Planning labels requires setting up a hierarchy of sensitivity levels and a categorization of information in your environment. The label encodings file contains this type of information for your organization. You can use one of the label_encodings files supplied on the Trusted Solaris CD-ROM, modify one of the supplied files, or create a new label encodings file specific to your site. The file should include the SUN-specific local extensions (at least the COLOR NAMES section) when used in the Trusted Solaris environment.
The default label_encodings(4) file is useful for demos, but it is not a good choice for use by a customer site.
IMPORTANT: you must have the final version of the label encodings file ready prior to configuring the first workstation.
To learn more about the label encodings file, see Trusted Solaris Label Administration. You can also refer to Compartmented Mode Workstation Labeling: Encodings Format.
Planning labels also involves planning label configuration. After installation, you need to make the following decisions regarding the use of labels:
Single- or multiple-label environment -- If all of your non-administrative users can operate at the same security label, select a single-label system. Multiple-label environments are required for the FB1 level. If you want a no-label system, select single-label, and then hide the labels for all users.
Hide or display upgraded names in directories -- If you want to prevent a user (or intruder) from viewing the names of files or directories at higher levels than the current sensitivity label, choose this option.
After installation, you can make the following label configuration display changes using User Accounts:
Display administrative label names -- You can show the actual administrative label names, or show substitute names for the labels.
Hide or display labels -- You can hide or display labels on a per-user basis.
When localizing a label_encodings file, international customers should localize the label names only. The administrative label names, ADMIN_HIGH and ADMIN_LOW, must not be localized. All labeled workstations that you contact, from any vendor, must have label names that match the label names in the Trusted Solaris label_encodings file.
Each site should replace the label_encodings file provided on the Trusted Solaris CD with their own. Their file should have appropriate values for the label encodings keywords.