Before you label remote hosts and networks, review the provided security templates and ensure that you can reach the remote hosts and networks. For instructions, see the following:
View the security templates. See How to View Security Templates.
Determine if your site requires customized security templates. See Determining If You Need Site-Specific Security Templates.
Add systems and networks to the trusted network. See How to Add Hosts to the System's Known Network.
You can view the list of security templates and the contents of each template. The examples shown in this procedure use the default security templates.
# tncfg list cipso admin_low adapt netif
# tncfg -t cipso info name=cipso host_type=cipso doi=1 min_label=ADMIN_LOW max_label=ADMIN_HIGH host=127.0.0.1/32
The 127.0.0.1/32 entry in the preceding cipso security template identifies this system as labeled. When a peer assigns this system to the peer's remote host template with the host_type of cipso, the two systems can exchange labeled packets.
# tncfg -t admin_low info name=admin_low host_type=unlabeled doi=1 def_label=ADMIN_LOW min_label=ADMIN_LOW max_label=ADMIN_HIGH host=0.0.0.0/0
The 0.0.0.0/0 entry in the preceding admin_low security template enables all hosts that are not explicitly assigned to a security template to contact this system. These hosts are recognized as unlabeled.
The advantage of the 0.0.0.0/0 entry is that all hosts that this system requires at boot time, such as servers and gateways, can be found.
The disadvantage of the 0.0.0.0/0 entry is that any host on this system's network can contact this system. To restrict which hosts can contact this system, see How to Limit the Hosts That Can Be Contacted on the Trusted Network.
# tncfg -t adapt info name=adapt host_type=adapt doi=1 min_label=ADMIN_LOW max_label=ADMIN_HIGH host=0.0.0.0/0
An adapt template identifies an adaptive host, that is, an untrusted system that cannot have a default label. Instead, its label is assigned by its receiving trusted system. The label is derived from the default label of the IP interface that receives the packet, as specified by the labeled system's netif template.
# tncfg -t netif info name=netif host_type=netif doi=1 def_label=ADMIN_LOW min_label=ADMIN_LOW max_label=ADMIN_HIGH host=127.0.0.1/32
A netif template specifies a trusted local network interface, not a remote host. The default label of a netif template must equal the label of every zone with a dedicated network interface whose IP address matches a host address in that template. Additionally, the lower link that corresponds to the matching zone interface can be assigned only to other zones that share the same label.
After you add hosts and groups of hosts to a system's /etc/hosts file, the hosts are known to the system. Only known hosts can be added to a security template.
Before You Begin
You are in the root role in the global zone.
# pfedit /etc/hosts ... 192.0.2.12 ahost
# pfedit /etc/hosts ... 192.0.2.0 2-network