NAME | SYNOPSIS | DESCRIPTION | ATTRIBUTES | EXAMPLES | FILES | SEE ALSO | WARNINGS
/etc/security/tsol/tnidb
The tnidb database specifies the accreditation range and default security attributes for each network interface. Network traffic is not permitted for any interface, including the loopback interface, unless the interface has a valid entry.
Each entry in the interface database consists of one long line, with fields of the entry separated by semicolons (;):
interface_name:field1;field2;field3;fieldn;
A pound sign (#) as the first character of a line indicates a comment line, which is ignored. Each entry consists of a line of this form:
interface_name:min_sl=value;max_sl=value;def_label=value;def_cl=value;def_uid=value;def_gid=value;forced_privs=value;
The width of this man page prevents showing the foregoing entry on a single line. However, each entry in the database must be a single line.
The first field for each entry is the interface name. Each entry must contain valid specifications for the accreditation range of the interface for all enforceable security attributes. All fields are mandatory; each entry contains these fields:
min_sl=value, max_sl=value
    Specify the accreditation range of the interface. Only packets with a sensitivity label within the specified accreditation range are allowed into or out of the interface. For a configuration that allows for traffic at all labels, the range should be ADMIN_LOW (in hex) to ADMIN_HIGH (in hex).

def_label=value
    Apply this default label to a packet received from an approved remote host that does not support mandatory access control. Under these conditions, all packets imported from the interface that are not labeled with a sensitivity label or information label are assigned this default label. If an information label is not specified, ADMIN_LOW will be used.

def_cl=value
    Apply this default clearance to a packet received from an approved remote host that does not support mandatory access control.

def_uid=value, def_gid=value
    Apply this default effective user ID and default effective group ID to a packet. Specify the def_uid and def_gid fields by using the user ID name and the group ID name, respectively.

forced_privs=value
    Define the effective privileges to be applied to an incoming packet received from a host that does not support privileges. The format of the privilege set is:

    forced_privs=priv[,priv][...]|none|empty|all

    where:

    priv     The text string for a privilege, such as net_mac_read. (forced_privs=net_mac_read)
    none     Apply no privileges. (forced_privs=none)
    empty    Take the default from tnidb. (forced_privs=empty)
    all      Apply all privileges. (forced_privs=all)
The default entries for a particular host specified in the tnrhdb(4) database take precedence over default entries specified for an interface in this database, and the specified values are applied only on incoming packets that do not have any attributes.
All labels are specified in their hex format.
If this database is modified while the network is up, the changes do not take effect until tnctl(1M) updates the interface entries.
Errors in the format of this file can be detected by tnchkdb(1M), which should be run on each database once it has been created or modified. (Refer to the tnchkdb man page for more information.)
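The format rules above (one entry per line, every field mandatory, labels in hex, the forced_privs grammar) can be checked mechanically. The following Python checker is an added example for this page; it is not tnchkdb and not part of this man page, and its sample entries are constructed with shortened placeholder labels.

```python
import re
# Every tnidb entry must carry all of these fields (tnidb(4) DESCRIPTION).
MANDATORY = ("min_sl", "max_sl", "def_label", "def_cl", "def_uid", "def_gid", "forced_privs")
LABELS = ("min_sl", "max_sl", "def_label", "def_cl")     # always written in hex, optionally in [ ]
HEX_LABEL = re.compile(r"^(0x[0-9a-fA-F]+|\[0x[0-9a-fA-F]+\])$")
PRIV = re.compile(r"^[a-z][a-z0-9_]*$")                   # one privilege name, e.g. net_mac_read

def parse_entry(line):  # 'ifname:key=value;...;' -> (ifname, {key: value}); ValueError if malformed
    ifname, sep, rest = line.partition(":")
    if not sep or not ifname or not rest.endswith(";"):
        raise ValueError("expected 'ifname:field=value;...;'")
    fields = {}
    for item in rest[:-1].split(";"):
        key, eq, value = item.partition("=")
        if not eq or key in fields:
            raise ValueError("malformed or duplicate field %r" % item)
        fields[key] = value
    return ifname, fields

def check_entry(ifname, fields):
    """Return the problems found in one parsed entry (an empty list means none)."""
    problems = ["%s: missing %s" % (ifname, k) for k in MANDATORY if k not in fields]
    problems += ["%s: unknown field %s" % (ifname, k) for k in fields if k not in MANDATORY]
    problems += ["%s: %s is not a hex label" % (ifname, k)
                 for k in LABELS if k in fields and not HEX_LABEL.match(fields[k])]
    privs = fields.get("forced_privs", "none")           # a missing field is reported above
    if privs not in ("none", "empty", "all") and not all(PRIV.match(p) for p in privs.split(",")):
        problems.append("%s: bad forced_privs %r" % (ifname, privs))
    return problems

def check_tnidb(text):
    """Check a tnidb file body: '#' lines are comments and every entry is one line."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            if line.endswith("\\"):                      # the man page's \ is for display only
                raise ValueError("continuation backslash not permitted in the file")
            problems += check_entry(*parse_entry(line))
        except ValueError as e:
            problems.append("line %d: %s" % (n, e))
    return problems
# Constructed sample; labels are shortened placeholders, real entries use full-length hex labels.
SAMPLE = """# a '#' line is a tnidb comment
lo0:min_sl=0x00;max_sl=0x7f;def_label=0x04;def_cl=0x06;def_uid=nobody;def_gid=nobody;forced_privs=none;
le0:min_sl=0x00;max_sl=0x06;def_label=[0x04];def_cl=0x06;def_uid=nobody;def_gid=nobody;forced_privs=net_mac_read;
le1:min_sl=ADMIN_LOW;max_sl=0x06;def_label=0x04;def_cl=0x06;def_uid=nobody;def_gid=nobody;\\
"""
```

check_tnidb(SAMPLE) reports only the le1 line, whose trailing backslash would be rejected in a real database file.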
/etc/security/tsol/tnidb should have a sensitivity label of ADMIN_LOW with permission bits 444, owner sys, and group sys.
See attributes(5) for descriptions of the following attributes:
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|---|---|
| Availability | SUNWtsr |
For the sake of clarity on this man page, examples are shown using a continuation character (\). In the database file, however, the backslash is not permitted because each entry is made on a single line.
#
# Sample interface entries.
#
lo0:min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
    max_sl=0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;\
    def_label=0x00040c000000000000000000000000000000000000000000000000ffffffffffffff;\
    def_cl=0x000600000000000000000000000000000000000000000000000000ffffffffffffff;\
    def_uid=nobody;\
    def_gid=nobody;\
    forced_privs=none;
# Note that default values are not necessary for loopback interfaces
# because ALL attributes are to accompany the data, and default values
# are only for unlabeled hosts.
#
#
le0:min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
    max_sl=0x000600000000000000000000000000000000000000000000000000ffffffffffffff;\
    def_label=0x00040c000000000000000000000000000000000000000000000000ffffffffffffff;\
    def_cl=0x000600000000000000000000000000000000000000000000000000ffffffffffffff;\
    def_uid=nobody;\
    def_gid=nobody;\
    forced_privs=none;
le1:min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
    max_sl=0x000600000000000000000000000000000000000000000000000000ffffffffffffff;\
    def_label=[0x00040c000000000000000000000000000000000000000000000000ffffffffffffff];\
    def_cl=0x000600000000000000000000000000000000000000000000000000ffffffffffffff;\
    def_uid=nobody;\
    def_gid=nobody;\
    forced_privs=none;
This sample accreditation range for interfaces le0 and le1 specifies that only packets with a sensitivity label that dominates ADMIN_LOW and is dominated by TS NATIONALITY: CNTRY1/CNTRY2 are allowed into or out of those interfaces.
Note that interpretations vary by definitions in the label_encodings(4) file.
For proper functioning, the loopback and primary interface need the min_sl to be ADMIN_LOW (in hex) and the max_sl to be ADMIN_HIGH (in hex).