Patch-ID# 116147-04
Keywords: security ping equal label unlabeled hardened network sunscreen panic
Synopsis: Trusted_Solaris_8_HW_12/02_x86: genunix_policy patch
Date: Aug/31/2004

Install Requirements: Reboot after installation

Solaris Release: Trusted_Solaris_8_HW_12/02_x86

SunOS Release: Trusted_Solaris_8_HW_12/02_x86

Unbundled Product:

Unbundled Release:

Xref: This patch available for SPARC as patch 116146

Topic: Trusted_Solaris_8_HW_12/02_x86: genunix_policy patch

Relevant Architectures: i386

BugId's fixed with this patch: 4639031 4894365 4915227 4920718 4931908 4932041
                               4934078 4938446 4965212 5039306 5044793

Changes incorporated in this version: 5044793

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch: 116143-02 or greater

Obsoleted by:

Files included with this patch:

/kernel/tsol_policy/genunix_policy
/usr/include/sys/fs_secpolicy.h
/usr/include/sys/net_secpolicy.h
/usr/include/sys/pathname.h
/usr/include/sys/tsol/tnet.h
/usr/include/sys/vnode_secpolicy.h

Problem Description:

5044793 Trusted Solaris 8 can deadlock in the network stack

(from 116147-03)

4931908 df -k ignores mac
4932041 proc tools produce revealing error messages to unprivileged subjects
4934078 users shouldn't trigger nfs net traffic for file systems they cannot access
4965212 Order of checking in tnrh_credchk complicates priv debugging
5039306 suser binaries should not be included in patches, incl. genunix_policy patches

(from 116147-02)

4894365 Request telnet not send - SYN/ACK/Rst downlabel during improper telnet
4915227 problems accessing dominated nfs file systems
4920718 Installation fails with panic on Trusted Solaris 8 HW 12/02
4938446 Expand "tsol_ping_equal_only" to "tsol_unlab_equal_only", add more protocols.
(from 116147-01)

4639031 ping on restricted interfaces can ping to higher label & get response


Patch Installation Instructions:
--------------------------------
Refer to the man pages for instructions on using 'patchadd' and 'patchrm'
scripts provided with Trusted Solaris. Any other special or non-generic
installation instructions should be described below as special instructions.

The following example removes a patch from a standalone system:

example# patchrm 104945-02

For additional examples please see the appropriate man pages.

Special Install Instructions:
-----------------------------
NOTE 1: Reboot the system after all the patches are installed.

NOTE 2: The tsol_ping_equal_only ndd switch in patches 116143-01 and
        116145-01 has been renamed to tsol_unlab_equal_only.

NOTE 3: To get the complete hardening feature for bugs 4639031 and 4938446,
        one needs to install the following patches:

        116143-02 (or newer) ip patch
        116145-02 (or newer) inetinit patch
        116147-02 (or newer) genunix_policy patch

NOTE 4: To activate the complete hardening feature for bugs 4639031 and
        4938446, you will need to edit /etc/init.d/inetinit after installing
        the inetinit patch and uncomment the following line, as documented
        within inetinit:

        #/usr/sbin/ndd -set /dev/ip tsol_unlab_equal_only 1

        This can be done just before reboot after installing the above 3
        patches, if desired.

NOTE 5: It is recommended to save a copy of the /etc/init.d/inetinit file
        before removing 116145-01 (or newer). The installation of this patch
        will not preserve any user modifications made to the
        /etc/init.d/inetinit file after the patch is installed. A copy of the
        /etc/init.d/inetinit file is preserved before the patch installation
        is complete. The user should be aware that after the patch is
        removed, the pre-patch version of the /etc/init.d/inetinit file will
        not be restored to the system.
NOTE 6: To get the complete hardening feature for bugs 4894365 and 4915227,
        one needs to install the following patches:

        116143-02 (or newer) ip patch
        116145-02 (or newer) inetinit patch
        116147-02 (or newer) genunix_policy patch
        116406-01 (or newer) tcp patch

NOTE 7: To activate the complete hardening feature for bug 4894365: After
        installing 116145-02 (or newer), update /etc/init.d/inetinit by
        removing the pound sign (#) from the ndd entry:

        #/usr/sbin/ndd -set /dev/tcp tcp_strict_syn_policy 1

        This file may be updated after all 4 patches have been installed:

        116143-02 (or newer) ip patch
        116145-02 (or newer) inetinit patch
        116147-02 (or newer) genunix_policy patch
        116406-01 (or newer) tcp patch

NOTE 8: The "tsol_unlab_equal_only" switch, if set to 1 (default is 0), will
        disable some network communications that some sites depend upon;
        enable it only if desired per site policy.

NOTE 9: To get the complete fix for bug 4920718 one needs to install the
        following patches:

        116147-02 (or newer) genunix_policy patch
        116404-01 (or newer) device_policy patch

NOTE 10: To get the complete fix for bug 5044793 one needs to install the
         following patch:

         116143-03 (or newer) ip patch

The steps below assume the patch has been put into an ADMIN_LOW directory in
/var/tmp and the patch file label is configured to ADMIN_LOW.

Create a role which contains the Software Installation profile (typically the
admin role is assigned this profile) and whose label range includes the
ADMIN_LOW label. All the steps in the patch installation should be executed at
ADMIN_LOW. The patch should be owned by this role.

1) Login as a user authorized to assume a role that contains the Software
   Installation profile; typically the admin role. Assume that role.

   To verify the profile is assigned to the role, type:

   "profiles -l | grep patchadd"

   The result should be:

   /usr/sbin/patchadd uid=0, privs=all, label=admin_low

2) cd into /var/tmp and install the patch file.
   # cd /var/tmp
   # patchadd /var/tmp/<patch-id>

   where <patch-id> is the patch number.

Special Backout Instructions:
-----------------------------
NOTE 1: Reboot the system after all the patches are removed.

1) Login as a user authorized to assume a role that contains the Software
   Installation profile; typically the admin role. Assume that role.

   To verify the profile is assigned to the role, type:

   "profiles -l | grep patchrm"

   The result should be:

   /usr/sbin/patchrm uid=0, privs=all, label=admin_low

2) Backout patch by typing:

   # patchrm <patch-id>

   where <patch-id> is the patch number.

README -- Last modified date: Tuesday, August 31, 2004
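The hardening described in NOTES 3 through 10 above only takes effect when every patch in the list is at the stated revision and the ndd lines in /etc/init.d/inetinit have actually been uncommented, and the patch tools do not check the second condition for you. The script below is an added verification helper written for this page; it is not part of this README or of the Sun patch. It reads a file in the format of "showrev -p" output and a file in the format of /etc/init.d/inetinit, and reports which patch levels (116143-03, 116145-02, 116147-02, 116406-01, 116404-01) and which switches (tsol_unlab_equal_only, tcp_strict_syn_policy) are not yet in place. The sample inputs it builds for its demo are constructed, not captured from a real system; the script name check_tsol_hardening.sh used below is assumed.

```shell
#!/bin/sh
# Added verification helper (not part of the Sun README or patch).
# Checks "showrev -p" style output and an /etc/init.d/inetinit style file
# against the patch levels in NOTES 6, 9 and 10 and the switches in NOTES 4
# and 7. It inspects configuration only; the running kernel value is
# visible with "ndd -get" once the system has been rebooted (NOTE 1).

# Usage: patch_at_least SHOWREV_FILE PATCHID MINREV
# Exit 0 when PATCHID appears at revision >= MINREV, 1 otherwise.
patch_at_least() {
    awk -v id="$2" -v min="$3" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == id && (p[2] + 0) >= (min + 0)) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Usage: ndd_switch_state INETINIT_FILE DEVICE PARAM
# Prints "active" if an uncommented "ndd -set DEVICE PARAM 1" line exists,
# "commented" if the line is present only behind a #, else "missing".
ndd_switch_state() {
    awk -v dev="$2" -v par="$3" '
        $0 ~ ("ndd -set " dev " " par " 1[ \t]*$") {
            if ($0 ~ /^[ \t]*#/) { if (state != "active") state = "commented" }
            else state = "active"
        }
        END { if (state == "") state = "missing"; print state }
    ' "$1"
}

# Usage: hardening_report SHOWREV_FILE INETINIT_FILE
# Prints one line per check; returns the number of checks that failed.
# NOTE 8 makes tsol_unlab_equal_only a site-policy choice, so an inactive
# switch is still reported: the point is to make the decision visible.
hardening_report() {
    showrev=$1; inetinit=$2; fails=0
    # Minimum revisions from NOTES 6, 9 and 10 (NOTE 10 raises ip to -03).
    for req in 116143-03 116145-02 116147-02 116406-01 116404-01; do
        if patch_at_least "$showrev" "${req%-*}" "${req#*-}"; then
            echo "ok       $req or newer is installed"
        else
            echo "MISSING  $req or newer"
            fails=$((fails + 1))
        fi
    done
    for sw in ip:tsol_unlab_equal_only tcp:tcp_strict_syn_policy; do
        state=$(ndd_switch_state "$inetinit" "/dev/${sw%:*}" "${sw#*:}")
        if [ "$state" = active ]; then
            echo "ok       ${sw#*:} is enabled in $inetinit"
        else
            echo "INACTIVE ${sw#*:} ($state) in $inetinit"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# Constructed sample inputs (not real system output): the tcp patch 116406
# is absent and the tcp switch is still commented, so two checks must fail.
make_samples() {
    SAMPLE_SHOWREV=${TMPDIR:-/tmp}/showrev_p.$$
    SAMPLE_INETINIT=${TMPDIR:-/tmp}/inetinit.$$
    cat >"$SAMPLE_SHOWREV" <<'EOF'
Patch: 116143-03 Obsoletes:  Requires:  Incompatibles:  Packages: -
Patch: 116145-02 Obsoletes:  Requires:  Incompatibles:  Packages: -
Patch: 116147-04 Obsoletes:  Requires: 116143-02 Incompatibles:  Packages: -
Patch: 116404-01 Obsoletes:  Requires:  Incompatibles:  Packages: -
EOF
    cat >"$SAMPLE_INETINIT" <<'EOF'
# constructed fragment of /etc/init.d/inetinit after applying NOTE 4 only
/usr/sbin/ndd -set /dev/ip tsol_unlab_equal_only 1
#/usr/sbin/ndd -set /dev/tcp tcp_strict_syn_policy 1
EOF
}

case $# in
    2) hardening_report "$1" "$2"; exit $? ;;   # real showrev -p output and inetinit
    0) make_samples
       hardening_report "$SAMPLE_SHOWREV" "$SAMPLE_INETINIT" \
           || echo "demo: $? check(s) failed (expected 2)"
       rm -f "$SAMPLE_SHOWREV" "$SAMPLE_INETINIT" ;;
esac
```

On a system where the patches are being rolled out, run it as "showrev -p > /tmp/patches; sh check_tsol_hardening.sh /tmp/patches /etc/init.d/inetinit" at ADMIN_LOW; a nonzero exit status is the number of unmet requirements. Because the switches are set from inetinit at boot, a report of "active" only means the line will be applied at the next reboot; "ndd -get /dev/ip tsol_unlab_equal_only" and "ndd -get /dev/tcp tcp_strict_syn_policy" show what the kernel is enforcing now.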