Rules for Protecting a REGISTERED File <meta http-equiv="refresh" content="0;url='http://www.oracle.com/pls/topic/lookup?ctx=solaris11'"> or Directory (Solaris Trusted Extensions Label Administration)

Solaris Trusted Extensions Label Administration

Rules for Protecting a `REGISTERED` File or Directory

The security administrator realizes that anyone with a clearance that includes the word REGISTERED can access any registered information anywhere in the company. Further precautions are needed. For example, users who have REGISTERED in their clearance must be instructed to use UNIX permissions to protect their files. Permissions should be set so that only the creator can look at or modify the file. The following example shows a user who is applying discretionary access control to protect the contents of a REGISTERED directory.

Example 6–2 Using DAC to Protect Registered Information

% plabel 
REGISTERED
% mkdir registered.dir
% chmod 700 registered.dir
% cd registered.dir
% touch registered.file
% ls -l
-rwxrwxrwx registered.file
% chmod 600 registered.file
% ls -l
-rw------- registered.file

As shown in the example, the user who creates a file or directory while working at an sensitivity label of REGISTERED needs to set the file's permissions to be read and write for the owner only. Directory permissions are set to be readable, writable, and searchable only by the owner. These permissions ensure that another user who can work at REGISTERED cannot read the file.

Rules for Protecting a REGISTERED File or Directory

Example 6–2 Using DAC to Protect Registered Information

Rules for Protecting a `REGISTERED` File or Directory