T.R | Title | User | Personal Name | Date | Lines |
---|
488.1 | thanks for the corrections | SMURF::BAT | Segui la tua beatitudine | Thu Apr 24 1997 16:17 | 21 |
re: NFS Mount.
I would have thought the NFS mount of a single-level file system would
have been in the mount man page, but then I don't know that I've looked at
a V4 one. I'll check, and yes, if that doesn't say it, it very well
should.
re: ping -- You didn't say whether you were pinging a single-level or
a multi-level host. If you are pinging a single-level host then of
course you must ping the host at the level at which the host is
defined in the TNETRHDB for def_sl, so that the incoming packets get
labelled at the same SL as the process sending them.
I used to think that you couldn't ping another multi-level host at
other than syslo levels unless you were running tnet vs tsix protocol,
(or vice versa? I can't remember) but that seems to have been changed.
I just tried
setlevel -s syshi ; privs -a "" -c '/sbin/ping'
between two tsix hosts and it worked, but they are on the same
subnet. Is the router to the other subnet a single-level or
multi-level host? Are the TNETIDBs for the interface(s) set up to pass
packets at levels other than syslo?
488.2 | from lee | SMURF::BAT | Segui la tua beatitudine | Fri Apr 25 1997 14:39 | 55 |
Subject: DECnotes Topic 488.0 (dec_mls_plus) ping/nfs
Part of our problem with dealing with network related issues is that we
constantly use the terms "single-level" and "unlabeled" interchangeably,
when that is not really accurate.
An unlabeled system acts as a single-level system (at any one time at
least) in that the recipient multi-level system labels the incoming data
from that system with one label. But a "single-level" system need not be
an unlabeled system.
The default TNETRHDB database entries reinforce this misleading designation.
You select the "default_single_level" template for unlabeled hosts. The
default_single_level template should probably really be called the
"default_unlabeled" template.
An unlabeled system requires some different option selections in some of the
commands. For example 'mount':
----------------------------------------------------------------------------
> -I information_label
> Specifies the information label used when accessing any file on the
> mounted file system. This flag is the equivalent of the following
> command:
>
> # mount -o ilb="'information_label'" file-system directory
>
> The preceding command line is valid only when the file system being
> mounted is unlabeled (does not contain per-file security attributes).
^^^^^^^^^^
> -S sensitivity_label
> Specifies the sensitivity label used when accessing any file on the
> mounted file system. This flag is the equivalent of the following com-
> mand:
>
> # mount -o mac="'sensitivity_label'" file-system directory
>
> The preceding command line is valid only when the file system being
> mounted is unlabeled (does not contain per-file security attributes).
^^^^^^^^^
> The sensitivity_label specified must be the same as the directory on
> which the file system is mounted.
----------------------------------------------------------------------------
Single-level but labeled file systems do not require the -S or -I
option flags.
Given all that, can you tell us what the definitions of the hosts are
in the TNETRHDB and the interfaces in the TNETIDB for both the source
and destination systems/routes?
One or both of these may be wrong if you are expecting them to interact
as multi-level labeled systems, or even as single-level labeled systems.
Your symptoms seem consistent with interactions between single-level
unlabeled systems.
488.3 | TNETIDB and TNETRHDB info | ADISSW::FERRARA | | Fri Apr 25 1997 16:22 | 50 |
I am on ALOHA (IP Address = 16.29.144.57) and trying to mount
a file system from the system named ALFFA2 (IP Address = 16.30.144.60)
A portion of the TNETIDB on ALOHA:
----------------------------------
Note: I am using the tu0 interface through which to NFS mount
#
# The only real interface on this system.
ADAPTER: min_sl = syslo:\
max_sl = syshi:\
def_clearance = syshi:\
def_sl = syslo:\
def_ilb = syslo:\
def_uid = guest:\
def_gid = guest:\
def_luid = guest:\
flags = import, export:\
def_ngrps = 1:\
def_gids = guest:\
def_sid = 0:\
def_privs = execsuid,allowwindevaccess:
#
#
tu0: flags = import,export:\
def_privs = execsuid,allowwindevaccess:\
def_luid = guest:\
def_uid = guest:\
def_gid = guest:\
def_ngrps = 1:\
def_gids = guest:\
def_sid = 0:\
def_sl = UNCLASSIFIED:\
def_clearance = TOP SECRET A B SA SB CC:\
def_ilb = UNCLASSIFIED:\
min_sl = UNCLASSIFIED:\
max_sl = TOP SECRET A B SA SB CC:
A portion of the TNETRHDB on ALOHA:
-----------------------------------
aloha: default_spec = default_tsix_1_1:
alffa2.zko.dec.com: default_spec = default_single_level:
488.4 | expected results | SMURF::BAT | Segui la tua beatitudine | Fri Apr 25 1997 21:22 | 13 |
Yep, based on what you have configured, what you discovered are the
expected results: 1) you cannot ping a default_single_level syslo
system at other than syslo, and 2) you must specify a label for the
mount of an unlabeled system.
Now, you could very well ask "why?" for the latter -- you would think
mount would default the mac and ilb fields to the def_sl and def_ilb
fields of either the interface (which takes precedence), or use the
TNETRHDB entries. Unfortunately, I don't think NFS and the IP stack
really talk to each other that much :-)
The ping man page I don't believe was modified and perhaps it should
have been.
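An added example covering 488.2 through 488.4 (the unlabeled-vs-labeled rule, the TNETIDB/TNETRHDB fragments ALOHA posted, and the expected ping/mount results). This is not code from the thread or from DEC MLS+; it parses the termcap-style database entries in the form shown above and applies the rule the thread states: a host on the default_single_level (unlabeled) template has all of its incoming packets labelled at the interface's def_sl, so it is reachable only at that one label, while a tsix host can be reached at any label between the interface's min_sl and max_sl. The classification ordering syslo < UNCLASSIFIED < CONFIDENTIAL < SECRET < TOP SECRET < syshi, the treatment of trailing words as compartments, the function names, and the sample data (trimmed from 488.3) are assumptions of this example, not facts from the page.

```python
"""Added example: predict whether a ping/mount at a given label can work
under the TNETIDB/TNETRHDB rules described in the thread.  Not DEC MLS+ code."""

# Constructed sample, trimmed from the fragments posted in 488.3.
TNETIDB = r"""
#
# The only real interface on this system.
ADAPTER: min_sl = syslo:\
        max_sl = syshi:\
        def_sl = syslo:\
        def_ilb = syslo:\
        flags = import, export:
#
tu0: flags = import,export:\
        def_sl = UNCLASSIFIED:\
        def_ilb = UNCLASSIFIED:\
        min_sl = UNCLASSIFIED:\
        max_sl = TOP SECRET A B SA SB CC:
"""

TNETRHDB = """
aloha: default_spec = default_tsix_1_1:
alffa2.zko.dec.com: default_spec = default_single_level:
"""

# Assumed ordering; syslo/syshi are the system low/high labels of the lattice.
CLASSIFICATIONS = ["syslo", "UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET", "syshi"]
SYSLO = (0, frozenset())
SYSHI = (len(CLASSIFICATIONS) - 1, frozenset())


def parse_db(text):
    """Parse 'name: key = value:\\' entries; a trailing backslash continues the entry."""
    entries, pending = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pending.append(line.rstrip("\\").strip())
        if line.endswith("\\"):
            continue
        name, _, body = " ".join(pending).partition(":")
        pending = []
        fields = {}
        for field in body.split(":"):
            key, eq, value = field.partition("=")
            if eq:
                fields[key.strip()] = value.strip()
        entries[name.strip()] = fields
    return entries


def parse_label(text):
    """Return (classification rank, compartment set); words after the class are compartments."""
    words = text.split()
    if words[:2] == ["TOP", "SECRET"]:
        cls, comps = "TOP SECRET", words[2:]
    else:
        cls, comps = words[0], words[1:]
    return CLASSIFICATIONS.index(cls), frozenset(comps)


def dominates(a, b):
    """Lattice test: a dominates b.  syshi dominates everything, syslo is dominated by everything."""
    if a == SYSHI or b == SYSLO:
        return True
    if a == SYSLO or b == SYSHI:
        return False
    return a[0] >= b[0] and a[1] >= b[1]


def can_reach(idb, rhdb, iface, host, label_text):
    """Return (ok, reason) for a packet sent at label_text over iface to host."""
    ifent, hostent = idb[iface], rhdb[host]
    label = parse_label(label_text)
    lo, hi = parse_label(ifent["min_sl"]), parse_label(ifent["max_sl"])
    if not (dominates(label, lo) and dominates(hi, label)):
        return False, "%s is outside %s range %s .. %s" % (label_text, iface, ifent["min_sl"], ifent["max_sl"])
    if hostent["default_spec"] == "default_single_level":
        # Unlabeled peer: the interface def_sl takes precedence over the TNETRHDB
        # template's def_sl (488.4), and every packet from the peer gets that label.
        def_sl = ifent.get("def_sl", hostent.get("def_sl"))
        if parse_label(def_sl) != label:
            return False, "%s is unlabeled; its packets are labelled %s, so send at that level" % (host, def_sl)
        return True, "%s is unlabeled and %s is its fixed label" % (host, def_sl)
    return True, "%s uses %s; the label travels with the packet" % (host, hostent["default_spec"])


def nfs_mount_argv(rhdb, host, remote_fs, mount_point, dir_sl=None, ilb=None):
    """Build the mount argv; an unlabeled server needs -S/-I (man page quoted in 488.2).
    dir_sl must be the label of the mount-point directory, as the man page requires."""
    argv = ["mount"]
    if rhdb[host]["default_spec"] == "default_single_level":
        if dir_sl is None or ilb is None:
            raise ValueError("unlabeled server %s: -S and -I labels are required" % host)
        argv += ["-S", dir_sl, "-I", ilb]
    return argv + ["%s:%s" % (host, remote_fs), mount_point]


if __name__ == "__main__":
    idb, rhdb = parse_db(TNETIDB), parse_db(TNETRHDB)
    for host, label in [("alffa2.zko.dec.com", "UNCLASSIFIED"), ("alffa2.zko.dec.com", "SECRET"),
                        ("aloha", "SECRET A"), ("aloha", "syshi")]:
        print(host, label, can_reach(idb, rhdb, "tu0", host, label))
    print(nfs_mount_argv(rhdb, "alffa2.zko.dec.com", "/usr/users", "/mnt", "UNCLASSIFIED", "UNCLASSIFIED"))
```

With the sample data this reproduces the thread's findings: alffa2 (default_single_level) is reachable over tu0 only at tu0's def_sl, UNCLASSIFIED, while aloha (tsix) can be reached at SECRET A but not at syshi over tu0, whose max_sl is TOP SECRET A B SA SB CC; the same syshi ping over the ADAPTER default entry (max_sl syshi) passes, matching the setlevel -s syshi experiment in 488.1.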