To Ensure Labels Map to CIPSO Labels

See the discussion in "Cautions About Mapping Labels to CIPSO Labels".

1. Assume the Security Administrator role on the forwarding host and go to an ADMIN_LOW workspace.

   See "Assuming a Role and Working in a Role Workspace" in Trusted Solaris Administrator's Procedures, if needed.

2. Use the Admin Editor action to open the /etc/system file for editing.

   See "Accessing the Administration Tools" in Trusted Solaris Administrator's Procedures, if needed.

3. Add a line to set the tsol_admin_high_to_cipso flag equal to 1.

   set tsolsys:tsol_admin_high_to_cipso=1

   The default in the kernel, which is not shown in the system file, is set to 0.

4. Write and quit the file.

   :wq

5. Make sure that no label in the user accreditation range has the classification value of 255 with all compartment bits from 0 to 239.

   This step ensures that no label is indistinguishable from ADMIN_HIGH after mapping.

6. Make sure that no user label has compartments numbered above 239.

   This step ensures that all labels are mappable to CIPSO labels.