On 21.08.2015 13:47, Patrick Ohly wrote:
On Fri, 2015-08-21 at 13:25 +0200, Aleksander Zdyb wrote:
Example:
Let me modify the example slightly to cover the case you refer to below
("order of buckets searching"). It doesn't make sense, but let's assume
that we have two additional buckets for access-internet:
In MAIN bucket, there is this policy:
Client   User   Privilege          Policy
------------------------------------------------
...      ...    ...                ...
*        *      access-internet    -> INTERNET1
*        *      access-internet    -> INTERNET2
...      ...    ...                ...
------------------------------------------------
Default policy: DENY
No, you cannot have that policy. The triples of (client, user, privilege)
must be unique. If you try to add this to Cynara, the next rule will
overwrite the former one.
But be specific about one of the "stars" and your modified example will
work.
Yes, if I got it right above, then it did. This definitely should be
documented, though, if it is not already.
I think you got it right -- with the notice above.
If in doubt of what Cynara will do in some cases, you can use cyad.
It's an administrative tool, but can emulate some checks and queries.
Your example will go something like this:
```
# Adding buckets
cyad -b INTERNET1 -t DENY
cyad -b INTERNET2 -t ALLOW
# Adding specific rules to buckets
cyad -s -k INTERNET1 -c cli-app-1 -u 5000 -p access-internet -t DENY
cyad -s -k INTERNET2 -c cli-app-1 -u 5000 -p access-internet -t DENY
# Adding wildcard rules to MAIN bucket
cyad -s -c \* -u \* -p access-internet -t BUCKET -m INTERNET1
cyad -s -c \* -u 5000 -p access-internet -t BUCKET -m INTERNET2
# Checks
cyad -a -r y -c cli-app-1 -u 5000 -p access-internet
cyad -a -r y -c cli-app-2 -u 5000 -p access-internet
```
HTH
--
Aleksander Zdyb
Samsung R&D Institute Poland
Samsung Electronics
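
Added example, not part of the original message and not Cynara code: a small Python model of the point made in the reply, that (client, user, privilege) is the rule key within a bucket, so a second rule with the same triple silently replaces the first. It assumes that when several rules match, the most restrictive result wins and that a bucket's default applies when nothing matches; `Store`, `build` and the numeric policy values are hypothetical names chosen for illustration.

```python
# Simplified model of Cynara bucket lookup (constructed for illustration).
DENY, ALLOW = 0, 1  # assumption: the lower value is the more restrictive one

class Store:
    def __init__(self):
        # bucket name -> [default policy, {(client, user, privilege): result}]
        self.buckets = {"MAIN": [DENY, {}]}

    def set_bucket(self, name, default):
        self.buckets[name] = [default, {}]

    def set_policy(self, client, user, privilege, result, bucket="MAIN"):
        # The whole triple is the key, so setting it again replaces the rule.
        self.buckets[bucket][1][(client, user, privilege)] = result

    def check(self, client, user, privilege, bucket="MAIN"):
        default, rules = self.buckets[bucket]
        query, results = (client, user, privilege), []
        for key, result in rules.items():
            if all(k in ("*", q) for k, q in zip(key, query)):
                if isinstance(result, tuple):  # ("BUCKET", name): follow it
                    result = self.check(client, user, privilege, result[1])
                results.append(result)
        return min(results) if results else default

def build(duplicate_wildcards):
    """Policy from the thread; the flag selects '* *' twice or '* 5000'."""
    s = Store()
    s.set_bucket("INTERNET1", DENY)
    s.set_bucket("INTERNET2", ALLOW)
    s.set_policy("cli-app-1", "5000", "access-internet", DENY, "INTERNET1")
    s.set_policy("cli-app-1", "5000", "access-internet", DENY, "INTERNET2")
    s.set_policy("*", "*", "access-internet", ("BUCKET", "INTERNET1"))
    user = "*" if duplicate_wildcards else "5000"
    s.set_policy("*", user, "access-internet", ("BUCKET", "INTERNET2"))
    return s

if __name__ == "__main__":
    for dup in (True, False):
        s = build(dup)
        verdict = s.check("cli-app-2", "5000", "access-internet")
        print("duplicate triple" if dup else "specific user",
              "-> MAIN rules:", len(s.buckets["MAIN"][1]),
              "cli-app-2:", "ALLOW" if verdict == ALLOW else "DENY")
```

In this model the duplicated wildcard triple leaves only the INTERNET2 redirect in MAIN, so the INTERNET1 default is never consulted for cli-app-2.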