[Search for users]
[Overall Top Noters]
[List of all Conferences]
[Download this site]
| Title: | dec_mls_plus |
|
| Moderator: | SMURF::BAT |
|
| Created: | Mon Nov 29 1993 |
| Last Modified: | Thu Jun 05 1997 |
| Last Successful Update: | Fri Jun 06 1997 |
| Number of topics: | 534 |
| Total number of notes: | 2544 |
508.0. "How to switch Encodings files cheatsheet" by SMURF::BAT (Segui la tua beatitudine) Thu May 15 1997 18:44
The following is a quicky update of the procedure written up for
ULTRIX MLS+ (note 706). I hope I've changed it properly for V4 of
OSF MLS+.
How one can switch Encodings files on a system without re-installing
the system --
NOTE WARNING CAUTION - This is a short-cut method, not the
documented real method -- see the Security Management Guide for
trusted recovery procedures.
Step 1: Assumes that you have created a new Encodings file and
verified it with /tcb/bin/labelcomp. If you are also changing
the config file (the file containing the max numbers of classes,
categories [compartments], and markings), then you need to verify using
those values, and create a new /etc/policy/macilb/config file.
See man labelcomp.
Step 2: In general, you have to get rid of, or rather change, all
occurrences on the system where actual external labels are used in the
system control files, and replace them with the generic labels before you
change the Encodings file and blow away the /tcb/files/MACILBDBASE. Then
you have to change all the tags in the system to the well-known tag, syslo.
(I'm assuming here that we are just talking about a base sort of
system; i.e., just root and /usr, and that if you have any data on this
system with labels that really belong to that data, you have copied it
off the system, either over the net, or dumped it to tape with dump
or mltape or tar.)
("Paragraph 4:") A note on technique:
It's best to do all the editing beforehand to copies of the real files,
then shutdown to single-user mode, make backup copies of the original,
and then copy the new versions to the originals. If anywhere below
this is not stated explicitly, do it anyway.
The files whose contents you have to check are:
/etc/auth/system/files -- this has a list of all files which are
labelled syshi. For example, /etc/policy/macilb/Encodings and
/dev/audit in the standard system. grep for all entries on
your system and ...
Step 2a: chlabel all those files to syslo.
/etc/auth/system/default -- this may contain some external labels in it,
e.g., u_clearance. These labels, if they have "motated" to
other than the generic labels "syslo", "minsl", "syshi", "mincl",
-- change them to one of the generic labels of your choice.
/etc/auth/system/devassign -- ditto
/var/adm/tnet/TNETRHDB -- ditto. And, possibly TNETIDB, ditto.
(If you haven't yet installed the network, or rather booted
up and used the network, then you don't have to worry about
these files.)
/tcb/files/auth/r/root -- and all other ppde's that have the
u_clearance fields in them... change any external labels in
here to a generic label (NOTE: if you are doing this in
multi-user mode in real-time, go back and read paragraph
4 above -- remember that when you login to an account
the ppde will be "motated" to an Encodings file external
label as appropriate.)
/dev/console -- and any other interesting devices in /dev -- if
you've changed devassign that will be cool, but if the labels
are other than syslo here, you must change them to syslo
before you reboot, else you'll have bad labels.
I think that's it. Once you have created your new files, do Step 3:
shutdown to (or boot to) single-user mode and make sure the network
is down (/tcb/bin/tnetd_stop; ps auxww | grep tn ; there should be no
"tnmapd" or "tnrhd" running).
cp all the old files above to backup versions for reference.
cp all the new versions into place.
cp /tcb/files/MACILBDBASE to a backup copy.
cp /etc/policy/macilb/Encodings to a backup copy.
cp /etc/policy/macilb/config to a backup copy (if you are changing it)
cp the new Encodings file to /etc/policy/macilb/Encodings.
cp the new config file to /etc/policy/macilb/config
Make the MAC tags database, MACILBDBASE:
/tcb/bin/mkdb /tcb/files/MACILBDBASE xx xxx xx
(where xx xxx xx is what you used before if you are not changing
config, but different if you are)
And, if you have used the network, make the new TNETDB:
/tcb/bin/tnetd_mkdb /tcb/files/TNETDB 4096 80
Step 4:
If you have guts, reboot to multi-user mode. If you want to
proceed slowly and majestically, you can reboot to single-user and
fsck -n everything to see how well you did. And run trec if you missed
something. Reboot to multi-user.
NOTES ON CHANGING THE NUMBER OF COMPARTMENTS, CLASSIFICATIONS, etc.:
Normally, anytime you change the Encodings file or want to increase
compartments beyond what you allocated originally, you have to dump all
filesystems to tape (i.e., you want to save all files together with their
external labels). To dump properly, you make sure no one is
on the system; for root partition, it's best to boot to single-user
mode and then dump. Then, to mimic the installation procedure,
either boot from installation tape, or RIS server, into system
management mode, restore root -rT, change the config file and rebuild
the database. Then you can boot to single user mode and restore
all the other partitions, so that their tags are created using the
new tags database.
Here's what the relevant portion of the installation script is doing:
echo "#
# Mandatory Configuration File
#
/tcb/files/MACILBDBASE $CACHE $BUFFS $CLASSES $COMPS $MARKS 3 2 1 1 2
1" > /etc/policy/macilb/config
/mnt/bin/cp /etc/policy/macilb/config /mnt/etc/policy/macilb/config
# create the MAC database
/mnt/tcb/bin/mkdb /mnt/tcb/files/MACILBDBASE 4096 80 > /dev/null 2>&1
/mnt/tcb/bin/labelcomp /mnt/etc/policy/macilb/Encodings && break
(note that mkdb is using the file named /etc/policy/macilb/config,
not the one on the mounted disk)
It would be easier if you have a spare disk, especially a disk that has
the same partition layout as your system disk, on which at least
the root partition is unused. For example, something like this maybe?
(in single-user mode)
dump 0f /dev/rmt0h /dev/rrz0a # dump your root partition to tape
/tcb/bin/epa -g tpath '/tcb/tpath/newfs /dev/rrz1a rz56'
# newfs the spare 'a' partition
mount /dev/rz1a /mnt # mount the spare partition on /mnt
cd /mnt # cd to the spare 'a' partition
restore -rT # restore root to the partition
cd /etc/policy/macilb # temporarily modify the config
cp config config.save # file on the current partition
ed config
l
s/7 128 128/15 256 256/ # changing defaults to 15 256 256
w
q
cd /mnt/tcb/files
mv MACILBDBASE MACILBDBASE.old # prob shouldn't bother but hey
cd /mnt/etc/policy/macilb
mv config config.old # ditto
cp /etc/policy/macilb/config config # for the hopeful future
/tcb/bin/mkdb /mnt/tcb/bin/MACILBDBASE 4096 80
# create the new tags database
mv /etc/policy/macilb/config.save /etc/policy/macilb/config
# restore the original on current
# root in case you might need to
# use this (old) root :-)
shutdown -h now
boot the new root partition to single-user mode
fix up /etc/fstab appropriately (e.g., you've changed unit numbers)
(could try to fsck and run trec on the other partitions but should...)
restore the other partitions from tape (this is the best way to
properly preserve the labels -- but trec might be faster for
partitions in which you don't have a lot of labels
other than syslo)
run setfiles (if you have problems with this, there
are some fixit instructions somewhere in this
notesfile, search for setfstag)
or just reboot (and let setfiles tell you it's problems then)]
| T.R | Title | User | Personal
Name | Date | Lines |
|---|
| 508.1 | factory installed MLS+? | SMURF::BAT | Segui la tua beatitudine | Thu May 15 1997 20:35 | 8 |
| Just to give context for preceding: Mark Sowards called and said that a
customer of his had ordered some Alpha 600's (VME single-board) that
had MLS+ "factory installed" on them. I said, I wonder who factory
installed them? Interesting. Anyway, he needed to know how to change
the Encodings file without re-installing. He's got to have some tape
or whatever device to get the new Encodings and config files loaded in,
and he's going to have to find out what the "factory installed" root
password is?
|
| 508.2 | authck goes nuts if it is bad, but that's entertainment | SMURF::BAT | Segui la tua beatitudine | Fri May 16 1997 19:43 | 33 |
| BTW, I discovered an interesting thing today: if you run
/tcb/bin/authck -p it will actually syntax check all the files in
/tcb/files/auth/* -- even ones that don't "belong" there.
What this means is, you can verify whether you correctly edited
/tcb/files/auth/r/root to change the clearance back from whatever the
current system high string is in the current Encodings to the
well-known "syshi" string. Or at least verify that you didn't make
syntax errors.
So I would improve on Step 2, with:
# cd /tcb/files/auth/r
# cp root root.new
edit root.new
change:
:u_clearance=TOP\040SECRET\040A\040B\040SA\040SB\040CC:\
to:
:u_clearance=syshi:\
# /tcb/bin/authck -p
It will actually syntax check root.new, which is nice. Then when
you shutdown to single-user mode you can
# cd /tcb/files/auth/r
# mv root root.old
# mv root.new root
And delete root.old after you come up and are running successfully.
|
| 508.3 | from mark | SMURF::BAT | Segui la tua beatitudine | Mon May 19 1997 17:22 | 35 |
| From: US2RMC::"[email protected]" "Mark Sowards" 19-MAY-1997 05:04:56.59
To: "'Barbara A. Thomson (ZKO3-2/X46 1-2955)'" <[email protected]>, "'[email protected]'" <smurf::bat>
CC: "'Me@swarf'" <[email protected]>
Subj: Results of Encodings file swap
I'll give you a little heads up. The reboot to single user failed after
all the changes. It complains about an Encodings conversion
("can't convert '8.5+GB' for encodings file") or something to that affect,
and no part of the security labeling works. (i.e. the mand_init fails and
all actions dealing with the security daemon fail.) When we tried the
TREC procedure, the dbck functions all work, but the TREC on the root file
system fails completely it can't convert the Encodings.
