YC Wang wrote:
Hi, everyone:
I enabled Trusted Extensions in OpenSolaris and created a labeled zone
"public", whose label is PUBLIC in the default label_encodings file.
When I tried to connect to an external host (this is an unlabeled host,
say, Windows) from the global zone, everything is OK. This is reasonable,
because the global zone's label is ADMIN_LOW, and the external host
used the default admin_low template and is considered an unlabeled host
with the def_label ADMIN_LOW. However, I can't connect to that
external host from the "public" zone, and truss showed that the
connect syscall returned EHOSTUNREACH. I know that the "public"
zone's label (PUBLIC) is different from that of the external
host (ADMIN_LOW), but I had read the <Solaris Trusted Extensions
Administrator's Procedures>; in chapter 18, Trusted Networking, it
says this check is performed on the sending process or sending zone:
When the destination host is an unlabeled host, one of the following
conditions must be satisfied:
■ The sending host's label must match the destination host's default label.
■ The sending host is privileged to perform cross-label communication,
and the sender's label dominates the destination's default label.
■ The sending host is privileged to perform cross-label communication,
and the sender's label is ADMIN_LOW. That is, the sender is sending from the global zone.
Let's focus on the second condition. According to it, if the sending
host is privileged to perform cross-label communication, I should be
able to connect to that external host from the public zone, because
PUBLIC dominates ADMIN_LOW. But in my test I failed to do so. Then
how to explain this? Is this because the "public" zone is not
privileged to perform cross-label communication? And if so, how can I
make it privileged?
The NET_MAC_AWARE privilege is needed in order for a non-global zone to
do cross-label communication. This privilege is in the PUBLIC zone's limit
set but not in its effective set by default. You need to add it.
By the way, if two hosts are both labeled zones and send packets with
labels, how are Accreditation Checks performed? My tests showed that
two labeled zones can communicate with each other only when they have
the exact same labels, and the "dominance relationships" seemed
meaningless. Is this how it is designed?
By default, only equal labeled zones can talk to each other. The
accreditation checks are performed at sender as well as at receiver. You
need to manually configure (add) MAC_AWARE privilege before "dominance
relationship" is permitted.
Thanks for using Trusted Extensions in OpenSolaris.
Jarrett
Thanks
YC Wang
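As an added illustration that is not part of this thread, the sender-side accreditation check discussed above (the three conditions for an unlabeled destination, plus Jarrett's "equal labels unless the privilege is added" rule for labeled peers) can be written as a small policy model. The label values, the compartment on CONFIDENTIAL, and the Boolean standing in for whether the sending process holds net_mac_aware are all constructed for the example.

```python
from dataclasses import dataclass

# A label is modelled as a classification level plus a set of compartments,
# in the spirit of label_encodings; ADMIN_LOW is the lowest label.
@dataclass(frozen=True)
class Label:
    name: str
    classification: int
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Self dominates other if its level is >= and it holds every compartment."""
        return (self.classification >= other.classification
                and other.compartments <= self.compartments)

# Constructed labels for the example (not the real encodings file).
ADMIN_LOW = Label("ADMIN_LOW", 0)
PUBLIC = Label("PUBLIC", 1)
CONFIDENTIAL = Label("CONFIDENTIAL", 2, frozenset({"internal"}))

def sender_may_send(sender: Label, dest: Label,
                    dest_is_labeled: bool, mac_aware: bool) -> bool:
    """Sender-side check as described in the thread.

    sender:          label of the sending zone (ADMIN_LOW for the global zone).
    dest:            def_label from the unlabeled host's template, or the
                     label of the peer labeled zone.
    dest_is_labeled: True when the destination is a labeled zone.
    mac_aware:       True when the sending process holds net_mac_aware.
    """
    # Condition 1 / default rule: equal labels always pass.
    if sender == dest:
        return True
    # Without the privilege no cross-label traffic is permitted at all.
    if not mac_aware:
        return False
    if dest_is_labeled:
        # Labeled peers: dominance is honoured only once the privilege is added.
        return sender.dominates(dest)
    # Unlabeled host: condition 2 (dominance) or condition 3 (global zone).
    return sender == ADMIN_LOW or sender.dominates(dest)

def thread_scenarios() -> dict:
    """The two cases YC Wang observed, plus the fix from the reply."""
    return {
        "global->unlabeled": sender_may_send(ADMIN_LOW, ADMIN_LOW, False, False),
        "public->unlabeled": sender_may_send(PUBLIC, ADMIN_LOW, False, False),
        "public->unlabeled+priv": sender_may_send(PUBLIC, ADMIN_LOW, False, True),
    }
```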
_______________________________________________
security-discuss mailing list
[email protected]