On 08/20/10 11:11, YC Wang wrote:
I suspect that your UDP application did not have the SCM_UCRED
socket option set before attempting to bind to an MLP port.

Multi-level server applications are expected to respond with
the security label that was attached to the original message
from the client. UDP applications do this by getting the remote
process credentials on a recvmsg() and providing those same
credentials on a sendmsg() call. See

"Using Multilevel Ports With UDP" in
Solaris Trusted Extensions Developer's Guide
http://docs.sun.com/app/docs/doc/819-0869/mlpsandudp?l=en&a=view

Ken
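
The recvmsg()/sendmsg() credential round trip described above, as an added example that is not part of the original thread and is not the Developer's Guide code. The helper names are hypothetical, the SCM_UCRED payload is handled as opaque bytes, and the `#ifndef` values are constructed placeholders used only when building on a non-Solaris host.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

#ifndef SCM_UCRED            /* Solaris defines both in <sys/socket.h>.       */
#define SCM_UCRED    0x7001  /* Constructed placeholders, only so the cmsg    */
#define SO_RECVUCRED 0x7002  /* handling below builds on a non-Solaris host.  */
#endif

/* Ask for the sender's credentials on every datagram. The thread reports
 * that bind() to the MLP succeeded once this option was set. */
int enable_recv_ucred(int fd)
{
    int on = 1;
    return setsockopt(fd, SOL_SOCKET, SO_RECVUCRED, &on, sizeof(on));
}

/* Find the SCM_UCRED control message in a msghdr filled in by recvmsg(). */
struct cmsghdr *find_ucred(struct msghdr *in)
{
    struct cmsghdr *c;
    if (in->msg_flags & MSG_CTRUNC)      /* control buffer was too small */
        return NULL;
    for (c = CMSG_FIRSTHDR(in); c != NULL; c = CMSG_NXTHDR(in, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_UCRED)
            return c;
    return NULL;
}

/* Put the client's credentials on the reply msghdr before sendmsg().
 * Returns -1 when they are missing or buf is too small; the caller should
 * then drop the request instead of replying without the client's label. */
int copy_ucred_to_reply(struct msghdr *in, struct msghdr *out, void *buf, size_t buflen)
{
    struct cmsghdr *src = find_ucred(in), *dst;
    size_t datalen;
    if (src == NULL || src->cmsg_len < CMSG_LEN(0))
        return -1;
    datalen = src->cmsg_len - CMSG_LEN(0);   /* payload size, opaque here */
    if (CMSG_SPACE(datalen) > buflen)
        return -1;
    memset(buf, 0, buflen);
    out->msg_control = buf;                  /* buf must be cmsghdr-aligned */
    out->msg_controllen = CMSG_SPACE(datalen);
    dst = CMSG_FIRSTHDR(out);
    dst->cmsg_level = SOL_SOCKET;
    dst->cmsg_type = SCM_UCRED;
    dst->cmsg_len = CMSG_LEN(datalen);
    memcpy(CMSG_DATA(dst), CMSG_DATA(src), datalen);
    return 0;
}
```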


Yes, you were right. Now I can bind to an MLP port with the SO_RECVUCRED option.

And I still have a question: on a Trusted Extensions gateway system,
is there any MAC-Exempt equivalent, which means packets can be
forwarded to a host with a default label dominated by the source
host's label?

I don't think so. Trusted Extensions gateways perform label range checks on the destination host. In the MAC-exempt case, the source host adjusts the label on packets accordingly to ensure they can be routed to the destination.

Thanks.

Jarrett

Thanks
YC Wang
_______________________________________________
security-discuss mailing list
[email protected]
