Using the DACinet feature for user-based and port-based network access control

The DACinet feature can be used to restrict the access of users to TCP ports.

For more information about DACinet, see User based TCP port access control with discretionary access control for internet ports. For example, when DACinet is used to restrict inbound access to port TCP/25 to root only, only root users on BAS/EAL4+ compliant hosts can connect to that port. This limits the ability of regular users to spoof email by using telnet to connect to port TCP/25 on the victim host.

To activate the ACLs for TCP connections at boot time, the /etc/rc.dacinet script is run from /etc/inittab. It reads the definitions in the /etc/security/acl file and loads the ACLs into the kernel. Ports that should not be protected by ACLs should be listed in the /etc/security/services file, which uses the same format as the /etc/services file.

Assuming a subnet of 10.1.1.0/24 for all the connected systems, the ACL entries to restrict access to the root user only for X (TCP/6000) in the /etc/security/acl file would be as follows:
      6000    10.1.1.0/24 u:root
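The following is an added example, not part of AIX or the DACinet implementation, that models the two files described above so the policy can be reasoned about before it is loaded. It parses /etc/security/acl entries of the form shown (port, network/prefix, then one or more u:user or g:group selectors), treats TCP ports listed in a file with the /etc/security/services format as unprotected, and decides whether a given source address and user would be admitted. The sample file contents, the rule that a protected port admits a connection only when some entry matches both the source network and the user or group, and the behaviour for ports with no entry at all are assumptions made for the example, not statements from the page.

```python
"""Toy evaluator for the /etc/security/acl and /etc/security/services formats.

Added example; not AIX code. The sample files below are constructed.
Assumed semantics: a TCP port listed in the services-style exempt file is
unprotected; a port that has ACL entries admits a connection only when an
entry for that port matches both the source address and the user/group;
a port with no entry and no exemption is reported as 'unspecified' because
the page does not describe that case.
"""
import ipaddress
from dataclasses import dataclass

ACL_FILE = """\
# constructed sample of /etc/security/acl
6000    10.1.1.0/24 u:root
25      10.1.1.0/24 u:root
25      10.1.2.0/24 g:mailadm u:postmaster
"""

SERVICES_FILE = """\
# constructed sample of /etc/security/services (same format as /etc/services)
ssh     22/tcp
http    80/tcp
domain  53/udp
"""


@dataclass(frozen=True)
class AclEntry:
    port: int
    network: ipaddress.IPv4Network
    kind: str   # 'u' for a user selector, 'g' for a group selector
    name: str


def parse_acl(text):
    """Parse ACL lines: <port> <network>/<prefix> <u:user|g:group>..."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: need port, network and a selector")
        port = int(fields[0])
        # strict=False tolerates host bits in the address (e.g. 10.1.1.5/24)
        network = ipaddress.ip_network(fields[1], strict=False)
        for selector in fields[2:]:
            kind, sep, name = selector.partition(':')
            if kind not in ('u', 'g') or not sep or not name:
                raise ValueError(f"line {lineno}: bad selector {selector!r}")
            entries.append(AclEntry(port, network, kind, name))
    return entries


def parse_exempt_ports(text):
    """Return the set of TCP ports listed in a /etc/services-format file."""
    ports = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: need a name and port/proto")
        port, _, proto = fields[1].partition('/')
        if proto == 'tcp':                       # only TCP ports are ACL'd
            ports.add(int(port))
    return ports


def decide(port, src_ip, user, groups, acl, exempt):
    """Return 'allow', 'deny' or 'unspecified' for one inbound TCP connection."""
    if port in exempt:
        return 'allow'                           # unprotected port
    candidates = [e for e in acl if e.port == port]
    if not candidates:
        return 'unspecified'                     # assumption: page is silent here
    addr = ipaddress.ip_address(src_ip)
    for e in candidates:
        in_net = addr in e.network
        subject_ok = (e.kind == 'u' and e.name == user) or \
                     (e.kind == 'g' and e.name in groups)
        if in_net and subject_ok:
            return 'allow'
    return 'deny'


if __name__ == '__main__':
    acl = parse_acl(ACL_FILE)
    exempt = parse_exempt_ports(SERVICES_FILE)
    for port, ip, user, groups in [(6000, '10.1.1.7', 'root', set()),
                                   (6000, '10.1.1.7', 'alice', {'staff'}),
                                   (25, '10.1.2.3', 'bob', {'mailadm'})]:
        print(port, ip, user, decide(port, ip, user, groups, acl, exempt))
```

Running the block prints the decision for three constructed connections; a non-root user on the 10.1.1.0/24 subnet is denied on port 6000 while root is allowed, which is the effect the example entry above is meant to produce.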