[redhat-lspp] different cipso mapping behavior
Paul Moore
paul.moore at hp.com
Wed Feb 28 00:08:40 UTC 2007
On Monday, February 26 2007 7:17:19 pm Loulwa Salem wrote:
> Hi Paul,
> After the meeting, I went back to try some cipso tests and noticed the
> following behavior that didn't use to happen before ..
> I am on the latest RHEL drop with the .65 kernel, latest policy .38, and
> netlabel_tools-0.17-9.el5
>
> I was trying to test the cipso mappings and that a connection is
> granted/denied correctly between two systems when mappings are in place.
>
> Here is what I had a problem with ..
>
> I set up a system with following rules
> netlabelctl cipsov4 add std doi:1 tags:1 levels:2=1 categories:2=1
> netlabelctl map del default
> netlabelctl map add default protocol:cipsov4,1
>
> Now I try to log in (note I already have a session on the system and I use
> that one to log in, so its coming through localhost)
> ssh -l testuser/user_r/s2:c2-s2:c2 localhost
>
> The above command hangs .. Looking at the output of tcpdump (tcpdump -v -i
> lo) I see an ICMP error (output at end of this message). I also checked,
> and there were no relevant audit records or anything useful in
> /var/log/messages or /var/log/secure.
For those of you not following the RHEL BZ entry for this problem:
***
I should have seen this sooner, but I was thrown off by the "ssh -l
testuser/user_r/s2:c2-s2:c2 localhost" command line syntax ... this is not a
bug, this is the correct behavior.
By configuring a "std" CIPSO DOI with a _only_ level mapping of "2=1" that
CIPSO DOI will only allow traffic to be sent when the domain sending the
packet has an effective sensitivity level of "s2". The reason for this is
that the CIPSO DOI only has a valid level mapping for "s2". The same logic
applies to categories. If you were to try to run any network application
using the default effective sensitivity label of "s0" then you should not be
able to generate network traffic because you have not defined a valid
sensitivity label mapping.
The fact that network traffic was generated at all (see the packet trace)
instead of the socket failing to be created is a side effect of a known bug
which has already been patched in the 2.6.19-stable kernels and 2.6.20.
Another BZ was entered on January 5th, 2007 to track this other problem (BZ
#221648).
***
--
paul moore
linux security @ hp
More information about the redhat-lspp
mailing list