Solaris Trusted Extensions Label Administration

Planning for Supporting Procedures

The security administrator creates security policies to enforce the labeling scheme.

Rules for Protecting a REGISTERED File or Directory

The security administrator realizes that anyone with a clearance that includes the word REGISTERED can access any registered information anywhere in the company. Further precautions are needed. For example, users who have REGISTERED in their clearance must be instructed to use UNIX permissions to protect their files. Permissions should be set so that only the creator can look at or modify the file. The following example shows a user who is applying discretionary access control to protect the contents of a REGISTERED directory.


Example 6–2 Using DAC to Protect Registered Information


% plabel 
REGISTERED
% mkdir registered.dir
% chmod 700 registered.dir
% cd registered.dir
% touch registered.file
% ls -l
-rwxrwxrwx registered.file
% chmod 600 registered.file
% ls -l
-rw------- registered.file

As shown in the example, the user who creates a file or directory while working at a sensitivity label of REGISTERED needs to set the file's permissions to be read and write for the owner only. Directory permissions are set to be readable, writable, and searchable only by the owner. These permissions ensure that another user who can work at REGISTERED cannot read the file.
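The owner-only rule above is easy to state but easy to forget, so the following shell script is added here as a check the security administrator can run against a directory that holds REGISTERED information. It is not part of the guide or of Solaris; the function name audit_registered_tree and its optional "fix" argument are conventions of this script, and it relies only on POSIX find(1), ls(1), cut(1) and chmod(1).

```shell
#!/bin/sh
# Added example, not from the Trusted Extensions guide: report (and
# optionally repair) any file or directory under a REGISTERED directory
# whose DAC permissions grant group or other access.

# audit_registered_tree DIR [fix]
#   Prints every file or directory under DIR (DIR itself included) whose
#   mode string grants any group/other permission.  With "fix", tightens
#   each offender to the guide's rule: 600 for files, 700 for directories.
#   Returns 0 when the tree was already clean, 1 when an offender was found.
audit_registered_tree() {
    dir=$1
    fix=$2
    found=0
    # A here-document keeps the loop in the current shell so 'found'
    # survives; piping find into the loop would run it in a subshell.
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        # Columns 5-10 of 'ls -l' output are the rwx bits for group and other.
        others=$(ls -ld "$path" | cut -c5-10)
        [ "$others" = "------" ] && continue
        found=1
        printf '%s\n' "$path"
        if [ "$fix" = fix ]; then
            if [ -d "$path" ]; then chmod 700 "$path"; else chmod 600 "$path"; fi
        fi
    done <<EOF
$(find "$dir" \( -type d -o -type f \) -print)
EOF
    return $found
}
```

Paths containing newline characters are not handled by the line-oriented loop; run the audit as the owner of the tree, since only the owner (or root) may change the modes.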

Rules for Configuring Printers

The following table shows how printers that are available to various work groups need to be configured.

Table 6–1 Printer Label Range Example Settings in Various Locations

Printer Location               | Type of Access                                                                  | Label Range
-------------------------------|---------------------------------------------------------------------------------|------------------------------------------------
Lobby or public meeting room   | Anyone                                                                          | PUBLIC to PUBLIC
Internal company printer room  | Available to all employees and others who have signed nondisclosure agreements  | PUBLIC to INTERNAL_USE_ONLY
Restricted area for one group  | Members of group specified in the NEED_TO_KNOW group-name compartment           | NEED_TO_KNOW group-name to NEED_TO_KNOW group-name
Strictly controlled area       | Available only to people who have the REGISTERED classification in their clearance | REGISTERED to REGISTERED

See Chapter 21, Managing Labeled Printing (Tasks), in Solaris Trusted Extensions Administrator’s Procedures.

Rules for Handling Printer Output

People who have access to restricted printers will be instructed to do the following: