IP Acls?

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

IP Acls?

Postby ralphy » Sun Nov 25, 2007 7:10 pm

I was wondering if it's possible (and if so, how?) to make a ruleset in the policy that allows only people in a specified GID to bind to an interface. For instance, users in group "users" allowed access to 198.168.1.100 while being denied the ability to use 192.168.1.101 unless they're in a group a special group, in which case they have access to both IPs. Is this possible?
ralphy
 
Posts: 52
Joined: Wed Jan 11, 2006 12:51 pm

Re: IP Acls?

Postby cookiemonster » Wed Jun 25, 2008 2:25 pm

ralphy wrote:I was wondering if it's possible (and if so, how?) to make a ruleset in the policy that allows only people in a specified GID to bind to an interface. For instance, users in group "users" allowed access to 198.168.1.100 while being denied the ability to use 192.168.1.101 unless they're in a group a special group, in which case they have access to both IPs. Is this possible?


ralphy: you can do this through roles, your users would have to gradm to a special role where they will be allowed access. The notion of groups and users, I doubt you can do that.
cookiemonster
 
Posts: 8
Joined: Wed Jun 25, 2008 1:15 pm

Re: IP Acls?

Postby spender » Thu Jun 26, 2008 12:50 pm

Make a group role, and in each subject in that role, make sure that your bind rules only allow binding to the specific IP you mentioned. Remember that the RBAC system supports virtual interface support as well (as described in the sample policy)

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Location: VA, USA


Return to RBAC policy development

cron