Trusted Solaris Label Administration

Defining the Set of Labels

In this section the set of labels is defined in lists that include all of the following required aspects of labels:

Classifications
Other words
Relations between and among the words
Classification restrictions associated with use of each word
Intended use of the words in mandatory access control (in sensitivity labels and clearances)
Intended use of the words in labeling system output.

Planning the Classifications

Because the four labels are hierarchical, they will be encoded as hierarchical classifications.

With the legal department's approval, the Security Administrator shortened the labels by omitting Solar Systems Proprietary/Confidential: from the label names. Classifications do not allow the use of a slash in the label, and long classifications make it difficult for employees to read the labels in the window system. The name of a label is truncated from right to left in the window frames. Because the truncated names of all the label names above PUBLIC would begin with the words SOLAR SYSTEMS PROPRIETARY CONFIDENTIAL, the truncated names would be indistinguishable without manually extending the frame for each window.

The Security Administrator defined the following labels:

REGISTERED
NEED_TO_KNOW
INTERNAL_USE_ONLY
PUBLIC

Planning the Compartments

The group names will be encoded as non-hierarchical compartments. Compartments will be restricted to appear only in labels that have the NEED_TO_KNOW classification. Compartments are restricted to appear with certain classifications by settings in the ACCREDITATION RANGE section under COMBINATION CONSTRAINTS.

User clearances will control which users can create files and directories with labels that include a group name, and user clearances will also control whether some users will be able to create documents whose labels have more than one group along with the NEED_TO_KNOW classification.

Planning the Use of Words in MAC

The classifications and compartments in sensitivity labels and user clearances are used in mandatory access control. Therefore, the legal department's hierarchical labels and the group names need to be encoded as classifications and compartments so that they can be used in the labels that control which individual employees can access files and do other work.

In the following example, Solar Systems, Inc. defines a sensitivity label with the PUBLIC classification, which is assigned the lowest value in the User Accreditation Range, and another sensitivity label with the INTERNAL_USE_ONLY classification with the next highest value above PUBLIC.

An employee with no authorizations whose clearance is PUBLIC and whose minimum label is PUBLIC is able to use the system as follows:

Works only in a PUBLIC workspace,
Creates files only at PUBLIC,
Reads email only at PUBLIC, and
Uses printers only if they have PUBLIC in their label range

In contrast, an employee with no authorizations whose clearance is INTERNAL_USE_ONLY is able to use the system as follows:
Works in either a PUBLIC or an INTERNAL_USE_ONLY workspace
Creates files at either PUBLIC or at INTERNAL_USE_ONLY (depending on what workspace the employee is currently in)
Receives and sends email at either sensitivity label.

Can print a file labeled PUBLIC on any printer with PUBLIC in its label range, and can send a file labeled INTERNAL_USE_ONLY to any printer with INTERNAL_USE_ONLY in its label range.

Planning the Use of Words in Labeling System Output

When the sensitivity label of a printer job contains a group name compartment, the mandatory printer banner and trailer pages will state:

Distribute Only To Group Name (Non-Disclosure Agreement Required)

Planning How to Label Printer Output Pages as Desired

The print without labels authorization allows a user or role to use the lp -o nolabels option to suppress the printing of top and bottom labels on body pages of a print job. The Security Administrator role can give the Print Without Labels authorization to everyone or to no one.

The Print PostScript File authorization allows a user to submit a PostScript file to the printer, which is normally not allowed because of the risk that a knowledgeable user can change the labels in the PostScript file.

To permit technical writers to produce master copies of documents without labels printed on them, the Security Administrator role gives the Print Without Labels and Print PostScript File authorizations to all the writers.

Planning for Supporting Procedures

Rules for Protecting a File or Directory Labeled with the REGISTERED Sensitivity Label

The Security Administrator realizes that anyone with a clearance that includes the word REGISTERED can access any registered information anywhere in the company unless certain additional precautions are taken. Therefore, those who have REGISTERED in their clearance must be instructed to use UNIX permissions, so that only the creator can look at or modify the file. See the following example.

