Hi,

I created a labeled zone (PUBLIC) in Trusted Extensions,
but cannot access the unlabeled host from the PUBLIC zone.
The detail is as follows:
----------------------------
login: wzh
Password: 
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
$ hostname
PUBLIC
$ who
wzh        pts/8        Feb  5 21:38    (172.31.0.80)       
$
$  
$ telnet 172.31.0.80                                        
Trying 172.31.0.80...
telnet: Unable to connect to remote host: No route to host
$ 
$ telnet 172.31.0.10                                       
Trying 172.31.0.10...
telnet: Unable to connect to remote host: Connection refused
$ 
$ ifconfig -a
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 
index 1
        inet 127.0.0.1 netmask ff000000 
vmxnet0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 172.31.0.100 netmask ffffff00 broadcast 172.31.0.255
$ 
$ netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface 
-------------------- -------------------- ----- ----- ------ --------- 
172.31.0.0           172.31.0.100         U         1      3 vmxnet0:1 
224.0.0.0            172.31.0.100         U         1      0 vmxnet0:1 
default              172.31.0.1           UG        1   1534           
127.0.0.1            127.0.0.1            UH       11    737 lo0:1     
$ 
$ plabel $$
PUBLIC
$
$ tninfo -h 172.31.0.80
IP address= 172.31.0.80
Template = admin_low
$ 
$ tninfo -h 172.31.0.10
IP address= 172.31.0.10
Template = cipso
$ 
# tninfo -h 172.31.0.100
IP address= 172.31.0.100
Template = cipso
# 
$ tninfo -t cipso
=====================================
Remote Host Template Table Entries:
__________________________
template: cipso
host_type: CIPSO
doi: 1
min_sl: PUB
hex: ADMIN_LOW
max_sl: translation failed
hex: ADMIN_HIGH
$ 
$ 
$ tninfo -t admin_low
=====================================
Remote Host Template Table Entries:
__________________________
template: admin_low
host_type: UNLABELED
doi: 1
def_label: PUB
hex: ADMIN_LOW
For routing only:
min_sl: PUB
hex: ADMIN_LOW
max_sl: translation failed
hex: ADMIN_HIGH
$ 
$ 
$ tninfo -m PUBLIC
private: 1-10000/tcp;1-10000/udp
shared: no entries
$ 


The following is information in the global zone:
-------------------------
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 
index 1
        inet 127.0.0.1 netmask ff000000 
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 
index 1
        zone PUBLIC
        inet 127.0.0.1 netmask ff000000 
vmxnet0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 172.31.0.10 netmask ffffff00 broadcast 172.31.0.255
        ether 0:c:29:40:d3:90 
vmxnet0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        zone PUBLIC
        inet 172.31.0.100 netmask ffffff00 broadcast 172.31.0.255
#
$ 
# tninfo -h 172.31.0.100
IP address= 172.31.0.100
Template = cipso
# 
# tninfo -t cipso
=====================================
Remote Host Template Table Entries:
__________________________
template: cipso
host_type: CIPSO
doi: 1
min_sl: PUB
hex: ADMIN_LOW
max_sl: MAX : RESTRICTED
hex: ADMIN_HIGH
# 
# tninfo -t admin_low
=====================================
Remote Host Template Table Entries:
__________________________
template: admin_low
host_type: UNLABELED
doi: 1
def_label: PUB
hex: ADMIN_LOW
For routing only:
min_sl: PUB
hex: ADMIN_LOW
max_sl: MAX : RESTRICTED
hex: ADMIN_HIGH
$
$
$ more /etc/security/tsol/tnrhtp
#
# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "@(#)tnrhtp     1.7     05/08/05 SMI"
#
# The following is the default template used on the system.
# 
#_unlab:host_type=unlabeled;doi=1;def_label=ADMIN_LOW;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH
#
# Default for locally plumbed interfaces
cipso:min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;host_type=cipso;doi=1
#
admin_low:host_type=unlabeled;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_label=ADMIN_LOW;
$ 
$
$
$ more /etc/security/tsol/tnrhdb
#
# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "@(#)tnrhdb     1.4     05/10/21 SMI"
#
# The following are the boot-time defaults.  These establish all IPv4 and
# IPv6 addresses as unlabeled.  Both are removed if this file contains any
# non-blank entries.
#
#0.0.0.0/0:_unlab
#\:\:0/0:_unlab
#
# Default value shipped with system. This allows global zone of the
# system to obtain various services during initial boot. Administrators
# should remove this entry after the system is fully configured.
#
0.0.0.0:admin_low
#\:\:0:admin_low
127.0.0.1:cipso
#\:\:1:cipso
172.31.0.10:cipso
172.31.0.100:cipso
172.31.0.201:cipso
172.31.0.202:cipso
$ 
$ 
$
$ more /etc/security/tsol/tnzonecfg
#
# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# Multilevel Port (MLP) specification:
#
#       MLP                     PURPOSE
#       ---                     -------
#       111                     Port Mapper
#       515                     BSD Multilevel Printing
#       631                     IPP Multilevel Printing
#       2049                    NFSv4 server
#       6000-6003               Multilevel Desktop
#
global:ADMIN_LOW:1:111/tcp;111/udp;515/tcp;631/tcp;2049/tcp;6000-6003/tcp:6000-6003/tcp
PUBLIC:0x0002-08-08:0:1-10000/tcp;1-10000/udp:
$




What do I need to do to configure Trusted Extensions?
Thanks!
 
 
This message posted from opensolaris.org
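Added example, not part of the original post or of Solaris: a small checker that parses the tnrhtp and tnrhdb fragments shown above, resolves which template a remote host falls under, and tests whether a zone at a given label is accredited for that host. It encodes two rules as stated in the Trusted Extensions documentation, and they are the assumptions the code rests on: tnrhdb is resolved by the most specific match (an explicit host before a network prefix, with the 0.0.0.0 entry as the catch-all), and traffic from a labeled zone to an unlabeled host is permitted only when the host template's def_label equals the zone's label, while for a cipso host the zone label must lie within the template's min_sl/max_sl range. The PUBLIC zone label 0x0002-08-08 is taken from the post's tnzonecfg; the template name public_unlab and the tnrhdb line for 172.31.0.80 are hypothetical entries constructed here to show the check passing, not a recommendation from the post.

```python
"""Resolve the tnrhtp template for a remote host and test zone accreditation.
Added illustration; sample file contents are copied from the post (comments
dropped), the resolution and accreditation rules are the assumptions named in
the lead-in."""
import ipaddress

# Copied from the post's tnrhtp and tnrhdb.
TNRHTP_SAMPLE = r"""
cipso:min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;host_type=cipso;doi=1
admin_low:host_type=unlabeled;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_label=ADMIN_LOW;
"""
TNRHDB_SAMPLE = r"""
0.0.0.0:admin_low
#\:\:0:admin_low
127.0.0.1:cipso
172.31.0.10:cipso
172.31.0.100:cipso
172.31.0.201:cipso
172.31.0.202:cipso
"""
# Label of the PUBLIC zone, from the post's tnzonecfg line.
PUBLIC_LABEL = "0x0002-08-08"

# Hypothetical entries constructed for this example (names are not in the post):
# an unlabeled template whose def_label is the PUBLIC label, and the unlabeled
# host 172.31.0.80 assigned to it.
FIXED_TNRHTP_EXTRA = ("public_unlab:host_type=unlabeled;doi=1;def_label=0x0002-08-08;"
                      "min_sl=0x0002-08-08;max_sl=0x0002-08-08\n")
FIXED_TNRHDB_EXTRA = "172.31.0.80:public_unlab\n"


def parse_tnrhtp(text):
    """Return {template_name: {attribute: value}} from tnrhtp-format text."""
    templates = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, body = line.partition(":")
        attrs = {}
        for field in body.split(";"):          # trailing ';' yields an empty field
            if "=" in field:
                key, _, value = field.partition("=")
                attrs[key.strip()] = value.strip()
        templates[name.strip()] = attrs
    return templates


def parse_tnrhdb(text):
    """Return [(network, template_name)] from tnrhdb-format text.
    A bare host address becomes a /32 (or /128); an unspecified address such
    as 0.0.0.0 is the wildcard fallback and becomes /0 (assumption)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, template = line.rpartition(":")
        addr = addr.replace("\\:", ":")        # tnrhdb escapes IPv6 colons
        if "/" in addr:
            net = ipaddress.ip_network(addr, strict=False)
        else:
            ip = ipaddress.ip_address(addr)
            plen = 0 if ip.is_unspecified else ip.max_prefixlen
            net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        entries.append((net, template.strip()))
    return entries


def lookup_template(host, entries):
    """Longest-prefix match of host against tnrhdb entries; None if no entry covers it."""
    ip = ipaddress.ip_address(host)
    best = None
    for net, name in entries:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, name)
    return best[1] if best else None


def label_in_range(label, min_sl, max_sl):
    """Simplified accreditation-range test: ADMIN_LOW is dominated by every label
    and ADMIN_HIGH dominates every label; any other bound is only matched by
    equality, since ordering real labels would need label_encodings."""
    return (min_sl in ("ADMIN_LOW", label)) and (max_sl in ("ADMIN_HIGH", label))


def check_reachability(zone_label, host, templates, entries):
    """Return (template_name, verdict); verdict starts with 'ok' or 'denied'."""
    name = lookup_template(host, entries)
    if name is None or name not in templates:
        return name, "denied: no tnrhdb/tnrhtp entry covers the host"
    t = templates[name]
    if t.get("host_type", "").lower() == "unlabeled":
        if t.get("def_label") == zone_label:
            return name, "ok: unlabeled host, def_label equals zone label"
        return name, f"denied: def_label {t.get('def_label')} != zone label {zone_label}"
    if label_in_range(zone_label, t.get("min_sl"), t.get("max_sl")):
        return name, "ok: cipso host, zone label inside accreditation range"
    return name, "denied: zone label outside cipso accreditation range"


def audit(zone_label, hosts, tnrhtp_text, tnrhdb_text):
    """Map each host to (template, verdict) for a zone at zone_label."""
    templates = parse_tnrhtp(tnrhtp_text)
    entries = parse_tnrhdb(tnrhdb_text)
    return {h: check_reachability(zone_label, h, templates, entries) for h in hosts}


if __name__ == "__main__":
    hosts = ["172.31.0.80", "172.31.0.10"]
    for title, tp, db in (("as posted", TNRHTP_SAMPLE, TNRHDB_SAMPLE),
                          ("with hypothetical entries", TNRHTP_SAMPLE + FIXED_TNRHTP_EXTRA,
                           TNRHDB_SAMPLE + FIXED_TNRHDB_EXTRA)):
        print(title)
        for host, (tmpl, verdict) in audit(PUBLIC_LABEL, hosts, tp, db).items():
            print(f"  {host:<14} {tmpl!s:<13} {verdict}")
```

With the files as posted, 172.31.0.80 resolves to the catch-all admin_low template, whose def_label ADMIN_LOW is not the PUBLIC label, so the check reports it denied; with the constructed public_unlab entries the same host passes. The check only models template accreditation: it says nothing about whether a service in the destination zone actually listens at that label, so it does not explain the "Connection refused" seen for 172.31.0.10.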