
IP Acls?

PostPosted: Sun Nov 25, 2007 7:10 pm
by ralphy
I was wondering if it's possible (and if so, how?) to make a ruleset in the policy that allows only people in a specified GID to bind to an interface. For instance, users in group "users" allowed access to 198.168.1.100 while being denied the ability to use 192.168.1.101 unless they're in a special group, in which case they have access to both IPs. Is this possible?

Re: IP Acls?

PostPosted: Wed Jun 25, 2008 2:25 pm
by cookiemonster
ralphy wrote: I was wondering if it's possible (and if so, how?) to make a ruleset in the policy that allows only people in a specified GID to bind to an interface. For instance, users in group "users" allowed access to 198.168.1.100 while being denied the ability to use 192.168.1.101 unless they're in a special group, in which case they have access to both IPs. Is this possible?


ralphy: you can do this through roles, your users would have to gradm to a special role where they will be allowed access. The notion of groups and users, I doubt you can do that.

Re: IP Acls?

PostPosted: Thu Jun 26, 2008 12:50 pm
by spender
Make a group role, and in each subject in that role, make sure that your bind rules only allow binding to the specific IP you mentioned. Remember that the RBAC system supports virtual interfaces as well (as described in the sample policy).

-Brad
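What both replies describe, written out as a grsecurity RBAC policy fragment. This is an added example, not policy from this thread or from the grsecurity sample policy. It assumes the two addresses are 192.168.1.100 and 192.168.1.101, that the ordinary group is "users" and that the privileged group is called "netadmin" (a constructed name; a group role must be named after a real group on the system). File objects are kept to a minimum so the socket rules stand out.

```text
# Added example policy fragment (assumed group name "netadmin", assumed addresses).

# Fallback role for anyone with no matching user or group role:
# no binding or connecting at all.
role default
subject /
	/		r
	-CAP_ALL
	bind	disabled
	connect	disabled

# Group role for group "users" (spender's approach): every subject in this
# role may bind only to 192.168.1.100. Once a subject carries a bind rule,
# any bind that matches no rule is denied, so 192.168.1.101 needs no
# explicit deny line.
role users g
# role_transitions lists the special roles this role may switch to with gradm -a
role_transitions netadmin
subject /
	/		r
	/bin		rx
	/usr		rx
	/tmp		rwcd
	bind	192.168.1.100/32:0-65535 stream dgram tcp udp

# Group role for the privileged group: both addresses are allowed.
role netadmin g
subject /
	/		r
	/bin		rx
	/usr		rx
	/tmp		rwcd
	bind	192.168.1.100/32:0-65535 stream dgram tcp udp
	bind	192.168.1.101/32:0-65535 stream dgram tcp udp

# cookiemonster's alternative: a special role (flag s) that a user of the
# "users" role enters explicitly with "gradm -a netadmin" and a password
# set via "gradm -P netadmin". Same subject and bind rules as the group role.
role netadmin s
subject /
	/		r
	/bin		rx
	/usr		rx
	/tmp		rwcd
	bind	192.168.1.100/32:0-65535 stream dgram tcp udp
	bind	192.168.1.101/32:0-65535 stream dgram tcp udp
```

The group-role form applies automatically by GID; the special-role form requires the user to authenticate into it, which is the trade-off between the two replies. A policy using both would normally give the group role and the special role different names, since the snippet above reuses "netadmin" for both only to keep the comparison side by side. Binding by interface name instead of address is also accepted by the bind rule syntax, as the sample policy shows; the fragment above sticks to addresses because those are what the question names. Run gradm -C to check the policy for syntax errors before enabling it.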