NAME | SYNOPSIS | DESCRIPTION | ATTRIBUTES | EXAMPLES | FILES | SEE ALSO | NOTES | WARNINGS
/etc/security/tsol/tnidb
The tnidb database specifies the accreditation range and default security attributes for each network interface. The following set of default attributes applies to any network interface that does not have an entry in this file:
min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_label=ADMIN_LOW;def_cl=ADMIN_HIGH;forced_privs=empty;
Each entry in the interface database consists of one long line, with fields of the entry separated by semicolons (;):
interface_name:field1;field2;field3;fieldn;
A pound sign (#) as the first character of a line indicates a comment line, which is ignored. Each entry consists of a line of this form:
interface_name:min_sl=value;max_sl=value;def_label=value; def_cl=value;forced_privs=value;
The width of this man page prevents showing the foregoing entry on a single line. However, each entry in the database must be a single line.
The first field for each entry is the interface name. Each entry must contain valid specifications for the accreditation range of the interface for all enforceable security attributes. All fields are mandatory; each entry contains these fields:
min_sl, max_sl
Specify the accreditation range of the interface. Only packets with a sensitivity label within the specified accreditation range are allowed into or out of the interface. For a configuration that allows traffic at all labels, the range should be admin_low (in hex) to admin_high (in hex).
def_label
Apply this default label to a packet received from an approved remote host that does not support mandatory access control. Under these conditions, all packets imported through the interface that do not carry a sensitivity label are assigned this default label.
def_cl
Apply this default clearance to a packet received from an approved remote host that does not support mandatory access control.
forced_privs
Define the effective privileges to be applied to an incoming packet received from a host that does not support privileges. The format of the privilege set is:
forced_privs=priv[,priv][...]|none|empty|all
where:
priv
The text string (such as net_mac_read) for a privilege; several privileges are separated by commas. (forced_privs=net_mac_read)
none
Apply no privileges. (forced_privs=none)
empty
Take the default from tnidb. (forced_privs=empty)
all
Apply all privileges. (forced_privs=all)
Any default label, default clearance, and forced privilege values specified in the trusted network databases apply only to incoming packets that do not already carry those attributes.
Any values for a remote host specified through tnrhdb(4) or tnrhtp(4) entries take precedence over values specified in this database for the network interface through which the remote host is accessed.
All labels are specified in their hex format.
If this database is modified while the network is up, the changes do not take effect until tnctl(1M) updates the interface entries.
Errors in the format of this file can be detected by tnchkdb(1M), which should be run on each database once it has been created or modified. (Refer to the tnchkdb man page for more information.)
/etc/security/tsol/tnidb should have a sensitivity label of admin_low, with permission bits 444, owner sys, and group sys.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
---|---|
Availability | SUNWtsr |
For the sake of clarity on this man page, examples are shown using a continuation character (\). In the database file, however, the backslash is not permitted because each entry is made on a single line.
#
# Sample interface entries.
#
lo0:min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
    max_sl=0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;\
    def_label=0x00040c000000000000000000000000000000000000000000000000ffffffffffffff;\
    def_cl=0x000600000000000000000000000000000000000000000000000000ffffffffffffff;\
    forced_privs=none;
#
# Note that default values are not necessary for loopback interfaces
# because ALL attributes are to accompany the data, and default values
# are only for unlabeled hosts.
#
le0:min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
    max_sl=0x000600000000000000000000000000000000000000000000000000ffffffffffffff;\
    def_label=0x00040c000000000000000000000000000000000000000000000000ffffffffffffff;\
    def_cl=0x000600000000000000000000000000000000000000000000000000ffffffffffffff;\
    forced_privs=none;
le1:min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
    max_sl=0x000600000000000000000000000000000000000000000000000000ffffffffffffff;\
    def_label=0x00040c000000000000000000000000000000000000000000000000ffffffffffffff;\
    def_cl=0x000600000000000000000000000000000000000000000000000000ffffffffffffff;\
    forced_privs=none;
This sample accreditation range for interfaces le0 and le1 specifies that only packets with a sensitivity label that dominates admin_low and is dominated by TS NATIONALITY: CNTRY1/CNTRY2 are allowed into or out of those interfaces.
Note that interpretations vary by definitions in the label_encodings(4) file.
The colon (:) character is a database separation character, so it must be escaped with a backslash (\) if used as part of a data field, as in fe80\:\:a00\:20ff\:fea0\:21f7.
For proper functioning, the loopback interface and the primary interface need min_sl set to admin_low (in hex) and max_sl set to admin_high (in hex).
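The following Python checker is an added example; it is not code from this man page or from Trusted Solaris, and tnchkdb(1M) remains the tool to run on the real file. It applies the rules stated in DESCRIPTION and NOTES (one entry per line, interface_name followed by a colon and five mandatory semicolon-terminated fields, hex labels, the forced_privs grammar, backslash-escaped colons) and the range rule from WARNINGS for the loopback and primary interfaces. Assumptions: admin_low is the all-zero hex label and admin_high the 0x7fff...f label, as in the lo0 sample above; the primary interface name is supplied by the caller; the interface names hme0, qfe0 and le2 in the constructed sample are hypothetical; privilege names are taken to be lowercase identifiers such as net_mac_read.

```python
"""Validator for /etc/security/tsol/tnidb entries (added example; not code from
the tnidb(4) man page or from Trusted Solaris; tnchkdb(1M) stays authoritative).
Rules applied are the page's: one entry per line, "interface_name:" then
';'-terminated key=value fields, all five fields mandatory, labels in hex,
forced_privs=priv[,priv]...|none|empty|all, ':' in a field escaped as '\\:',
and (WARNINGS) lo0 and the primary interface spanning admin_low..admin_high."""
import re

FIELDS = ("min_sl", "max_sl", "def_label", "def_cl", "forced_privs")
HEX_LABEL = re.compile(r"^0x[0-9a-fA-F]+$")
ADMIN_LOW = re.compile(r"^0x0+$")    # assumption: all-zero label (page's lo0 min_sl)
ADMIN_HIGH = re.compile(r"^0x7f+$")  # assumption: 0x7fff...f label (page's lo0 max_sl)
PRIV_NAME = re.compile(r"^[a-z][a-z0-9_]*$")  # assumption: e.g. net_mac_read


def split_entry(line):
    """Return (name, [fields]); '\\:' in the name is an escaped colon (NOTES)."""
    name, i = [], 0
    while i < len(line):
        if line.startswith("\\:", i):
            name.append(":")
            i += 2
        elif line[i] == ":":
            break
        else:
            name.append(line[i])
            i += 1
    else:
        raise ValueError("no ':' separating interface name from fields")
    rest = line[i + 1:]
    if not rest.endswith(";"):
        raise ValueError("every field must be terminated by ';'")
    return "".join(name), rest[:-1].split(";")


def check_forced_privs(value):
    """forced_privs=priv[,priv]...|none|empty|all (DESCRIPTION)."""
    if value in ("none", "empty", "all"):
        return
    if not all(PRIV_NAME.match(p) for p in value.split(",")):
        raise ValueError("forced_privs must be priv[,priv]...|none|empty|all")


def parse_entry(line):
    """Parse one entry into (interface, {field: value}); ValueError on any error."""
    if line.endswith("\\"):
        raise ValueError("backslash continuation is not permitted; each entry must be one line")
    iface, fields = split_entry(line)
    if not iface:
        raise ValueError("empty interface name")
    attrs = {}
    for field in fields:
        key, sep, value = field.partition("=")
        if not sep or key not in FIELDS or key in attrs:
            raise ValueError("bad or duplicate field %r" % field)
        attrs[key] = value
    missing = [k for k in FIELDS if k not in attrs]
    if missing:
        raise ValueError("missing mandatory field(s): %s" % ", ".join(missing))
    for key in FIELDS[:4]:  # the four label fields must be hex labels
        if not HEX_LABEL.match(attrs[key]):
            raise ValueError("%s must be a hex label, got %r" % (key, attrs[key]))
    check_forced_privs(attrs["forced_privs"])
    return iface, attrs


def check_tnidb(text, primary=None):
    """Check a whole file; return [(lineno, message), ...], empty when clean."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or raw.startswith("#"):
            continue  # blank line or comment line
        try:
            iface, attrs = parse_entry(line)
        except ValueError as err:
            problems.append((lineno, str(err)))
            continue
        if iface == "lo0" or iface == primary:  # WARNINGS range requirement
            if not ADMIN_LOW.match(attrs["min_sl"]):
                problems.append((lineno, "%s: min_sl must be admin_low" % iface))
            if not ADMIN_HIGH.match(attrs["max_sl"]):
                problems.append((lineno, "%s: max_sl must be admin_high" % iface))
    return problems


# Constructed sample (not the page's file). The four labels are copied from the
# page's lo0 entry; hme0 is a hypothetical primary interface whose max_sl is
# deliberately below admin_high, qfe0 lacks def_cl, and le2 uses a continuation.
LO = "0x00000000000000000000000000000000000000000000000" "000000000000000000000"
HI = "0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" "ffffffff"
DL = "0x00040c0000000000000000000000000000000000000000" "00000000ffffffffffffff"
DC = "0x00060000000000000000000000000000000000000000000" "0000000ffffffffffffff"
SAMPLE = "\n".join([
    "# sample interface entries",
    "lo0:min_sl=%s;max_sl=%s;def_label=%s;def_cl=%s;forced_privs=none;" % (LO, HI, DL, DC),
    "hme0:min_sl=%s;max_sl=%s;def_label=%s;def_cl=%s;forced_privs=net_mac_read;" % (LO, DC, DL, DC),
    "le1:min_sl=%s;max_sl=%s;def_label=%s;def_cl=%s;forced_privs=empty;" % (LO, DC, DL, DC),
    "qfe0:min_sl=%s;max_sl=%s;def_label=%s;forced_privs=none;" % (LO, DC, DL),
    "le2:min_sl=%s;\\" % LO,
])

if __name__ == "__main__":
    for lineno, msg in check_tnidb(SAMPLE, primary="hme0"):
        print("line %d: %s" % (lineno, msg))
```

Run against a real file with check_tnidb(open("/etc/security/tsol/tnidb").read(), primary="<your primary interface>"); an empty list means the file passed these checks, but still run tnchkdb(1M) and, if the network is up, tnctl(1M) as the page directs.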