Cautions About Mapping Labels to CIPSO Labels

When a template assigned to a computer is specified with one of the CIPSO label indicators, the trusted networking software derives a CIPSO label from the message's label and inserts the CIPSO label into the IP options portion of packets sent to that computer. For a label to map to and from a CIPSO label, the classification value must be less than or equal to 255 and all compartment bit numbers must be less than or equal to 239.

By default, a message to a CIPSO-identified host is dropped if it is sent with a sensitivity label that cannot be mapped to a CIPSO label. The ADMIN_HIGH label is too big to map to a CIPSO label, so, by default, a message sent at the ADMIN_HIGH label to a CIPSO-identified host is always dropped. To avoid this, the Security Administrator role can add the tsol_admin_high_to_cipso switch set equal to 1 in the /etc/system file. Setting this switch causes the label on a packet to be mapped to a valid CIPSO label with the highest classification and all compartments turned on, instead of being dropped. See "To Change Configurable Kernel Switch Settings" under "Changing and Accessing Security Information (Tasks)" in Trusted Solaris Administrator's Procedures

If the switch is set so that the ADMIN_HIGH label is mapped, make sure that no label in the user accreditation range has the classification value of 255 with all compartment bits from 0 to 239. Otherwise, the user label would be indistinguishable from ADMIN_HIGH after mapping.

To ensure that all labels are mappable, be sure that no user label has compartments numbered above 239.