How to Create a Single-Label Encodings File (Solaris Trusted Extensions Label Administration)

Solaris Trusted Extensions Label Administration

How to Create a Single-Label Encodings File

Certain labels must always be present in a label_encodings file:

One sensitivity label in the user accreditation range must be defined
One clearance in the user accreditation range must be defined
One information label in the user accreditation range must be defined

Before You Begin

You must be in the Security Administrator role in the global zone.

Edit an encodings file.

Use the Edit Encodings action. For details, see How to Create a label_encodings File. Provide a name that is different from the installed label_encodings file.

Create an encodings file with only one classification and only the desired compartments.

For example, you could set up an encodings file with the INTERNAL_USE_ONLY classification, and specify no words.

VERSION= Single-Label Encodings

. . .
CLASSIFICATIONS:

name= INTERNAL_USE_ONLY;       sname= INTERNAL;  value= 5;

INFORMATION LABELS:

WORDS:

SENSITIVITY LABELS:

WORDS:

CLEARANCES:

WORDS:

CHANNELS:

WORDS:

PRINTER BANNERS:

WORDS:

In the ACCREDITATION RANGE section, include only one classification and one valid compartment combination.

The following example encodes the INTERNAL classification.

ACCREDITATION RANGE:

classification= INTERNAL;
only valid compartment combinations:

INTERNAL

minimum clearance= INTERNAL;
minimum sensitivity label= INTERNAL;
minimum protect as classification= INTERNAL;

Encode the LOCAL DEFINITIONS section.

For details, see Chapter 5, Customizing LOCAL DEFINITIONS.

Ensure that the file is syntactically correct.
- If the file does not pass chk_encodings, see How to Debug a label_encodings File
- Otherwise, continue with How to Analyze and Verify the label_encodings File.

(Optional) Configure labels so that they are not visible to users.

For the steps, see How to Hide Labels From a User in Solaris Trusted Extensions Administrator’s Procedures.

Example 3–8 Defining the Accreditation Range in a Single-Label Encodings File

The following example shows the settings in the ACCREDITATION RANGE: section. A single ANY_CLASS classification is defined. Compartments words A, B, and REL CNTRY 1 are specified for all types of labels.

ACCREDITATION RANGE:

classification= ANY_CLASS;      only valid compartment combinations:

ANY_CLASS A B REL CNTRY1

minimum clearance= ANY_CLASS A B REL CNTRY1;
minimum sensitivity label= ANY_CLASS A B REL CNTRY1;
minimum protect as classification= ANY_CLASS;

Example 3–9 Changing the Single Label Name

In this example, the label_encodings.example file is changed to handle a single-label company. The name= value is changed from SECRET to INTERNAL_USE_ONLY. The sname= value is changed from s to INTERNAL. Neither the value= nor the initial compartments= definition is changed.

CLASSIFICATIONS:
name= INTERNAL_USE_ONLY;  sname= INTERNAL;  value= 5; initial compartments= 4-5
190-239;

In the ACCREDITATION RANGE section, the short name of the classification is replaced. Also, the minimums are replaced with the new sname.

ACCREDITATION RANGE:

classification= INTERNAL;      only valid compartment combinations:

INTERNAL

minimum clearance= INTERNAL;
minimum sensitivity label= INTERNAL;
minimum protect as classification= INTERNAL;