Patch-ID# 116143-03
Keywords: ping equal label unlabeled hardened network
Synopsis: Trusted_Solaris_8_HW_12/02_x86: ip patch
Date: Aug/31/2004

Install Requirements: Reboot after installation

Solaris Release: Trusted_Solaris_8_HW_12/02_x86

SunOS Release: Trusted_Solaris_8_HW_12/02_x86

Unbundled Product:

Unbundled Release:

Xref: This patch is available for SPARC as patch 116142

Topic: Trusted_Solaris_8_HW_12/02_x86: ip patch

Relevant Architectures: i386

BugId's fixed with this patch: 4639031 4938446 5044793

Changes incorporated in this version: 5044793

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/kernel/drv/ip
/usr/include/inet/ip.h

Problem Description:

5044793 Trusted Solaris 8 can deadlock in the network stack

(from 116143-02)

4938446 Expand "tsol_ping_equal_only" to "tsol_unlab_equal_only", add more protocols.

(from 116143-01)

4639031 ping on restricted interfaces can ping to higher label & get response

Patch Installation Instructions:
--------------------------------
Refer to the man pages for instructions on using the 'patchadd' and 'patchrm' scripts provided with Trusted Solaris. Any other special or non-generic installation instructions are described below as special instructions. For additional examples please see the appropriate man pages.

Special Install Instructions:
-----------------------------
NOTE 1: Reboot the system after all the patches are installed.

NOTE 2: The tsol_ping_equal_only ndd switch introduced in patches 116143-01 and 116145-01 has been renamed to tsol_unlab_equal_only.
NOTE 3: To get the complete hardening feature for bugs 4639031 and 4938446, install the following patches:

    116143-02 (or newer) ip patch
    116145-02 (or newer) inetinit patch
    116147-02 (or newer) genunix_policy patch

NOTE 4: To activate the complete hardening feature for bugs 4639031 and 4938446, edit /etc/init.d/inetinit after installing the inetinit patch and uncomment the following line, as documented within inetinit:

    #/usr/sbin/ndd -set /dev/ip tsol_unlab_equal_only 1

This can be done just before the reboot that follows installing the above three patches, if desired.

NOTE 5: It is recommended to save a copy of the /etc/init.d/inetinit file before removing 116145-01 (or newer). Installing this patch will not preserve any user modifications made to /etc/init.d/inetinit after the patch is installed; a copy of /etc/init.d/inetinit is preserved before the patch installation completes. Be aware that after the patch is removed, the pre-patch version of /etc/init.d/inetinit will not be restored to the system.

NOTE 6: The "tsol_unlab_equal_only" switch, if set to 1 (the default is 0), will disable some network communications that some sites depend upon. Enable it only if desired per site policy.

NOTE 7: To get the complete fix for 5044793, install the following patch:

    116147-04 (or newer) genunix_policy patch

The steps below assume the patch has been put into an ADMIN_LOW directory in /var/tmp and that the patch file's label is configured to ADMIN_LOW. Create a role which contains the Software Installation profile (typically the admin role is assigned this profile) and whose label range includes the ADMIN_LOW label. All the steps in the patch installation should be executed at ADMIN_LOW. The patch should be owned by this role.

1) Login as a user authorized to assume a role that contains the Software Installation profile; typically the admin role. Assume that role.
To verify the profile is assigned to the role, type:

    profiles -l | grep patchadd

The result should be:

    /usr/sbin/patchadd uid=0, privs=all, label=admin_low

2) cd into /var/tmp and install the patch file.

    # cd /var/tmp
    # patchadd /var/tmp/<patch-id>

where <patch-id> is the patch number.

Special Backout Instructions:
-----------------------------
NOTE 1: Reboot the system after all the patches are removed.

1) Login as a user authorized to assume a role that contains the Software Installation profile; typically the admin role. Assume that role.

To verify the profile is assigned to the role, type:

    profiles -l | grep patchrm

The result should be:

    /usr/sbin/patchrm uid=0, privs=all, label=admin_low

2) Backout the patch by typing:

    # patchrm <patch-id>

where <patch-id> is the patch number.

README -- Last modified date: Tuesday, August 31, 2004
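Added example for NOTE 3 through NOTE 7 above; this is helper code written for this page, not part of the Sun patch or of Trusted Solaris. It checks "showrev -p" style output for the minimum revisions named in NOTE 3 and NOTE 7, and only then uncomments the exact ndd line from NOTE 4 in an inetinit file, keeping a pre-edit copy as NOTE 5 recommends. The showrev output and the inetinit fragment are constructed for the demonstration, and the function names (patch_rev_ok, all_patches_ok, switch_enabled_in, enable_switch) are the example's own. Whether to enable the switch at all remains a site-policy decision per NOTE 6; the script only refuses to enable it when the prerequisite patches are missing.

```shell
#!/bin/sh
# Added pre-flight helper for the tsol_unlab_equal_only hardening (NOTE 3-7).
# Example code written for this README, not part of the Sun patch.
# Assumptions: "showrev -p" output is passed in as text, and the inetinit
# file to edit is passed as a path, so it can be tried on a copy first.

# Minimum revisions named in NOTE 3 and NOTE 7 of this README.
REQUIRED_PATCHES="116143-02 116145-02 116147-04"

# The exact line NOTE 4 says to uncomment in /etc/init.d/inetinit.
NDD_LINE='/usr/sbin/ndd -set /dev/ip tsol_unlab_equal_only 1'

# patch_rev_ok SHOWREV_TEXT BASE-MINREV
# Succeeds when SHOWREV_TEXT lists patch BASE at revision >= MINREV.
patch_rev_ok() {
    showrev=$1; base=${2%-*}; minrev=${2#*-}
    minrev=${minrev#0}                      # "02" -> "2" for the -ge test
    have=$(printf '%s\n' "$showrev" | awk -v b="$base" '
        $1 == "Patch:" { split($2, p, "-")
                         if (p[1] == b && p[2] + 0 > max) max = p[2] + 0 }
        END            { if (max) printf "%d", max }')
    [ -n "$have" ] && [ "$have" -ge "$minrev" ]
}

# all_patches_ok SHOWREV_TEXT
# Succeeds only when every patch in REQUIRED_PATCHES is installed at a
# sufficient revision; lists the shortfalls on stderr otherwise.
all_patches_ok() {
    missing=
    for p in $REQUIRED_PATCHES; do
        patch_rev_ok "$1" "$p" || missing="$missing $p"
    done
    [ -z "$missing" ] || { echo "missing or too old:$missing" >&2; return 1; }
}

# switch_enabled_in FILE: succeeds if the ndd line is present and uncommented.
switch_enabled_in() {
    grep -q "^[[:space:]]*$NDD_LINE[[:space:]]*\$" "$1"
}

# enable_switch FILE: keep a copy first (NOTE 5), then uncomment only the
# exact ndd line from NOTE 4. Refuses to touch a file that lacks that line.
enable_switch() {
    f=$1
    grep -q "^#[[:space:]]*$NDD_LINE[[:space:]]*\$" "$f" || {
        echo "commented ndd line not found in $f" >&2; return 1; }
    [ -e "$f.orig" ] || cp -p "$f" "$f.orig"
    sed "s|^#[[:space:]]*$NDD_LINE[[:space:]]*\$|$NDD_LINE|" "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f" && switch_enabled_in "$f"
}

# Constructed sample "showrev -p" output (not from a real system): the
# inetinit patch is still at -01, so the hardening must not be enabled yet.
SAMPLE_SHOWREV='Patch: 116143-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 116145-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 116147-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr'

# Constructed fragment standing in for /etc/init.d/inetinit.
make_sample_inetinit() {
    cat > "$1" <<'EOF'
#!/sbin/sh
# constructed fragment for the example, not the real inetinit script
/usr/sbin/ndd -set /dev/ip ip_forwarding 0
#/usr/sbin/ndd -set /dev/ip tsol_unlab_equal_only 1
EOF
}

main() {
    if all_patches_ok "$SAMPLE_SHOWREV"; then
        echo "patch levels OK"
    else
        echo "install the missing patches before enabling the switch (NOTE 3, 7)"
    fi
    f=$(mktemp) && make_sample_inetinit "$f"
    switch_enabled_in "$f" && echo "switch already on" || echo "switch off (default, NOTE 6)"
    enable_switch "$f" && echo "enabled in $f; pre-edit copy kept in $f.orig"
    rm -f "$f" "$f.orig"
}
main
```

On a real system the calls would be all_patches_ok "$(showrev -p)" and enable_switch /etc/init.d/inetinit, run at ADMIN_LOW from the admin role like the rest of the procedure and followed by the reboot NOTE 1 requires; the .orig copy is only a convenience on top of NOTE 5, since patchrm still will not restore the pre-patch file.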