Trusted Extensions Label Administration


Updated: July 2014
 
 

Encodings Files From Trusted Extensions

Oracle Solaris provides the following sample label_encodings files in the /etc/security/tsol directory. These samples can be modified to meet your site requirements.

label_encodings

Is installed by Trusted Extensions software as the default. This file uses commercial labels, such as Confidential: Need to Know.

label_encodings.example

Is similar to the example in Appendix A, Customized Encodings File for SecCompany.

The introduction to the appendix describes the label components in the file. Chapter 6, Example of Planning an Organization's Encodings File describes each step for creating this file.

label_encodings.gfi.single

Is the U.S. government single-level file.

label_encodings.single

Is Oracle Solaris's version of the U.S. government single-level file. The color assignments are different.

label_encodings.gfi.multi

Is the U.S. government multilevel file.

label_encodings.multi

Is Oracle Solaris's version of the U.S. government multilevel file. The combinations are less restricted, the minimum clearance is higher, the default user label is lower, and the colors are different.

Alternatively, you can build a label_encodings file from scratch. The syntax and structure of the label_encodings file are described in Encodings File Syntax.

Default label_encodings File

By default, the /etc/security/tsol/label_encodings file is installed with the following contents:

ACCREDITATION RANGE:
classification= PUB; all compartment combinations valid;

classification= SBX; all compartment combinations valid;

classification= CNF; all compartment combinations valid except:
CNF

minimum clearance= PUB;
minimum sensitivity label= PUB;
minimum protect as classification= PUB;

The ACCREDITATION RANGE definition restricts the user to the following label:

  • PUBLIC is defined as the lowest classification.

  • CONFIDENTIAL is defined as a higher classification.

  • SANDBOX is defined as the highest classification.

  • PUBLIC is defined as the minimum clearance.

  • PUBLIC is defined as the minimum sensitivity label.

  • PUBLIC is defined as the minimum “Protect As” classification.

The Classifications section of the default file is illustrated in the following figure.

Figure 2-2  Classifications in the Default label_encodings File

[Image: the CLASSIFICATIONS section of the label_encodings file, shown in text and in a picture.]

The Compartments section of the file is illustrated in the following figure.

Figure 2-3  Compartments in the Default label_encodings File

[Image: the SENSITIVITY LABELS: WORDS: section of the label_encodings file, shown in text and in a picture.]

Differences Between Simplified GFI Label Encodings Files

Oracle Solaris provides two government-furnished files, label_encodings.gfi.single and label_encodings.gfi.multi. The label_encodings.gfi.single file is a single-level file, and the label_encodings.gfi.multi file is a multilevel version of the single-level file. The files also differ in the settings in the ACCREDITATION RANGE section. The ACCREDITATION RANGE section describes which classifications and compartments are available to regular users.

Oracle Solaris also provides two simplified versions of these files, label_encodings.single and label_encodings.multi. The differences are described in the following sections.

Simplified GFI Multilevel Label Encodings File

The ACCREDITATION RANGE settings in the label_encodings.multi file follow:

ACCREDITATION RANGE:
classification= u;   all compartment combinations valid;
classification= c;   all compartment combinations valid;
classification= s;   all compartment combinations valid;
classification= ts;   all compartment combinations valid;

minimum clearance= c;
minimum sensitivity label= u;
minimum protect as classification= u;

The ACCREDITATION RANGE definition enables the site to use all the classifications and compartments that are defined in the label_encodings.multi file, as follows:

  • UNCLASSIFIED, CLASSIFIED, SECRET, and TOP SECRET are defined with all compartment combinations valid.

  • CLASSIFIED is defined as the minimum clearance.

  • UNCLASSIFIED is defined as the minimum sensitivity label.

  • UNCLASSIFIED is defined as the minimum protect as classification.

Simplified GFI Single-Level Label Encodings File

The ACCREDITATION RANGE settings in the label_encodings.single file follow:

ACCREDITATION RANGE:  classification= s;
only valid compartment combinations:  s a b rel cntry1
minimum clearance= s Able Baker NATIONALITY: CNTRY1;
minimum sensitivity label= s A B REL CNTRY1;
minimum protect as classification= s;

The ACCREDITATION RANGE definition restricts the user to the following label:

  • SECRET is defined as the only classification.

  • SECRET A B REL CNTRY1 is defined as the only valid compartment combination.

  • SECRET ABLE BAKER NATIONALITY: CNTRY1 is defined as the minimum clearance.

  • SECRET A B REL CNTRY1 is defined as the minimum sensitivity label.

  • SECRET is defined as the minimum “Protect As” classification.
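When you review a modified encodings file, it helps to compare its ACCREDITATION RANGE settings with a known sample. The following Python sketch is an added example, not part of Oracle Solaris or of the original page. It parses the label_encodings.multi and label_encodings.single excerpts shown above and reports each setting that differs. The function names (parse_range, single_label_only, diff_ranges) are hypothetical, and the parser assumes only the three compartment-rule phrasings that appear on this page.

```python
import re
# ACCREDITATION RANGE excerpts copied from this page.
MULTI = """ACCREDITATION RANGE:
classification= u;   all compartment combinations valid;
classification= c;   all compartment combinations valid;
classification= s;   all compartment combinations valid;
classification= ts;   all compartment combinations valid;
minimum clearance= c;
minimum sensitivity label= u;
minimum protect as classification= u;
"""
SINGLE = """ACCREDITATION RANGE:  classification= s;
only valid compartment combinations:  s a b rel cntry1
minimum clearance= s Able Baker NATIONALITY: CNTRY1;
minimum sensitivity label= s A B REL CNTRY1;
minimum protect as classification= s;
"""
MINIMUMS = ("minimum clearance", "minimum sensitivity label", "minimum protect as classification")
RULES = (("all compartment combinations valid except:", "all-except"),
         ("all compartment combinations valid;", "all"),
         ("only valid compartment combinations:", "only"))

def parse_range(text):
    """Parse one ACCREDITATION RANGE section into a flat {setting: value} dict."""
    body = re.split(r"ACCREDITATION RANGE:", text, flags=re.I)[1]
    # Cut at the first "minimum": "minimum protect as classification=" is not an entry.
    head = re.split(r"\bminimum\b", body, maxsplit=1, flags=re.I)[0]
    out = {}
    for chunk in re.split(r"classification\s*=", head, flags=re.I)[1:]:
        name, _, rest = (part.strip() for part in chunk.partition(";"))
        for phrase, rule in RULES:
            if rest.lower().startswith(phrase):
                combos = [ln.strip() for ln in rest[len(phrase):].splitlines() if ln.strip()]
                out["classification " + name] = (rule, combos)
                break
        else:
            raise ValueError(f"unrecognised compartment rule for {name!r}")
    for key in MINIMUMS:
        out[key] = re.search(re.escape(key) + r"\s*=\s*(.*?);", body, re.I | re.S).group(1).strip()
    return out

def single_label_only(ar):
    """True when the range confines regular users to exactly one label."""
    rules = [v for k, v in ar.items() if k.startswith("classification ")]
    return len(rules) == 1 and rules[0][0] == "only" and len(rules[0][1]) == 1

def diff_ranges(a, b):
    """Return {setting: (value_in_a, value_in_b)} for every setting that differs."""
    return {k: (a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)}
```

Calling diff_ranges(parse_range(MULTI), parse_range(SINGLE)) lists every classification and minimum that changes between the two files. A value of None marks a setting that is absent from one of them.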