[redhat-lspp] different cipso mapping behavior

Loulwa Salem loulwas at us.ibm.com
Tue Feb 27 00:17:19 UTC 2007


Hi Paul,
After the meeting, I went back to try some cipso tests and noticed the following 
behavior that didn't use to happen before ..
I am on the latest RHEL drop with the .65 kernel, latest policy .38, and 
netlabel_tools-0.17-9.el5

I was trying to test the cipso mappings and that a connection is granted/denied 
correctly between two systems when mappings are in place.

Here is what I had a problem with ..

I set up a system with the following rules:
  netlabelctl cipsov4 add std doi:1 tags:1 levels:2=1 categories:2=1
  netlabelctl map del default
  netlabelctl map add default protocol:cipsov4,1

Now I try to log in (note I already have a session on the system and I use that 
one to log in, so it's coming through localhost)
  ssh -l testuser/user_r/s2:c2-s2:c2 localhost

The above command hangs .. Looking at the output of tcpdump (tcpdump -v -i lo) I 
see an ICMP error (output at end of this message). I also checked, and there 
were no relevant audit records or anything useful in /var/log/messages or 
/var/log/secure.

In the past this test used to pass.. so I was wondering if this is an intended 
change, or something is not working.
To better understand what's happening, and see if the mappings are really working, I 
tried the following ..
   Unset cipso settings
   logged on to my system as above context from another existing ssh window
   then setup cipso again.
I verified that the mappings work fine by trying to connect to my system from an 
s1 connection which succeeded as per the mappings.

I also tried the following ssh and all hung (with similar ICMP error output)
ssh -l testuser/user_r/s1:c1-s1:c1 localhost
ssh -l testuser/user_r/ localhost
ssh -l testuser localhost
ssh -p 222 -l testuser localhost

Should trying to ssh into the system with these cipso mapping settings enabled 
hang or be denied? If so, why?

Thanks,
- Loulwa

 >>> tcpdump output <<<
[root/abat_r/SystemLow at joy-hv4 framework]# tcpdump -vv -i lo
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
13:36:05.473874 IP (tos 0x0, ttl  64, id 20931, offset 0, flags [DF], proto: TCP 
(6), length: 72, options ( unknown (134) len 10EOL (0) len 1 )) 
localhost.localdomain.58117 > localhost.localdomain.ssh: S, cksum 0x2c1a 
(correct), 3261345366:3261345366(0) win 32792 <mss 16396,sackOK,timestamp 
268926869 0,nop,wscale 7>
13:36:05.474246 IP (tos 0xc0, ttl  64, id 52022, offset 0, flags [none], proto: 
ICMP (1), length: 112, options ( unknown (134) len 10EOL (0) len 1 )) 
localhost.localdomain > localhost.localdomain: ICMP parameter problem - octet 
29, length 80
         IP (tos 0x0, ttl  64, id 20931, offset 0, flags [DF], proto: TCP (6), 
length: 72, options ( unknown (134) len 10EOL (0) len 1 )) 
localhost.localdomain.58117 > localhost.localdomain.ssh:  tcp 40 [bad hdr length 
0 - too short, < 20]

2 packets captured
6 packets received by filter
0 packets dropped by kernel
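
Added example (not part of the original message, and not netlabel or kernel code): a small decoder that maps an ICMP parameter-problem pointer, such as the "octet 29" in the capture above, onto the fields of a CIPSO option. It assumes the tag type 1 layout from the CIPSO draft (tag type, tag length, alignment octet, sensitivity level, category bitmap); the function names and the sample bytes are constructed for illustration, since the capture does not show the option contents.

```python
import struct

CIPSO_OPT = 134   # IPv4 option type; tcpdump above prints it as "unknown (134)"
IP_FIXED = 20     # options start right after the 20-octet fixed IPv4 header

def cipso_field_map(opt, base=IP_FIXED):
    """Decode one CIPSO option; return (fields, {header octet: field name})."""
    if len(opt) < 6 or opt[0] != CIPSO_OPT:
        raise ValueError("not a CIPSO option")
    opt_len = opt[1]
    if not 6 <= opt_len <= len(opt):
        raise ValueError("bad CIPSO option length")
    fields = {"doi": struct.unpack("!I", opt[2:6])[0], "tags": []}
    layout = {base: "option type", base + 1: "option length"}
    layout.update({base + i: "DOI" for i in range(2, 6)})
    pos = 6
    while pos < opt_len:
        if pos + 2 > opt_len:
            raise ValueError("truncated tag header")
        tag_type, tag_len = opt[pos], opt[pos + 1]
        if tag_len < 2 or pos + tag_len > opt_len:
            raise ValueError("bad tag length")
        layout.update({base + pos: "tag type", base + pos + 1: "tag length"})
        tag = {"type": tag_type, "length": tag_len}
        if tag_type == 1:  # bitmap tag: alignment, level, categories (MSB first)
            if tag_len < 4:
                raise ValueError("tag type 1 shorter than 4 octets")
            layout[base + pos + 2] = "alignment octet"
            layout[base + pos + 3] = "sensitivity level"
            tag["level"] = opt[pos + 3]
            bitmap = opt[pos + 4:pos + tag_len]
            for i in range(4, tag_len):
                layout[base + pos + i] = "category bitmap"
            tag["categories"] = [8 * n + b for n, octet in enumerate(bitmap)
                                 for b in range(8) if octet & (0x80 >> b)]
        else:
            for i in range(2, tag_len):
                layout[base + pos + i] = "tag %d data" % tag_type
        fields["tags"].append(tag)
        pos += tag_len
    return fields, layout

def locate(opt, pointer):
    """Name the field at an ICMP parameter-problem pointer (0-based header offset)."""
    return cipso_field_map(opt)[1].get(pointer, "outside the CIPSO option")

# Constructed bytes: DOI 1, tag type 1, 10 octets long as in the capture; level is made up
SAMPLE = bytes([134, 10, 0, 0, 0, 1, 1, 4, 0, 1])
if __name__ == "__main__":
    print(locate(SAMPLE, 29))
```

For a 10-octet option carrying tag type 1 (the tag configured with tags:1), header octet 29 is the sensitivity level octet, so the levels mapping of the DOI is the first thing to compare against the label the sender attached.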