(Now I have to say they let some Sun guy come in a re-write the
Encodings file so it's not the same one that Curry helped them develop.)
However, this same file is supposed to be running on one of the other
machines (installed from scratch).
The reason they are willing to try so hard for this method to work is
based on at least two factors. (1) They need Ten systems done with a very
intricate configuration, by Wednesday. Eight of these system (and this is
#2) are those single board Alphas. The single board machines have no
connections for an external tape drive. They have multiple FDDI and
Ethernet connections. This makes getting the Encodings file loaded very
difficult. It will require multiple RIS systems to be configured because
there are at least three (possible four) subnets in this two rack ten
machine setup.
It's a really weird setup there are two Alpha 600's one in the bottom of
each rack; with two enclosed custom made boxes each containing 2 single
board alphas. Each pair of single board alpha has a single level FDDI
connection between them and then the pairs are connected to the a600 in
that rack and then the 600's are connected by an ether net.
[ more in other notes ]
|
| 508.4 | from bat | SMURF::BAT | Segui la tua beatitudine | Mon May 19 1997 17:22 | 29 |
| From: SMURF::BAT "Barbara A. Thomson ZKO3-2/X46 1-2955" 19-MAY-1997 14:09:44.88
To: US2RMC::"[email protected]"
CC: BAT
Subj: RE: Results of Encodings file swap
Mark,
My home number is (603) 487-2974. Please file it so that
in the future if you are working weekends, you might be
able to contact someone.
> It complains about an Encodings conversion
> ("can't convert '8.5+GB' for encodings file") or something to that affect,
That means that the Encodings file itself is incomprehensible.
Before you reboot with a new Encodings file, you have to
run labelcomp on the Encodings file. (See man labelcomp).
If you have changed the /etc/policy/macilb/config file,
you have to use that one too.
> (Now I have to say they let some Sun guy come in a re-write the
> Encodings file so it's not the same one that Curry helped them develop.)
> However, this same file is supposed to be running on one of the other
> machines (installed from scratch).
"supposed to be" -- well if it truly is, then there must
be a difference in the /etc/policy/macilb/config file.
|
| 508.5 | found the problem: but we have a bug | SMURF::BAT | Segui la tua beatitudine | Mon May 19 1997 17:25 | 9 |
| I spoke with Mark earlier today and he said that they were all set:
evidently they had run labelcomp, but the Sun guy at the last minute
decided to change markings in the /etc/policy/macilb/config to 0 and
then they didn't subsequently run lablecomp.
They should have run labelcomp, but our SecureWare code should be able
to handle markings=0.
We should file a bug report on this.
|
| 508.4 | are you sure you ran labelcomp? | SMURF::BAT | Segui la tua beatitudine | Tue May 20 1997 15:31 | 24 |
| From: SMURF::BAT "Barbara A. Thomson ZKO3-2/X46 1-2955" 19-MAY-1997 14:09:44.88
To: US2RMC::"[email protected]"
CC: BAT
Subj: RE: Results of Encodings file swap
> It complains about an Encodings conversion
> ("can't convert '8.5+GB' for encodings file") or something to that affect,
That means that the Encodings file itself is incomprehensible.
Before you reboot with a new Encodings file, you have to
run labelcomp on the Encodings file. (See man labelcomp).
If you have changed the /etc/policy/macilb/config file,
you have to use that one too.
> (Now I have to say they let some Sun guy come in a re-write the
> Encodings file so it's not the same one that Curry helped them develop.)
> However, this same file is supposed to be running on one of the other
> machines (installed from scratch).
"supposed to be" -- well if it truly is, then there must
be a difference in the /etc/policy/macilb/config file.
|
| 508.5 | now correct: but we still have a bug | SMURF::BAT | Segui la tua beatitudine | Tue May 20 1997 15:32 | 10 |
| I spoke with Mark earlier today and he said that they were all set:
evidently they had run labelcomp, but the Sun guy at the last minute
decided to change markings in the /etc/policy/macilb/config to 0 and
then they didn't subsequently run lablecomp.
They should have run labelcomp, but our SecureWare code should be able
to handle markings=0.