Example 5-1 Using DAC to Protect Registered Information

trusted% getplabel 
R
trusted% mkdir registered.dir
trusted% chmod 700 registered.dir
trusted% cd registered.dir
trusted% touch registered.file
trusted% ls -l
-rwxrwxrwx registered.file
trusted% chmod 600 registered.file
trusted% ls -l
-rw------- registered.file

As shown in the example, the user who creates a file or directory while working at an sensitivity label of REGISTERED needs to set the file's permissions to be read and write for the owner only and to set the directory's permissions to be readable, writable, and searchable only by the owner. This ensures that another user who can work at REGISTERED cannot read the file.

Rules for Configuring Printers

Table 5-1 shows how printers in various locations accessible to various types of people need to be configured.

Table 5-1 Printer Label Range Example Settings in Various Locations


Printer Location	Type of Access	Label Range
lobby or public meeting room	Anyone	`PUBLIC` to `PUBLIC`
internal company printer room	Available to all employees and others who have signed nondisclosure agreements	`PUBLIC` to `INTERNAL_USE_ONLY`
restricted area for one group	Members of group specified in the `NEED_TO_KNOW` `GROUP_NAME` compartment	`NEED_TO_KNOW GROUP_NAME to NEED_TO_KNOW GROUP_NAME`
strictly controlled area	Available only to those who have the `REGISTERED` classification in their clearance	`REGISTERED` to `REGISTERED`

See "Managing Printing" in Trusted Solaris Administrator's Procedures manual.

Rules for Handling Printer Output

Those who have access to restricted printers will be instructed to:

Protect information according to the instructions on the printer banner and trailer pages.
Shred jobs that do not have both a banner and a trailer page and that do not have matching job numbers on the banner and trailer pages.

Planning Classification Values in a Worksheet

The worksheet in Table 5-2 shows names and hierarchical values defined for the four classifications. Because the value 0 is reserved for the administrative ADMIN_LOW label, the value of the PUBLIC classification is set to 1, and the values of the others are set higher in ascending sensitivity.

Note -

The names of groups in our labels are specified later, as WORDS in the SENSITIVITY LABELS, and CLEARANCES sections.

Table 5-2 Classifications Planner


name=	value=	*initial compartments= bit numbers/WORD
PUBLIC	1	none
INTERNAL_USE_ONLY	4	none
NEED_TO_KNOW	5	none
REGISTERED	6	none

Planning Compartment Values and Classification/Compartment Constraints in a Worksheet

Table 5-3 defines the relationships between words and classifications that were arrived at by moving things around on the planning board in Figure 5-7. Because of how PUBLIC and INTERNAL_USE_ONLY are defined in the third column, these two classifications can never appear in a label with any compartment, while NEED_TO_KNOW can appear in a label with any or all of the compartments.

Table 5-3 Compartments and User Accreditation Range Combinations Planning Table


Classification	Compartment Name/ sname/ Bit	Combination Constraints
PUBLIC		PUBLIC only valid combination
INTERNAL_USE_ONLY		INTERNAL_USE_ONLY only valid combination
NEED_TO_KNOW	SYSTEM ADMINISTRATION/ SYSADM/ 19	NEED_TO_KNOW all combinations valid
	MANUFACTURING/ MANU/ 18
	ENGINEERING/ ENG/ 17 20
	HUMAN RESOURCES/ HR/ 16
	MARKETING/ MKTG/ 15 20
	LEGAL/ LEGAL/ 14
	FINANCE/ FINANCE/ 13
	SALES/ SALES/ 12
	EXECUTIVE MANAGEMENT GROUP/ EMG/ 11
	ALL_DEPARTMENTS/ ALL/ 11-20
REGISTERED		REGISTERED only valid combination

The Security Administrator uses Table 5-4 to keep track of which bits have been used for compartments and which for markings.

Table 5-4 Compartment Tracking Table


11	12	13	14	15	16	17	18	19	20

Planning Clearances in a Worksheet

The components of these labels are also assigned to users in clearances. The worksheet's Clearance Planner (shown in Table 5-5) defines the label components to be used in clearances.

