Question
How can I tell if a label can be mapped to a CIPSO label? According to the Trusted Solaris Administrator's Procedures manual, a message is dropped if it is "too big" to map to a CIPSO label. For example, ADMIN_HIGH is too big.

Answer
For a label to map to and from a CIPSO label, the classification value must be less than or equal to 255, and all compartment bit numbers must be less than or equal to 239.

Sensitivity Label Limits for Mapping with CIPSO Labels
  Classification value: less than or equal to 255
  Compartment bit numbers: less than or equal to 239
Because an ADMIN_HIGH label exceeds these limits, packets with the ADMIN_HIGH label are dropped by default. If ADMIN_HIGH labels need to be sent across network interfaces, the tsol_admin_high_to_cipso kernel flag should be set to 1 on all machines involved. This can be set in the /etc/system file with:
With this flag set, ADMIN_HIGH is mapped to a label that has a classification value of 255 with all compartment bits from 0 to 239.

NOTE: If you set up ADMIN_HIGH to be mapped, make sure that no label in the user accreditation range has the classification value of 255 with all compartment bits from 0 to 239. Otherwise, the user label would be indistinguishable from ADMIN_HIGH after mapping.

Related Documentation
See the Sun reference for labels: the Trusted Solaris Label Administration manual.

Applies to
Trusted Solaris Release 2.5, 2.5.1, 7, 8
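As an added illustration of the limits and the ADMIN_HIGH caveat in the answer above (example code written for this page, not Sun's own tooling), the following Python models a label as a classification value plus a set of compartment bit numbers, which is a simplified, hypothetical representation, and checks whether it fits a CIPSO label and whether a user label would collide with mapped ADMIN_HIGH.

```python
from dataclasses import dataclass, field

# Limits quoted in the answer above.
MAX_CIPSO_CLASSIFICATION = 255
MAX_CIPSO_COMPARTMENT_BIT = 239


@dataclass(frozen=True)
class Label:
    """Hypothetical, reduced view of a Trusted Solaris sensitivity label:
    a classification value and the set of compartment bit numbers that
    are on. admin_high marks the special ADMIN_HIGH label."""
    classification: int
    compartments: frozenset = field(default_factory=frozenset)
    admin_high: bool = False


def cipso_mappable(label: Label, admin_high_to_cipso: bool = False) -> bool:
    """True if the label fits the CIPSO limits, so a packet carrying it
    is not dropped. admin_high_to_cipso models the
    tsol_admin_high_to_cipso kernel flag (1 = set)."""
    if label.admin_high:
        return admin_high_to_cipso
    if label.classification > MAX_CIPSO_CLASSIFICATION:
        return False
    return all(0 <= bit <= MAX_CIPSO_COMPARTMENT_BIT for bit in label.compartments)


def mapped_admin_high() -> Label:
    """The CIPSO form ADMIN_HIGH takes once the kernel flag is set:
    classification 255 with every compartment bit 0..239 on."""
    return Label(MAX_CIPSO_CLASSIFICATION,
                 frozenset(range(MAX_CIPSO_COMPARTMENT_BIT + 1)))


def collides_with_mapped_admin_high(label: Label) -> bool:
    """The NOTE above: a user-range label with exactly this shape would be
    indistinguishable from ADMIN_HIGH after mapping."""
    m = mapped_admin_high()
    return (not label.admin_high
            and label.classification == m.classification
            and label.compartments == m.compartments)


def dropped_labels(labels, admin_high_to_cipso=False):
    """Labels from an accreditation range that would be dropped on the wire."""
    return [l for l in labels if not cipso_mappable(l, admin_high_to_cipso)]
```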