We should file a bug report on this.
|
| 508.6 | fixing errors during Encodings file swap: bad tag | SMURF::BAT | Segui la tua beatitudine | Wed May 21 1997 14:19 | 25 |
|
I just left you a voice mail and I thought I'd follow up with a note.
The change to the number of markings in the config file corrected our
problem with the systems. However, when doing the other systems, some
of the extra 'help' fat fingered the TNE TMAPPINGS file, they either
forgot to set the label or didn't set it right. Anyway the result is
that these two systems have TNETMAPPINGS files that cannot be chlabel'd
or deleted or fixed. How do we reset these files now?
Also you said that the method Lenny was using to restore systems was
incorrect. Now I'm not sure if I had described it wrong or what, but
if you could quick sketch out what was wrong then I could get Lenny
going on the big restore of the 2100.
Mark A. Sowards
Digital Equipment Corporation
WRO Santa Clara, DTN521-4391
Mark A. Sowards
409-748-4391 DTN 521-4391
2575 Augustine Dr.
Santa Clara, CA 95054
|
| 508.7 | do the chlabel in the correct order | SMURF::BAT | Segui la tua beatitudine | Wed May 21 1997 14:31 | 31 |
| Well, there are lots of things I'm learning about the differences
between V3 and V4 through this "self-paced" instructional method,
thanks, Mark!
For one, I didn't even know there was a file called TNETMAPPINGS -
shows you how much I've played with the CIPSO and tsix_1_1 protocols
(zip).
And for two, I didn't realize that one might have, or might want to,
set a temporary file (which in OSF seems to be terminated with a
:t instead of a -t as ULTRIX MLS+) created, I presume by
create_file_securely() [sic] to a different SL than the file that it is
an intermediate version of -- it has the same DAC protection, why not
the same MAC? But that's a curious observation that will require
further investigation later [bathole alert! bathole alert!]
ANYWAY, the next note is a re-posting of the bottom line instructions
for resetting the labels on a file that has a tag that cannot be
translated back into an IR that matches an ER in the new Encodings
file... I have *NOT* tried them on V4 and don't know if they will
work. In summary what you do is:
chlabel -NI syslo filename
chlabel -NS syslo filename
chlabel -I syslo filename
chlabel -S syslo filename
(roughly). If that doesn't work, then you may have to do the
setfstag business. (If there is a setfstag in OSF). If that doesn't
work, run fsck and then trec on the file system. (See man pages).
If that doesn't work, then we have a problem. (Bug).
|
| 508.8 | bad tag or session sensitivity label | SMURF::BAT | Segui la tua beatitudine | Wed May 21 1997 14:31 | 49 |
| <<< SMURF::DISK$NOTES:[NOTES$LIBRARY]ULTRIX_MLS_PLUS.NOTE;1 >>>
-< CMW Ultrix MLS+ notesfile >-
================================================================================
Note 602.4 bad clearance or session security level 4 of 4
MKOTS3::THOMSON "Segui la tua beatitudine" 41 lines 8-APR-1994 18:44
-< bad tags fix procedure (hit it with a hammer) >-
--------------------------------------------------------------------------------
Return-Path: minsrv::[email protected]
Date: Thu, 8 Jul 93 12:01:56 -0400
From: minsrv::[email protected] (Jonathan Fraser UEG)
To: [email protected]
Cc: [email protected], [email protected]
Subject: Re: What is the Trilogy?
Mark, Barb:
It actually takes 3 commands to change the name labels because
of the policy rules. Consider that both the name sl and the name
il are bad tag values because of having 'lost' the mac tag database
during the installation. The policy rules state that when you change
either the SL or the IL, that the SL must dominate the IL. But because
the tags are bad, the comparision of the new SL and old IL or the
old SL and the new IL will always fail.
The solution is to first set the name IL to wildcard. This
will always work because we don't do any dominance checks against wildcard
labels. Then set the name SL to UNCLE. Finally, set the name IL to UNCLE.
The commands I use are:
find * -print | xargs chnilevel WILDCARD
find * -print | xargs chnlevel U
find * -print | xargs chnilevel U
Hence, the "trilogy".
Of course, before doing this, I run
setfstag -a -v -i1 -t2 -i2 -t2 /dev/rrz...
to set all the inode tags to unclassified.
Jon
|
| 508.9 | also note: can't downgrade these SLs while up | SMURF::BAT | Segui la tua beatitudine | Thu May 29 1997 18:15 | 5 |
| Mark said they were stuck - they tried the "trilogy" and it didn't work
for them. They ended up setting SL to syshi and rm it the file, and
getting a copy of the file from another system. Mark is going to check
and see exactly what they were doing, why they couldn't get the SL to
change.
|