[redhat-lspp] different cipso mapping behavior
Loulwa Salem
loulwas at us.ibm.com
Tue Feb 27 00:17:19 UTC 2007
Hi Paul,
After the meeting, I went back to try some cipso tests and noticed the following
behavior that didn't use to happen before ..
I am on the latest RHEL drop with the .65 kernel, latest policy .38, and
netlabel_tools-0.17-9.el5
I was trying to test the cipso mappings and that a connection is granted/denied
correctly between two systems when mappings are in place.
Here is what I had a problem with ..
I set up a system with the following rules
netlabelctl cipsov4 add std doi:1 tags:1 levels:2=1 categories:2=1
netlabelctl map del default
netlabelctl map add default protocol:cipsov4,1
Now I try to log in (note I already have a session on the system and I use that
one to log in, so it's coming through localhost)
ssh -l testuser/user_r/s2:c2-s2:c2 localhost
The above command hangs .. Looking at the output of tcpdump (tcpdump -v -i lo) I
see an ICMP error (output at end of this message). I also checked, and there
were no relevant audit records or anything useful in /var/log/messages or
/var/log/secure.
In the past this test used to pass.. so I was wondering if this is an intended
change, or something is not working.
To better understand what's happening, and see if mappings are really working, I
tried the following ..
Unset cipso settings
logged on to my system as above context from another existing ssh window
then setup cipso again.
I verified that the mappings work fine by trying to connect to my system from an
s1 connection which succeeded as per the mappings.
I also tried the following ssh and all hung (with similar ICMP error output)
ssh -l testuser/user_r/s1:c1-s1:c1 localhost
ssh -l testuser/user_r/ localhost
ssh -l testuser localhost
ssh -p 222 -l testuser localhost
Should trying to ssh into the system with these cipso mapping settings enabled
hang or be denied? If so, why?
Thanks,
- Loulwa
>>> tcpdump output <<<
[root/abat_r/SystemLow at joy-hv4 framework]# tcpdump -vv -i lo
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
13:36:05.473874 IP (tos 0x0, ttl 64, id 20931, offset 0, flags [DF], proto: TCP
(6), length: 72, options ( unknown (134) len 10EOL (0) len 1 ))
localhost.localdomain.58117 > localhost.localdomain.ssh: S, cksum 0x2c1a
(correct), 3261345366:3261345366(0) win 32792 <mss 16396,sackOK,timestamp
268926869 0,nop,wscale 7>
13:36:05.474246 IP (tos 0xc0, ttl 64, id 52022, offset 0, flags [none], proto:
ICMP (1), length: 112, options ( unknown (134) len 10EOL (0) len 1 ))
localhost.localdomain > localhost.localdomain: ICMP parameter problem - octet
29, length 80
IP (tos 0x0, ttl 64, id 20931, offset 0, flags [DF], proto: TCP (6),
length: 72, options ( unknown (134) len 10EOL (0) len 1 ))
localhost.localdomain.58117 > localhost.localdomain.ssh: tcp 40 [bad hdr length
0 - too short, < 20]
2 packets captured
6 packets received by filter
0 packets dropped by kernel
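
Added example, not part of the original message: a small decoder that maps an ICMP parameter-problem pointer (the "octet 29" in the capture above) onto the fields of a CIPSO option (IPv4 option 134). The option bytes are constructed to match only what the capture shows (option 134, length 10, DOI 1); the tag contents, the 20-byte base IP header and the function names are assumptions, and the field layout follows the CIPSO tag type 1 (restricted bitmap) format.

```python
import struct

CIPSO_OPT_TYPE = 134  # IPv4 option number that tcpdump prints as "unknown (134)"


def describe_cipso(opt: bytes) -> dict:
    """Map each octet offset inside a CIPSO option to a field name."""
    if len(opt) < 6 or opt[0] != CIPSO_OPT_TYPE:
        raise ValueError("not a CIPSO option")
    opt_len = opt[1]
    if opt_len < 6 or opt_len > len(opt):
        raise ValueError("bad CIPSO option length")
    fields = {0: "option type", 1: "option length"}
    fields.update({i: "DOI" for i in range(2, 6)})
    pos = 6
    while pos < opt_len:
        if pos + 2 > opt_len:
            raise ValueError("truncated tag header")
        tag_type, tag_len = opt[pos], opt[pos + 1]
        if tag_len < 2 or pos + tag_len > opt_len:
            raise ValueError("bad tag length")
        fields[pos] = f"tag type {tag_type}"
        fields[pos + 1] = "tag length"
        if tag_type == 1 and tag_len >= 4:  # restricted bitmap tag
            fields[pos + 2] = "alignment octet"
            fields[pos + 3] = "sensitivity level"
            for i in range(pos + 4, pos + tag_len):
                fields[i] = "category bitmap"
        else:  # other tag types are not decoded here
            for i in range(pos + 2, pos + tag_len):
                fields[i] = "tag data"
        pos += tag_len
    return fields


def cipso_doi(opt: bytes) -> int:
    """Return the 32-bit DOI carried in octets 2..5 of the option."""
    return struct.unpack("!I", opt[2:6])[0]


def locate_pointer(pointer: int, opt: bytes, opt_start: int = 20) -> str:
    """Translate a zero-based ICMP parameter-problem pointer to a field name.

    opt_start is the offset of the CIPSO option in the IP header; 20 assumes
    it is the first option after a base header, as in the capture above.
    """
    return describe_cipso(opt).get(pointer - opt_start, "outside the CIPSO option")


# Constructed sample: type 134, len 10, DOI 1, tag type 1, tag len 4, level 2.
SAMPLE_OPT = bytes([134, 10, 0, 0, 0, 1, 1, 4, 0, 2])

if __name__ == "__main__":
    print("DOI", cipso_doi(SAMPLE_OPT), "- octet 29:", locate_pointer(29, SAMPLE_OPT))
```

With this constructed option, octet 29 lands on the sensitivity level field of the tag; a real capture taken with a larger snap length (for example `tcpdump -s 0 -x`) would supply the actual option bytes to feed in.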