Patch-ID# 116145-02
Keywords: ping equal label unlabeled hardened network
Synopsis: Trusted_Solaris_8_HW_12/02_x86: inetinit patch
Date: Nov/05/2003

Install Requirements: Additional instructions may be listed below
                      Reboot after installation

Solaris Release: Trusted_Solaris_8_HW_12/02_x86

SunOS Release: Trusted_Solaris_8_HW_12/02_x86

Unbundled Product:

Unbundled Release:

Xref: This patch available for SPARC as patch 116144

Topic: Trusted_Solaris_8_HW_12/02_x86: inetinit patch

Relevant Architectures: i386

BugId's fixed with this patch: 4639031 4894365 4938446

Changes incorporated in this version: 4894365 4938446

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/etc/init.d/inetinit
/etc/rc0.d/K43inet
/etc/rc1.d/K43inet
/etc/rc2.d/S69inet
/etc/rcS.d/K43inet

Problem Description:

4894365 Request telnet not send - SYN/ACK/Rst downlabel during improper telnet
4938446 Expand "tsol_ping_equal_only" to "tsol_unlab_equal_only", add more protocols.

(from 116145-01)

4639031 ping on restricted interfaces can ping to higher label & get response

Patch Installation Instructions:
--------------------------------
Refer to the man pages for instructions on using the 'patchadd' and 'patchrm'
scripts provided with Trusted Solaris. Any other special or non-generic
installation instructions should be described below as special instructions.
For additional examples please see the appropriate man pages.

Special Install Instructions:
-----------------------------
NOTE 1: Reboot the system after all the patches are installed.

NOTE 2: The tsol_ping_equal_only ndd switch in patches 116143-01 and
116145-01 has been renamed to tsol_unlab_equal_only.
NOTE 3: To get the complete hardening feature for bugs 4639031 and 4938446,
one needs to install the following patches:

        116143-02 (or newer) ip patch
        116145-02 (or newer) inetinit patch
        116147-02 (or newer) genunix_policy patch

NOTE 4: To activate the complete hardening feature for bugs 4639031 and
4938446, you will need to edit /etc/init.d/inetinit after installing the
inetinit patch and uncomment the following line, as documented within
inetinit:

        #/usr/sbin/ndd -set /dev/ip tsol_unlab_equal_only 1

This can be done just before reboot after installing the above 3 patches,
if desired.

NOTE 5: It is recommended to save a copy of the /etc/init.d/inetinit file
before removing 116145-01 (or newer). The installation of this patch will
not preserve any user modifications made to the /etc/init.d/inetinit file
after the patch is installed. A copy of the /etc/init.d/inetinit file is
preserved before the patch installation is complete. The user should be
aware that after the patch is removed, the pre-patch version of the
/etc/init.d/inetinit file will not be restored to the system.

NOTE 6: To get the complete hardening feature for bugs 4894365 and 4938446,
one needs to install this patch and the following patches:

        116143-02 (or newer) ip patch
        116145-02 (or newer) inetinit patch
        116147-02 (or newer) genunix_policy patch
        116406-01 (or newer) tcp patch

NOTE 7: To activate the complete hardening feature for bug 4894365: after
installing 116145-02 (or newer), update /etc/init.d/inetinit by removing
the pound sign (#) from the ndd entry:

        #/usr/sbin/ndd -set /dev/tcp tcp_strict_syn_policy 1

This file may be updated after all 4 patches have been installed:

        116143-02 (or newer) ip patch
        116145-02 (or newer) inetinit patch
        116147-02 (or newer) genunix_policy patch
        116406-01 (or newer) tcp patch

NOTE 8: The "tsol_unlab_equal_only" switch, if set to 1 (default is 0),
will disable some network communications that some sites depend upon;
enable it only if desired per site policy.
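The following check is an added example, not part of this README: it reads a copy of an inetinit-style file and reports, for each of the two ndd switches named in NOTE 4 and NOTE 7, whether the line is active, still commented out with the pound sign, or absent, so an administrator can confirm the edit before rebooting. The sample file contents are constructed here for illustration.

```shell
#!/bin/sh
# Report the state of one hardening ndd switch in an inetinit-style file.
# Prints "active", "commented" or "absent" for the given device/switch pair.
# Usage: ndd_switch_state <file> <device> <switch>
ndd_switch_state() {
    file=$1; dev=$2; sw=$3
    # Active: the ndd command starts the line (only optional whitespace before it).
    if grep -E "^[[:space:]]*/usr/sbin/ndd[[:space:]]+-set[[:space:]]+$dev[[:space:]]+$sw[[:space:]]+1" "$file" >/dev/null; then
        echo active
    # Commented: the same command, but still behind a pound sign.
    elif grep -E "^[[:space:]]*#[[:space:]]*/usr/sbin/ndd[[:space:]]+-set[[:space:]]+$dev[[:space:]]+$sw" "$file" >/dev/null; then
        echo commented
    else
        echo absent
    fi
}

# Check both switches named in the README against one file.
# Returns 0 only when both switches are active.
check_inetinit_hardening() {
    file=$1
    a=$(ndd_switch_state "$file" /dev/ip tsol_unlab_equal_only)
    b=$(ndd_switch_state "$file" /dev/tcp tcp_strict_syn_policy)
    echo "tsol_unlab_equal_only: $a"
    echo "tcp_strict_syn_policy: $b"
    [ "$a" = active ] && [ "$b" = active ]
}

# Constructed sample inetinit fragment: the ip switch has been uncommented
# as in NOTE 4, but the tcp switch from NOTE 7 is still commented out.
SAMPLE_INETINIT=${TMPDIR:-/tmp}/sample_inetinit.$$
cat > "$SAMPLE_INETINIT" <<'EOF'
# Uncomment to restrict unlabeled traffic to equal-label peers
/usr/sbin/ndd -set /dev/ip tsol_unlab_equal_only 1
# Uncomment to enforce the strict SYN policy
#/usr/sbin/ndd -set /dev/tcp tcp_strict_syn_policy 1
EOF

check_inetinit_hardening "$SAMPLE_INETINIT" || echo "hardening incomplete"
```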
The steps below assume the patch has been put into an ADMIN_LOW directory in
/var/tmp and the patch file label is configured to ADMIN_LOW. Create a role
which contains the Software Installation profile (typically the admin role is
assigned this profile) and whose label range includes the ADMIN_LOW label.
All the steps in the patch installation should be executed at ADMIN_LOW. The
patch should be owned by this role.

1) Login as a user authorized to assume a role that contains the Software
   Installation profile; typically the admin role. Assume that role.

   To verify the profile is assigned to the role, type:
   "profiles -l | grep patchadd". The result should be:

        /usr/sbin/patchadd uid=0, privs=all, label=admin_low

2) cd into /var/tmp and install the patch file.

        # cd /var/tmp
        # patchadd /var/tmp/

   where is the patch number.

Special Backout Instructions:
-----------------------------
NOTE 1: Reboot the system after all the patches are removed.

1) Login as a user authorized to assume a role that contains the Software
   Installation profile; typically the admin role. Assume that role.

   To verify the profile is assigned to the role, type:
   "profiles -l | grep patchrm". The result should be:

        /usr/sbin/patchrm uid=0, privs=all, label=admin_low

2) Backout the patch by typing:

        # patchrm

README -- Last modified date: Wednesday, November 5, 2003