Key to Table 5-5:

Abbreviation	Name
REG	REGISTERED
NTK	NEED_TO_KNOW
IUO	INTERNAL_USE_ONLY
EMG	EXECUTIVE MANAGEMENT GROUP
SALES	SALES
FIN	FINANCE
LEG	LEGAL
MRKTG	MARKETING
HR	HUMAN RESOURCES
ENG	ENGINEERING
MANU	MANUFACTURING
SYSADM	SYSTEM ADMINISTRATION
NDA	NON-DISCLOSURE AGREEMENT

Table 5-5 Clearance Planner


CLASS	COMP	COMP	COMP	COMP	COMP	COMP	COMP	COMP	COMP	Notes
REG	EMG	ENG	FIN	HR	LEG	MANU	MKTG	SALES	SYSADM	Highest, not used [The highest possible label in the system, consisting of the highest classification and all of the defined compartments. Because no one should be able to access all information in all departments, this label is not in the user accreditation range, and no one should be assigned this clearance.]
REG										Assigned to selected personnel as needed [When working at the REGISTERED sensitivity label, the user should set permissions to restrict access to everyone except the owner (file permissions 600, directory permissions, 700).]
NTK		ENG								Assigned to ENG group



									SYSADM	Assigned to system admin
IUO										Assigned to employees. and others w/NDAs
PUB										Assigned to anyone

Planning the PRINTER BANNERS Wording in a Worksheet

The Solar Systems' legal department wants the following to appear on printer banner and trailer pages.

Solar Systems Proprietary/Confidential:

The PRINTER BANNERS can be used to associate a string with any compartment that appears in the sensitivity label of the print job. In this encodings, only the NEED_TO_KNOWclassification has compartments. Table 5-6 shows how the desired wording is specified as a prefix and assigned to each compartment. The abbreviation NTK is assigned to each channel so that the wording in the PRINTER BANNERS section will read:

Solar Systems Proprietary/Confidential: GROUP_NAME

Table 5-6 Printer Banners Planner


Prefix	PRINTER BANNER
SOLAR SYSTEMS PROPRIETARY/CONFIDENTIAL:	ALL_DEPARTMENTS
SOLAR SYSTEMS PROPRIETARY/CONFIDENTIAL:	EXECUTIVE_MANAGEMENT_GROUP
SOLAR SYSTEMS PROPRIETARY/CONFIDENTIAL:	SALES
SOLAR SYSTEMS PROPRIETARY/CONFIDENTIAL:	FINANCE
SOLAR SYSTEMS PROPRIETARY/CONFIDENTIAL:	LEGAL
SOLAR SYSTEMS PROPRIETARY/CONFIDENTIAL:	MARKETING
SOLAR SYSTEMS PROPRIETARY/CONFIDENTIAL:	HUMAN_RESOURCES
SOLAR SYSTEMS PROPRIETARY/CONFIDENTIAL:	ENGINEERING
SOLAR SYSTEMS PROPRIETARY/CONFIDENTIAL:	MANUFACTURING
SOLAR SYSTEMS PROPRIETARY/CONFIDENTIAL:	SYSTEM_ADMINISTRATION
SOLAR SYSTEMS PROPRIETARY/CONFIDENTIAL:	PROJECT_TEAM

Planning CHANNELS in a Worksheet

The Solar Systems' legal department wants the following handling instructions to appear on printer banner and trailer pages.

DISTRIBUTE ONLY TO GROUP_NAME EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)

This goal is met by assigning in the CHANNELS section the same compartment bits that were assigned to group names earlier in this example. The Solar Systems company plans to use the same group names both in the compartments and in the channels.

The words that come before the channel name are specified as prefixes and the words that come after the channel name are specified as suffixes. The Security Administrator specifies prefixes and suffixes in the following worksheets.

