[rsbac] How to limit network access

Thomas Mueller news-exp-jun04 at tmueller.com
Mon Apr 19 10:41:39 CEST 2004


I tried to follow http://zhware.ath.cx/cgi-bin/oswiki.cgi/ApacheRsbacRc to
restrict the network access of my Apache. Unfortunately Apache can still
bind to any port, not only 80.

I'm sure it's my fault but I don't see what's wrong :-( That's what I did:

net_temp -V 66051 new_template 20000 "httpv4"
net_temp -V 66051 set_address_family 20000 INET
net_temp -V 66051 set_type 20000 STREAM
net_temp -V 66051 set_address 20000 0.0.0.0
net_temp -V 66051 set_valid_len 20000 0
net_temp -V 66051 set_protocol 20000 TCP
net_temp -V 66051 set_netdev 20000 ""
net_temp -V 66051 set_min_port 20000 80
net_temp -V 66051 set_max_port 20000 80
net_temp -V 66051 new_template 20001 "httpv6"
net_temp -V 66051 set_address_family 20001 INET6
net_temp -V 66051 set_type 20001 STREAM
net_temp -V 66051 set_valid_len 20001 0
net_temp -V 66051 set_protocol 20001 TCP
net_temp -V 66051 set_netdev 20001 ""
net_temp -V 66051 set_min_port 20001 80
net_temp -V 66051 set_max_port 20001 80

(required to access a database on localhost, will be restricted further)
net_temp -V 66051 new_template 100101 "localnet"
net_temp -V 66051 set_address_family 100101 INET
net_temp -V 66051 set_type 100101 ANY
net_temp -V 66051 set_address 100101 127.0.0.0
net_temp -V 66051 set_valid_len 100101 8
net_temp -V 66051 set_protocol 100101 ANY
net_temp -V 66051 set_netdev 100101 ""
net_temp -V 66051 set_min_port 100101 0
net_temp -V 66051 set_max_port 100101 65535

attr_set_net -V 66051 NETTEMP rc_type 3 20000
attr_set_net -V 66051 NETTEMP rc_type 3 20001
attr_set_net -V 66051 NETTEMP rc_type 20 100101

rc_set_item -V 66051 TYPE 3 type_netobj_name "http NETOBJ"
rc_set_item -V 66051 TYPE 20 type_netobj_name "localall NETOBJ"

rc_set_item -V 66051 -b ROLE 20 type_comp_netobj 0 00000000001101000000000000000000000000000000100000000
rc_set_item -V 66051 -b ROLE 20 type_comp_netobj 3 00000000011101110000000000000000000000000000100000000
rc_set_item -V 66051 -b ROLE 20 type_comp_netobj 20 00000000001110000000000000000000000000000000100000000

attr_set_file_dir FD /usr/sbin/apache2 rc_force_role 20

The Wiki says it's enough to set Bind+Listen for http NETOBJ, but that
leads to the following when I connect to Apache:

Apr 18 18:44:21 geht-schon kernel: rsbac_adf_request(): request
 SEND, pid 14758, ppid 14756, prog_name apache2, uid 33, target_type
 NETOBJ, tid c36a7500 INET6 STREAM, attr none, value 0, result NOT_GRANTED
 by GEN RC
Apr 18 18:44:21 geht-schon kernel: rsbac_adf_request(): request
 RECEIVE, pid 14758, ppid 14756, prog_name apache2, uid 33, target_type
 NETOBJ, tid c36a7500 INET6 STREAM, attr none, value 0, result NOT_GRANTED
 by GEN RC
Apr 18 18:44:36 geht-schon kernel: rsbac_adf_request(): request
 NET_SHUTDOWN, pid 14758, ppid 14756, prog_name apache2, uid 33,
 target_type NETOBJ, tid c36a7500 INET6 STREAM, attr none, value 0, result
 NOT_GRANTED by GEN RC

So something seems to work, but Apache can still bind to its https port
(netstat -l):
tcp6       0      0 *:www                   *:*                     LISTEN
tcp6       0      0 *:https                 *:*                     LISTEN

Whatever tcp6 is. This is a default Debian Sarge installation with kernel
2.6.4 and RSBAC 1.2.3pre4.

Thanks for your help!


Thomas
-- 
http://www.tmueller.com for pgp key (95702B3B)
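A small checker, added here and not part of the post or of RSBAC's own tools, that parses net_temp lines like those above and reports which template a socket description would fall into. It assumes a simplified matching model (lowest matching template id wins, ANY is a wildcard, valid_len counts address prefix bits and 0 means any address) and uses a constructed subset of the post's templates (httpv6 and localnet); sockets that match no listed template, such as an IPv6 listener on port 443, are the ones left to the default template.

```python
import ipaddress
import shlex

# Constructed subset of the post's commands (httpv4 and the empty set_netdev lines omitted).
NET_TEMP_LINES = """
net_temp -V 66051 new_template 20001 "httpv6"
net_temp -V 66051 set_address_family 20001 INET6
net_temp -V 66051 set_type 20001 STREAM
net_temp -V 66051 set_valid_len 20001 0
net_temp -V 66051 set_protocol 20001 TCP
net_temp -V 66051 set_min_port 20001 80
net_temp -V 66051 set_max_port 20001 80
net_temp -V 66051 new_template 100101 "localnet"
net_temp -V 66051 set_address_family 100101 INET
net_temp -V 66051 set_type 100101 ANY
net_temp -V 66051 set_address 100101 127.0.0.0
net_temp -V 66051 set_valid_len 100101 8
net_temp -V 66051 set_protocol 100101 ANY
net_temp -V 66051 set_min_port 100101 0
net_temp -V 66051 set_max_port 100101 65535
"""

def parse_templates(text):
    """Return {template_id: {field: value}} from new_template/set_* lines."""
    templates = {}
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        cmd, tid = argv[3], int(argv[4])
        if cmd == "new_template":
            templates[tid] = {"name": argv[5]}
        elif cmd.startswith("set_"):
            templates[tid][cmd[4:]] = argv[5]
    return templates

def matching_template(templates, family, stype, proto, address, port):
    """ASSUMED model: lowest matching id wins; ANY is a wildcard; valid_len 0 = any address."""
    sock = {"address_family": family, "type": stype, "protocol": proto}
    for tid in sorted(templates):
        t = templates[tid]
        if any(t.get(k, "ANY") not in ("ANY", v) for k, v in sock.items()):
            continue
        if not int(t.get("min_port", 0)) <= port <= int(t.get("max_port", 65535)):
            continue
        bits = int(t.get("valid_len", 0))
        if bits and ipaddress.ip_address(address) not in ipaddress.ip_network(
                f"{t['address']}/{bits}", strict=False):
            continue
        return tid
    return None
```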


