See the discussion in "Cautions About Mapping Labels to CIPSO Labels".
Assume the Security Administrator role on the forwarding host and go to an ADMIN_LOW workspace.
See "Assuming a Role and Working in a Role Workspace" in Trusted Solaris Administrator's Procedures, if needed.
Use the Admin Editor action to open the /etc/system file for editing.
See "Accessing the Administration Tools" in Trusted Solaris Administrator's Procedures, if needed.
Add a line to set the tsol_admin_high_to_cipso flag equal to 1.
set tsolsys:tsol_admin_high_to_cipso=1
The default in the kernel, which is not shown in the system file, is set to 0.
Write and quit the file.
:wq
Make sure that no label in the user accreditation range has the classification value of 255 with all compartment bits from 0 to 239.
This step ensures that no label is indistinguishable from ADMIN_HIGH after mapping.
Make sure that no user label has compartments numbered above 239.
This step ensures that all labels are mappable to CIPSO labels.
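The two label checks above can be run over a list of user labels. The following is an added example, not part of the original manual or of Trusted Solaris. The (name, classification, compartment numbers) representation, the function names and the sample labels are constructed for illustration, and "all compartment bits from 0 to 239" is read as all of those bits being set.

```python
# Added example: audit user labels against the two CIPSO mapping checks.
# Labels are modelled as (name, classification, compartment bit numbers);
# this representation is an assumption, not the label_encodings file format.

CIPSO_MAX_COMPARTMENT = 239        # highest compartment number the page allows
ADMIN_HIGH_CLASSIFICATION = 255    # classification value named in the page
ALL_MAPPABLE_BITS = frozenset(range(CIPSO_MAX_COMPARTMENT + 1))  # bits 0..239


def audit_label(name, classification, compartments):
    """Return the findings for one label; an empty list means it passes."""
    comps = set(compartments)
    findings = []

    # Check 1: classification 255 with every bit 0..239 set would look
    # the same as ADMIN_HIGH once ADMIN_HIGH is mapped to a CIPSO label.
    if classification == ADMIN_HIGH_CLASSIFICATION and ALL_MAPPABLE_BITS <= comps:
        findings.append(f"{name}: indistinguishable from ADMIN_HIGH after mapping")

    # Check 2: any compartment numbered above 239 cannot be mapped.
    too_high = sorted(c for c in comps if c > CIPSO_MAX_COMPARTMENT)
    if too_high:
        findings.append(f"{name}: unmappable compartments {too_high}")

    return findings


def audit_labels(labels):
    """Audit every label and return all findings in input order."""
    findings = []
    for name, classification, compartments in labels:
        findings.extend(audit_label(name, classification, compartments))
    return findings


# Constructed sample labels (not taken from any real site's encodings).
SAMPLE_LABELS = [
    ("CONFIDENTIAL A B", 4, {1, 2}),           # passes both checks
    ("MAX ALL", 255, range(240)),              # collides with ADMIN_HIGH
    ("SECRET X", 5, {3, 240}),                 # compartment 240 is too high
    ("MAX PARTIAL", 255, range(239)),          # bit 239 clear, so no collision
]

if __name__ == "__main__":
    for finding in audit_labels(SAMPLE_LABELS):
        print(finding)
```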