/etc/security/tsol/tnidb
The tnidb database specifies the accreditation range and default security attributes for each network interface. The following set of default attributes applies to any network interface that does not have an entry in this file:
min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_label=ADMIN_LOW;def_cl=ADMIN_HIGH;forced_privs=empty;
Each entry in the interface database consists of one long line, with fields of the entry separated by semicolons (;):
interface_name:field1;field2;field3;fieldn;
A pound sign (#) as the first character of a line indicates a comment line, which is ignored. Each entry consists of a line of this form:
interface_name:min_sl=value;max_sl=value;def_label=value;def_cl=value;forced_privs=value;
Each entry in the database must be on a single line.
The first field for each entry is the interface name. Each entry must contain valid specifications for the accreditation range of the interface for all enforceable security attributes. All fields are mandatory; each entry contains these fields:
min_sl=value;max_sl=value
    Specify the accreditation range of the interface. Only packets with a sensitivity label within the specified accreditation range are allowed into or out of the interface. For a configuration that allows for traffic at all labels, the range should be admin_low (in hex) to admin_high (in hex).
def_label=value
    Apply this default label to a packet received from an approved remote host that does not support mandatory access control. Under these conditions, all packets imported from the interface that are not labeled with a sensitivity label are assigned this default label.
def_cl=value
    Apply this default clearance to a packet received from an approved remote host that does not support mandatory access control.
forced_privs=value
    Define the effective privileges to be applied to an incoming packet received from a host that does not support privileges. The format of the privilege set is:
        forced_privs=priv[,priv][...]|none|empty|all
    where
        priv    The text string for a privilege (such as net_mac_read). (forced_privs=net_mac_read)
        none    Apply no privileges. (forced_privs=none)
        empty   Apply no privileges. (forced_privs=empty)
        all     Apply all privileges. (forced_privs=all)
Any default label, clearance, and the forced privilege values specified in trusted network databases apply only on incoming packets that do not have the attributes.
Any values for a remote host specified through tnrhdb(4) or tnrhtp(4) entries take precedence over values specified in this database for the network interface through which the remote host is accessed.
All labels are specified in their hex format.
If this database is modified while the network is up, the changes do not take effect until tnctl(1M) updates the interface entries.
Errors in the format of this file can be detected by tnchkdb(1M), which should be run on each database once it has been created or modified. (Refer to the tnchkdb man page for more information.)
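As an added illustration, not tnchkdb or any Trusted Solaris code, the following Python parser applies the entry rules above (comment lines, one entry per line, escaped colons in logical interface names, five mandatory fields, hex labels, the forced_privs grammar) and returns the documented defaults for an interface that has no entry. The privilege-name pattern and the short hex labels in the sample are assumptions made for the example.

```python
import re

DEFAULT_ATTRS = {"min_sl": "ADMIN_LOW", "max_sl": "ADMIN_HIGH", "def_label": "ADMIN_LOW",
                 "def_cl": "ADMIN_HIGH", "forced_privs": "empty"}  # defaults for interfaces without an entry
LABEL_FIELDS = ("min_sl", "max_sl", "def_label", "def_cl")
HEX_LABEL = re.compile(r"^0x[0-9a-fA-F]+$")  # labels must be given in hex form
PRIV_NAME = re.compile(r"^[a-z_]+$")         # assumed shape of a privilege name (net_mac_read)

def parse_entry(line):
    """Parse one tnidb entry into (interface_name, {field: value}); ValueError if invalid."""
    # The interface name ends at the first colon that is not escaped as "\:" (hme0\:1).
    m = re.match(r"^((?:\\:|[^:])+):(.*)$", line)
    if not m:
        raise ValueError("no ':' after interface name: %r" % line)
    ifname = m.group(1).replace("\\:", ":")
    fields = {}
    for item in filter(None, m.group(2).split(";")):  # trailing ';' leaves an empty piece
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError("%s: field %r is not name=value" % (ifname, item))
        fields[key] = value
    missing = [k for k in DEFAULT_ATTRS if k not in fields]  # all five fields are mandatory
    if missing:
        raise ValueError("%s: missing field(s) %s" % (ifname, ", ".join(missing)))
    for k in LABEL_FIELDS:
        if not HEX_LABEL.match(fields[k]):
            raise ValueError("%s: %s must be a hex label, got %r" % (ifname, k, fields[k]))
    privs = fields["forced_privs"]
    if privs not in ("none", "empty", "all") and not all(map(PRIV_NAME.match, privs.split(","))):
        raise ValueError("%s: bad forced_privs %r" % (ifname, privs))
    return ifname, fields

def load_tnidb(text):
    """Parse a tnidb file: '#' lines are comments, each other non-blank line is one entry."""
    db = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            ifname, fields = parse_entry(line.strip())
            db[ifname] = fields
    return db

def interface_attrs(db, ifname):
    """Attributes in force for an interface: its own entry, or the defaults when it has none."""
    return db.get(ifname, DEFAULT_ATTRS)

SAMPLE_TNIDB = """# Constructed sample entries (short hex labels, not real label_encodings values).
lo0:min_sl=0x0000;max_sl=0x7fff;def_label=0x0000;def_cl=0x7fff;forced_privs=none;
hme0\\:1:min_sl=0x0000;max_sl=0x0006;def_label=0x0004;def_cl=0x0006;forced_privs=net_mac_read;
"""
```

The constructed sample is parsed with load_tnidb(SAMPLE_TNIDB); a name such as le0 that has no entry then resolves to DEFAULT_ATTRS through interface_attrs.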
The /etc/security/tsol/tnidb file is protected at label admin_low with permission bits 444, owner root, and group sys.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE
---|---
Availability | SUNWtsr
For the sake of clarity on this man page, examples are shown using a continuation character (\). In the database file, however, the backslash is not permitted because each entry is made on a single line.
    #
    # Sample interface entries.
    #
    lo0:min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
        max_sl=0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;\
        def_label=0x00040c000000000000000000000000000000000000000000000000ffffffffffffff;\
        def_cl=0x0006000000000000000000000000000000000000000000000000000000ffffffffffffff;\
        forced_privs=none;
    # Note that default values are not necessary for loopback interfaces
    # because ALL attributes are to accompany the data, and default values
    # are only for unlabeled hosts.
    #
    #
    le0:min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
        max_sl=0x0006000000000000000000000000000000000000000000000000000000ffffffffffffff;\
        def_label=0x00040c000000000000000000000000000000000000000000000000ffffffffffffff;\
        def_cl=0x0006000000000000000000000000000000000000000000000000000000ffffffffffffff;\
        forced_privs=none;
    le1:min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
        max_sl=0x0006000000000000000000000000000000000000000000000000000000ffffffffffffff;\
        def_label=0x00040c000000000000000000000000000000000000000000000000ffffffffffffff;\
        def_cl=0x0006000000000000000000000000000000000000000000000000000000ffffffffffffff;\
        forced_privs=none;
This sample accreditation range for interfaces le0 and le1 specifies that only packets with a sensitivity label that dominates admin_low and is dominated by TS NATIONALITY: CNTRY1/CNTRY2 are allowed in or out through those interfaces.
Note that interpretations vary by definitions in the label_encodings(4) file.
A physical network interface, for example hme0, can be associated with multiple logical interfaces, for example hme0:1, hme0:2, each of which can have a database entry.
Since the colon (:) character is a database separator character, logical interface names such as hme0:1 must be escaped with a backslash (\), as in hme0\:1.
A Trusted Solaris system acting as an intermediate router always uses the default label of the physical interface when applying a default label to a packet. This is true even if the physical interface, for example hme0, is associated with multiple logical interfaces, for example hme0:1 and hme0:2, each of which may have a different default label. In all other cases, the Trusted Solaris system uses the default label of the correct logical interface.
For proper functioning, the loopback and primary interface need the min_sl to be admin_low (in hex) and the max_sl to be admin_high (in hex).