Table 5-7 Channels Planner (for Prefixes, Channels, and Suffixes)


Prefix	Channel	Suffix
DISTRIBUTE_ ONLY_ TO	EXECUTIVE_ MANAGEMENT_GROUP	EMPLOYEES (NON- DISCLOSURE_ AGREEMENT_ REQUIRED)
DISTRIBUTE_ ONLY_ TO	SALES	EMPLOYEES (NON- DISCLOSURE_ AGREEMENT_ REQUIRED)
DISTRIBUTE_ ONLY_ TO	FINANCE	EMPLOYEES (NON- DISCLOSURE_ AGREEMENT_ REQUIRED)
DISTRIBUTE_ ONLY_ TO	LEGAL	EMPLOYEES (NON-DISCLOSURE_ AGREEMENT_ REQUIRED)
DISTRIBUTE_ ONLY_ TO	MARKETING	EMPLOYEES (NON-DISCLOSURE_AGREEMENT_REQUIRED)
DISTRIBUTE_ ONLY_ TO	HUMAN_ RESOURCES	EMPLOYEES (NON- DISCLOSURE_ AGREEMENT_ REQUIRED)
DISTRIBUTE_ ONLY_ TO	ENGINEERING	EMPLOYEES (NON- DISCLOSURE_ AGREEMENT_ REQUIRED)
DISTRIBUTE_ ONLY_ TO	MANUFACTURING	EMPLOYEES (NON-DISCLOSURE_ AGREEMENT_ REQUIRED)
DISTRIBUTE_ ONLY_ TO	SYSTEM_ ADMINISTRATION	EMPLOYEES (NON- DISCLOSURE_ AGREEMENT_ REQUIRED)
DISTRIBUTE_ ONLY_ TO	PROJECT_ TEAM	EMPLOYEES (NON-DISCLOSURE _AGREEMENT _REQUIRED)

Planning the Minimums in an ACCREDITATION RANGE Worksheet

The following minimums must be set:

minimum sensitivity label
minimum clearance,
minimum protect as classification

Because the Solar Systems company wants employees to be able to use all the defined sensitivity labels and wants to be able to assign the PUBLIC clearance to some employees, the minimum sensitivity label and minimum clearance need to be set to PUBLIC.

The minimum protect as classification is printed on printer banner and trailer pages instead of the actual classification from the job's sensitivity label. The minimum protect as classification can be set higher than the actual minimum classification. However, the Solar Systems company requirements allow the minimum protect as classification to always be equal to the real classification of the print job's sensitivity label. The Security Administrator defines all of values for the minimum sensitivity label, minimum clearance and minimum protect as classification as PUBLIC as shown in the following table.

Table 5-8 ACCREDITATION RANGE Minimum Values


Minimum Sensitivity Label	PUBLIC
Minimum Clearance	PUBLIC
Minimum Protect as Classification	PUBLIC

Planning the Colors in the COLOR NAMES Worksheet

The color assigned to a label displays in the background whenever the name of the label appears at the top of a window. The lettering is displayed in a color that complements the background. (The complementary color is computed by the window system.) In our example, the Security Administrator chooses to keep the colors already assigned to the administrative labels in the default label_encodings(4) file and assigns green to PUBLIC, yellow to INTERNAL_USE_ONLY, blue to labels that contain NEED_TO_KNOW (with different shades of blue assigned to each compartment), and red to REGISTERED, as shown in the following table.

Table 5-9 Color Names Planner


Label or Name (label= or name=)	Color
ADMIN_LOW	#bdbdbd
PUBLIC	green
INTERNAL_USE_ONLY	yellow
NEED_TO_KNOW	blue
NEED_TO_KNOW EMG	#7FA9EB
NEED_TO_KNOW SALES	#87CEFF
NEED_TO_KNOW FINANCE	#00BFFF
NEED_TO_KNOW LEGAL	#7885D0
NEED_TO_KNOW MRKTG	#7A67CD
NEED_TO_KNOW HR	#7F7FFF
NEED_TO_KNOW ENG	#007FFF
NEED_TO_KNOW MANU	#0000BF
NEED_TO_KNOW PROJECT_TEAM	#9E7FFF
NEED_TO_KNOW SYSADM	#5B85D0
NEED_TO_KNOW ALL	#4D658D
NEED_TO_KNOW SYSADM	#5B85D0
REGISTERED	red
ADMIN_HIGH	#636363