Setting Up the Global Zone in Trusted Extensions

To customize your Trusted Extensions configuration, perform the procedures in the following task map. To install the default configuration, go to Creating Labeled Zones.

How to Check and Install Your Label Encodings File

Your encodings file must be compatible with any Trusted Extensions host with which you are communicating.

• If you are familiar with encodings files, you can use the following procedure.

• If you are not familiar with encodings files, consult Trusted Extensions Label Administration for requirements, procedures, and examples.

---

Caution - You must successfully install labels before continuing, or the configuration will fail.

---

Before You Begin

You are the security administrator. The security administrator is responsible for editing, checking, and maintaining the label_encodings file. If you plan to edit the label_encodings file, make sure that the file itself is writable. For more information, see the label_encodings(4) man page.

To edit the label_encodings file, you must be in the root role.

1. Copy the label_encodings file to the disk.

   To copy from portable media, see How to Copy Files From Portable Media in Trusted Extensions.

2. In a terminal window, check the syntax of the file.
   1. Run the chk_encodings command.

      # /usr/sbin/chk_encodings /full-pathname-of-label-encodings-file

   2. Read the output and do one of the following:
      • Resolve errors.

        If the command reports errors, the errors must be resolved before continuing. For assistance, see Chapter 3, Creating a Label Encodings File (Tasks), in Trusted Extensions Label Administration

      • Make the file the active label_encodings file.

        # cp /full-pathname-of-label-encodings-file \ /etc/security/tsol/label.encodings.site
        # cd /etc/security/tsol
        # cp label_encodings label_encodings.tx.orig
        # cp label.encodings.site label_encodings

   ---

   Caution - Your label_encodings file must pass the Check Encodings test before you continue.

   ---

Example 4-1 Checking label_encodings Syntax on the Command Line

In this example, the administrator tests several label_encodings files by using the command line.

# /usr/sbin/chk_encodings /var/encodings/label_encodings1
No errors found in /var/encodings/label_encodings1
# /usr/sbin/chk_encodings /var/encodings/label_encodings2
No errors found in /var/encodings/label_encodings2

When management decides to use the label_encodings2 file, the administrator runs a semantic analysis of the file.

# /usr/sbin/chk_encodings -a /var/encodings/label_encodings2
No errors found in /var/encodings/label_encodings2

---> VERSION = MYCOMPANY LABEL ENCODINGS  2.0 10/10/2010

---> CLASSIFICATIONS <---

   Classification 1: PUBLIC
   Initial Compartment bits: 10
   Initial Markings bits: NONE

---> COMPARTMENTS AND MARKINGS USAGE ANALYSIS <---
...
---> SENSITIVITY LABEL to COLOR MAPPING <---
...

The administrator prints a copy of the semantic analysis for her records, then moves the file to the /etc/security/tsol directory.

# cp /var/encodings/label_encodings2 /etc/security/tsol/label.encodings.10.10.10
# cd /etc/security/tsol
# cp label_encodings label_encodings.tx.orig
# cp label.encodings.10.10.10 label_encodings

Finally, the administrator verifies that the label_encodings file is the company file.

# /usr/sbin/chk_encodings -a /etc/security/tsol/label_encodings | head -4
No errors found in /etc/security/tsol/label_encodings

---> VERSION = MYCOMPANY LABEL ENCODINGS  2.0 10/10/2010

Next Steps

You must reboot the system before creating labeled zones.

How to Enable IPv6 Networking in Trusted Extensions

---

Caution - The txzonemgr script does not support IPv6 address syntax. Therefore, you use the tncfg command to add IPv6 hosts to your Trusted Extensions network. For examples, see Trusted Network Fallback Mechanism and Example 16-11.

---

CIPSO options do not have an Internet Assigned Numbers Authority (IANA) number to use in the IPv6 Option Type field of a packet. The entry that you set in this procedure supplies a number to use on the local network until IANA assigns a number for this option. Trusted Extensions disables IPv6 networking if this number is not defined.

To enable an IPv6 network in Trusted Extensions, you must add an entry in the /etc/system file.

Before You Begin

You are in the root role in the global zone.

• Type the following entry into the /etc/system file:

  set ip:ip6opt_ls = 0x0a

Troubleshooting

• If error messages during boot indicate that your IPv6 configuration is incorrect, correct the entry:

  • Verify that the entry is spelled correctly.

  • Verify that the system has been rebooted after adding the correct entry to the /etc/system file.

• If you add Trusted Extensions to an Oracle Solaris system that currently has IPv6 enabled, but you fail to add the IP entry in /etc/system, you see the following error message: t_optmgmt: System error: Cannot assign requested address time-stamp

Next Steps

You must reboot the system before creating labeled zones.

How to Configure the Domain of Interpretation

All communications to and from a system that is configured with Trusted Extensions must follow the labeling rules of a single CIPSO Domain of Interpretation (DOI). The DOI that is used in each message is identified by an integer number in the CIPSO IP Option header. By default, the DOI in Trusted Extensions is 1.

If your site does not use a DOI of 1, you must modify the doi value in every security template.

Before You Begin

You are in the root role in the global zone.

• Specify your DOI value in the default security templates.

  # tncfg -t cipso set doi=n
  # tncfg -t admin_low set doi=n

  ---

  Note - Every security template must specify your DOI value.

  ---

See Also

• Network Security Attributes in Trusted Extensions

• How to Create Security Templates

Next Steps

If you plan to use LDAP, go to Chapter 5, Configuring LDAP for Trusted Extensions (Tasks). You must configure LDAP before you create labeled zones.

Otherwise, continue with Creating Labeled Zones.