Setting Up the Global Zone in Trusted Extensions

To customize your Trusted Extensions configuration, perform the procedures in the following task map. To install the default configuration, go to Creating Labeled Zones.

How to Check and Install Your Label Encodings File

Your encodings file must be compatible with any Trusted Extensions host with which you are communicating.

• If you are familiar with encodings files, you can use the following procedure.

• If you are not familiar with encodings files, consult Trusted Extensions Label Administration for requirements, procedures, and examples.

---

Caution - You must successfully install labels before continuing, or the configuration will fail.

---

Before You Begin

You are the security administrator. The security administrator is responsible for editing, checking, and maintaining the label_encodings file. If you plan to edit the label_encodings file, make sure that the file itself is writable. For more information, see the label_encodings(4) man page.

To edit the label_encodings file, you must be in the root role.

1. Copy the label_encodings file to the disk.

   To copy from portable media, see How to Copy Files From Portable Media in Trusted Extensions.

2. In a terminal window, check the syntax of the file.
   1. Run the chk_encodings command.

      # /usr/sbin/chk_encodings /full-pathname-of-label-encodings-file

   2. Read the output and do one of the following:
      • Resolve errors.

        If the command reports errors, the errors must be resolved before continuing. For assistance, see Chapter 3, Creating a Label Encodings File (Tasks), in Trusted Extensions Label Administration

      • Make the file the active label_encodings file.

        # cp /full-pathname-of-label-encodings-file \
         /etc/security/tsol/label.encodings.site
        # cd /etc/security/tsol
        # cp label_encodings label_encodings.tx.orig
        # cp label.encodings.site label_encodings

   ---

   Caution - Your label_encodings file must pass the Check Encodings test before you continue.

   ---

Example 4-1 Checking label_encodings Syntax on the Command Line

In this example, the administrator tests several label_encodings files by using the command line.

# /usr/sbin/chk_encodings /var/encodings/label_encodings1
No errors found in /var/encodings/label_encodings1
# /usr/sbin/chk_encodings /var/encodings/label_encodings2
No errors found in /var/encodings/label_encodings2

When management decides to use the label_encodings2 file, the administrator runs a semantic analysis of the file.

# /usr/sbin/chk_encodings -a /var/encodings/label_encodings2
No errors found in /var/encodings/label_encodings2

---> VERSION = MYCOMPANY LABEL ENCODINGS  2.0 10/10/2010

---> CLASSIFICATIONS <---

   Classification 1: PUBLIC
   Initial Compartment bits: 10
   Initial Markings bits: NONE

---> COMPARTMENTS AND MARKINGS USAGE ANALYSIS <---
...
---> SENSITIVITY LABEL to COLOR MAPPING <---
...

The administrator prints a copy of the semantic analysis for her records, then moves the file to the /etc/security/tsol directory.

# cp /var/encodings/label_encodings2 /etc/security/tsol/label.encodings.10.10.10
# cd /etc/security/tsol
# cp label_encodings label_encodings.tx.orig
# cp label.encodings.10.10.10 label_encodings

Finally, the administrator verifies that the label_encodings file is the company file.

# /usr/sbin/chk_encodings -a /etc/security/tsol/label_encodings | head -4
No errors found in /etc/security/tsol/label_encodings

---> VERSION = MYCOMPANY LABEL ENCODINGS  2.0 10/10/2010

Next Steps

You must reboot the system before creating labeled zones.

How to Configure an IPv6 CIPSO Network in Trusted Extensions

For IPv6, Trusted Extensions uses the Common Architecture Label IPv6 Security Option (CALIPSO) as the security labeling protocol. No configuration is required. If you must communicate with systems that run the obsolete Trusted Extensions IPv6 CIPSO protocol, perform this procedure. To communicate with other CALIPSO systems, do not perform this procedure.

---

Caution - A system that uses the CALIPSO for IPv6 protocol cannot communicate with any systems that use the obsolete TX IPv6 CIPSO protocol because these protocols are incompatible.

---

The obsolete Trusted Extensions IPv6 CIPSO options do not have an Internet Assigned Numbers Authority (IANA) number to use in the IPv6 Option Type field of a packet. The entry that you set in this procedure supplies a number to use on the local network.

Before You Begin

Perform this procedure if you must communicate with systems that use the proprietary yet obsolete Trusted Extensions IPv6 CIPSO security labeling option.

You are in the root role in the global zone.

• Type the following entry into the /etc/system file:

  set ip:ip6opt_ls = 0x0a

Troubleshooting

If error messages during boot indicate that your IPv6 CIPSO configuration is incorrect, correct the entry. For example, a misspelled entry produces the following message: sorry, variable 'ip6opt_1d' is not defined in the 'ip' module. Verify that the entry is spelled correctly.

• Correct the entry.

• Verify that the system has been rebooted after adding the correct entry to the /etc/system file.

Next Steps

You must reboot the system before creating labeled zones.

How to Configure a Different Domain of Interpretation

If your site does not use a Domain of Interpretation (DOI) of 1, you must modify the doi value in every security template. For more information, see Domain of Interpretation in Security Templates.

Before You Begin

You are in the root role in the global zone.

• Specify your DOI value in the default security templates.

  # tncfg -t cipso set doi=n
  # tncfg -t admin_low set doi=n

  ---

  Note - Every security template must specify your DOI value.

  ---

See Also

• Network Security Attributes in Trusted Extensions

• How to Create Security Templates

Next Steps

If you plan to use LDAP, go to Chapter 5, Configuring LDAP for Trusted Extensions (Tasks). You must configure LDAP before you create labeled zones.

Otherwise, continue with Creating Labeled Zones.