When a template assigned to a computer is specified with one of the CIPSO label indicators, the trusted networking software derives a CIPSO label from the message's label and inserts the CIPSO label into the IP options portion of packets sent to that computer. For a label to map to and from a CIPSO label, the classification value must be less than or equal to 255 and all compartment bit numbers must be less than or equal to 239.
By default, a message to a CIPSO-identified host is dropped if it is sent with a sensitivity label that cannot be mapped to a CIPSO label. The ADMIN_HIGH label is too big to map to a CIPSO label, so, by default, a message sent at the ADMIN_HIGH label to a CIPSO-identified host is always dropped. To avoid this, the Security Administrator role can add the tsol_admin_high_to_cipso switch, set to 1, to the /etc/system file. Setting this switch causes the ADMIN_HIGH label on a packet to be mapped to a valid CIPSO label with the highest classification and all compartments turned on, instead of the packet being dropped. See "To Change Configurable Kernel Switch Settings" under "Changing and Accessing Security Information (Tasks)" in Trusted Solaris Administrator's Procedures.
If the switch is set so that the ADMIN_HIGH label is mapped, make sure that no label in the user accreditation range has the classification value of 255 with all compartment bits from 0 to 239 turned on. Otherwise, that user label would be indistinguishable from ADMIN_HIGH after mapping.
To ensure that all labels are mappable, be sure that no user label has compartments numbered above 239.
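The mapping rules above, as an added example (not Trusted Solaris code): it checks the 255/239 limits, applies the tsol_admin_high_to_cipso behaviour, flags user labels that would collide with mapped ADMIN_HIGH, and encodes the result as a CIPSO IP option. The ADMIN_HIGH internal value, the DOI, and the CIPSO tag type 1 bitmap layout are assumptions not taken from this page.

```python
from dataclasses import dataclass, field

MAX_CLASSIFICATION = 255   # CIPSO sensitivity level is a single octet
MAX_COMPARTMENT_BIT = 239  # CIPSO bitmap is at most 30 octets = bits 0..239


@dataclass(frozen=True)
class SensitivityLabel:
    classification: int
    compartments: frozenset = field(default_factory=frozenset)


# Constructed stand-in for ADMIN_HIGH: classification and compartments both exceed CIPSO limits.
ADMIN_HIGH = SensitivityLabel(0x7FFF, frozenset(range(256)))


def is_cipso_mappable(label):
    """A label maps to and from CIPSO only within the one-octet level and 240-bit bitmap."""
    return (label.classification <= MAX_CLASSIFICATION
            and all(0 <= b <= MAX_COMPARTMENT_BIT for b in label.compartments))


def to_cipso(label, tsol_admin_high_to_cipso=0):
    """Return (level, compartment bits) for the CIPSO label, or None when the packet is dropped."""
    if is_cipso_mappable(label):
        return (label.classification, frozenset(label.compartments))
    if label == ADMIN_HIGH and tsol_admin_high_to_cipso == 1:
        # Switch set: ADMIN_HIGH becomes highest classification with every compartment on.
        return (MAX_CLASSIFICATION, frozenset(range(MAX_COMPARTMENT_BIT + 1)))
    return None


def collides_with_mapped_admin_high(user_labels):
    """User accreditation range labels that become indistinguishable from mapped ADMIN_HIGH."""
    high = to_cipso(ADMIN_HIGH, tsol_admin_high_to_cipso=1)
    return [lbl for lbl in user_labels if to_cipso(lbl) == high]


def cipso_option(level, bits, doi=1):
    """Encode as IP option 134 carrying one tag type 1 (bitmap) tag; layout assumed from CIPSO spec."""
    nbytes = (max(bits) // 8 + 1) if bits else 0
    bitmap = bytearray(nbytes)
    for b in bits:
        bitmap[b // 8] |= 0x80 >> (b % 8)  # compartment 0 is the high-order bit of octet 0
    tag = bytes([1, 4 + nbytes, 0, level]) + bytes(bitmap)
    return bytes([134, 6 + len(tag)]) + doi.to_bytes(4, "big") + tag
```

With all 240 compartment bits set the option is exactly 40 bytes, the maximum IP options space, which is where the 239 limit comes from.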