NAME | SYNOPSIS | DESCRIPTION | ATTRIBUTES | EXAMPLES | FILES | SEE ALSO | WARNINGS | NOTES
/etc/security/tsol/tnrhdb
The tnrhdb database specifies which remote-host template to use for each host, including the local host, in the distributed system. tnrhdb works together with the tnrhtp(4) database in allowing the administrator to establish the security and network accreditation attributes for each host. The trusted-network software uses a network "hierarchical fallback" mechanism in looking for a tnrhdb entry for a host. The software looks first for an entry specific to the host; if it does not find one, the software falls back to searching for a matching class-C network entry, and then a class-B entry, a class-A entry, and finally a wildcard entry (IP address 0.0.0.0). In the search for a class-C, a class-B, and a class-A entry, the network environment is assumed to be subnetted on a natural (octet) boundary. (Netmasks will be supported in a future release.) If a host's IP address cannot be matched to some entry in the tnrhdb database, communication with the host is not permitted.
Each entry consists of a line of this form:
IP_address:template_name
IP_address: This field is the IP address of the host or network that has the security properties specified by the template_name defined in the tnrhtp database. IP addresses are specified in the standard Internet decimal dotted notation. The IP addresses of the hosts and networks should match the IP addresses used for the hosts in the hosts(4) database.
template_name: This value must be a valid template name in the tnrhtp database. See the tnrhtp(4) man page for information on the security attributes. More than one IP address can use the same template. If this database is modified while the network is up, the changes do not take effect until after tnctl(1M) is used to update the remote-host entries. Administrators are allowed to add new entries and modify existing entries while the network is up.
Errors in the format of this file can be detected by running tnchkdb, which should be run every time the database is modified or created. Refer to the tnchkdb(1M) man page for more information.
/etc/security/tsol/tnrhdb should have a sensitivity label of ADMIN_LOW with permission bits 444, owner sys, and group sys.
See attributes(5) for descriptions of the following attributes:
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|---|---|
| Availability | SUNWtsr |
The following example shows a host that uses template unlabeled1, a host that uses template tsol, a subnet that uses template tsol, and a subnet that uses template unlabeled2; every other host uses the default template specified in the wildcard entry.
```
#
# Assume that templates default, tsol, unlabeled1, and unlabeled2 are
# defined in the tnrhtp(4) database.
#
# first one is the localhost entry
192.110.120.6:tsol
192.110.120.0:tsol
192.110.120.7:unlabeled1
192.110.121.0:unlabeled2
0.0.0.0:default
```
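As an added illustration (not part of this man page and not Trusted Solaris code), the following Python parses the example database above and applies the hierarchical fallback described in DESCRIPTION: host entry, then class-C, class-B and class-A network entries on octet boundaries, then the 0.0.0.0 wildcard. The function names are assumptions, and the database text is a constructed copy of the example.

```python
import re
from typing import Dict, List, Optional

# Constructed copy of the example tnrhdb database from this man page.
TNRHDB_TEXT = """\
#
# Assume that templates default, tsol, unlabeled1, and unlabeled2 are
# defined in the tnrhtp(4) database.
#
# first one is the localhost entry
192.110.120.6:tsol
192.110.120.0:tsol
192.110.120.7:unlabeled1
192.110.121.0:unlabeled2
0.0.0.0:default
"""

# One entry per line: IP_address:template_name
_ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):([A-Za-z0-9_]+)$")


def parse_tnrhdb(text: str) -> Dict[str, str]:
    """Map IP address/network -> template name; comments and blank lines are skipped.
    A malformed line raises ValueError (the kind of error tnchkdb(1M) would flag)."""
    db: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY_RE.match(line)
        if not m or any(int(o) > 255 for o in m.group(1).split(".")):
            raise ValueError(f"line {lineno}: malformed tnrhdb entry: {raw!r}")
        db[m.group(1)] = m.group(2)
    return db


def fallback_candidates(ip: str) -> List[str]:
    """Keys tried in order: host, class-C, class-B, class-A network, wildcard."""
    a, b, c, _d = ip.split(".")
    return [ip, f"{a}.{b}.{c}.0", f"{a}.{b}.0.0", f"{a}.0.0.0", "0.0.0.0"]


def lookup_template(db: Dict[str, str], ip: str) -> Optional[str]:
    """Template governing ip, or None when no entry matches (communication denied)."""
    for key in fallback_candidates(ip):
        if key in db:
            return db[key]
    return None


EXAMPLE_DB = parse_tnrhdb(TNRHDB_TEXT)
```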
For proper functioning, the primary host name must point to templates that have min_sl = ADMIN_LOW (in hex) and max_sl = ADMIN_HIGH (in hex).
Changing a template while the network is up can change the security view of an undetermined number of hosts.
The administrator may wish to make one tnrhdb entry for each host running Trusted Solaris 7 and compatible versions, and make one subnet entry that applies to all unlabeled hosts that have the same security attributes. Then, the administrator may make a separate entry for each host that must be assigned a different set of security attributes.