 2 
000000011111110010000000000000010000000000110000000 NETTEMP "100100"

So you take the System Admin role as subject, what should work. You could try 
user 0 here as subject for testing.

So you set all necessary rights for role 2, and now comes the mask:

> secoff at xxx:~$ acl_mask -b NETTEMP `net_temp list_temp_nr`
> # CLOSE may be inherited
> acl_mask -V 66050 -sv 000000000000000000000000000000000000000000010000000 
NETTEMP "100100"

Do you really want to filter out all rights except CLOSE?

> secoff at xxx:~$ acl_tlist -br NETOBJ :DEFAULT:
> acl_grant -V 66050 -vsb USER 0 
000000011111110010000000000000110000000000110000000 NETOBJ ":DEFAULT:"
> acl_grant -V 66050 -vsb USER 400 
111000011111110010000000000000110001000000110000000 NETOBJ ":DEFAULT:"
> acl_grant -V 66050 -vsb GROUP 0 
000000011111110010000000000000010000000000110000000 NETOBJ ":DEFAULT:"

This should not have any effect on the target template, because you filter 
the rights out.

The setup looks OK. Could you please try with another ACL entry at the 
template 100100 for user 0? There might be a lurking bug related to role 
rights.

Please also try the acl_rights command to get the system's opinion about 
existing rights, and maybe a "Who has rights here?" from the rsbac_acl_menu 
on the template.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

More information about the rsbac mailing list