Trusted Solaris Label Administration

Specifying the Labels During Post-Install Configuration

The install team makes a printed copy and an on-line copy of the installed label_encodings(4) file in case of problems with the new version of the file supplied by the Security Administrator role.

The Security Administrator role uses any text editor to create the label_encodings(4) file, and then uses the Check Encodings action to check the file. If the file passes Check Encodings, the action offers the option of installing the new version. When the Security Administrator role answers Yes, Check Encodings overwrites the current version of the label_encodings file. The Check Encodings action creates a backup version of the existing file (naming it label_encodings.orig) before overwriting it.


Note -

The encodings for Solar Systems, Inc. are shown in User Type font in the screen examples.


Encoding the VERSION

The following example shows the VERSION string modified with the name of the company, a title, version number, and date.


Example 5-2 Modified VERSION Entry


VERSION= Solar Systems, Inc. Example Version - 2.2 00/04/18

Encoding the CLASSIFICATIONS

The following example shows the Solar Systems classifications and values from Table 5-2, Table 5-3, and Table 5-4 added to the CLASSIFICATIONS section.


Example 5-3 Modified CLASSIFICATIONS Section


CLASSIFICATIONS:

name= PUBLIC; sname= PUBLIC; value= 1;
name= INTERNAL_USE_ONLY; sname= INTERNAL; aname= INTERNAL; value= 4;
name= NEED_TO_KNOW; sname= NEED_TO_KNOW; aname= NEED_TO_KNOW; value= 5;
name= REGISTERED; sname= REGISTERED; aname= REGISTERED; value= 6;


Note -

A classification cannot contain the slash (/) or comma (,) characters. The classifications are specified from the lowest value to the highest.


Encoding the SENSITIVITY LABELS

The compartments in Table 5-3 are encoded in the SENSITIVITY LABELS: WORDS: section shown in the following example.

This example does not have any required combinations or combination constraints.


Example 5-4 Modified WORDS in the SENSITIVITY LABELS Section


SENSITIVITY LABELS:

WORDS:

name= ALL_DEPARTMENTS; sname= ALL; compartments= 11-20;
minclass= NEED_TO_KNOW;
name= EXECUTIVE_MGMNT_GROUP; sname= EMG; compartments= 11;
minclass= NEED_TO_KNOW;
name= SALES; sname= SALES; compartments= 12;
minclass= NEED_TO_KNOW;
name= FINANCE; sname= FINANCE; compartments= 13;
minclass= NEED_TO_KNOW;
name= LEGAL; sname= LEGAL; compartments= 14;
minclass= NEED_TO_KNOW;
name= MARKETING; sname= MRKTG; compartments= 15 20; minclass= NEED_TO_KNOW;
name= HUMAN_RESOURCES; sname= HR; compartments= 16; minclass= NEED_TO_KNOW;
name= ENGINEERING; sname= ENG; compartments= 17 20; minclass= NEED_TO_KNOW;
name= MANUFACTURING; sname= MANUFACTURING; compartments= 18;
minclass= NEED_TO_KNOW;
name= SYSTEM_ADMINISTRATION; sname= SYSADM; compartments= 19;
minclass= NEED_TO_KNOW;
name= PROJECT_TEAM; sname= P_TEAM; compartments= 20; minclass= NEED_TO_KNOW;

REQUIRED COMBINATIONS:

COMBINATION CONSTRAINTS:

Encoding the INFORMATION LABELS

Even though information labels are not used, values must be supplied under the INFORMATION LABELS: WORDS: section for the file to pass the encodings check. The Security Administrator role copies the words from the SENSITIVITY LABELS: WORDS: section, as shown in the following example.


Example 5-5 WORDS in the INFORMATION LABELS Section


INFORMATION LABELS:

WORDS:

name= SYSTEM_ADMINISTRATION; sname= SYSADM; compartments= 19;
minclass= NEED_TO_KNOW;
name= MANUFACTURING; sname= MANUFACTURING; compartments= 18;
minclass= NEED_TO_KNOW;
name= ENGINEERING; sname= ENG; compartments= 17 20; minclass=NEED_TO_KNOW;
name= HUMAN_RESOURCES; sname= HR; compartments= 16; minclass=NEED_TO_KNOW;
name= MARKETING; sname= MRKTG; compartments= 15 20; minclass=NEED_TO_KNOW;
name= LEGAL; sname= LEGAL; compartments= 14; minclass= NEED_TO_KNOW;
name= FINANCE; sname= FINANCE; compartments= 13; minclass= NEED_TO_KNOW;
name= SALES; sname= SALES; compartments= 12; minclass= NEED_TO_KNOW;
name= EXECUTIVE_MGMNT_GROUP; sname= EMG; compartments= 11;
minclass= NEED_TO_KNOW;
name= ALL_DEPARTMENTS; sname= ALL; compartments= 11-20; minclass= NEED_TO_KNOW;
name= PROJECT_TEAM; sname= P_TEAM; compartments= 20; minclass= NEED_TO_KNOW;
name= DO_NOT_FORWARD; sname= NO_FORWD; minclass= INTERNAL; markings= 0;
access related;
name= RELEASE_AFTER_BETA; sname= AFTER_BETA; minclass= NEED_TO_KNOW;
markings= ~0 1 ~2; access related;
name= RELEASE_AFTER_FCS; sname= AFTER_FCS; minclass= NEED_TO_KNOW;
markings= ~0 ~1 2; access related;

REQUIRED COMBINATIONS:

COMBINATION CONSTRAINTS:

Encoding the CLEARANCES

Because the clearance words are the same as the sensitivity labels words, the words in the following example are the same as those in Example 5-4.


Example 5-6 Modified WORDS in the CLEARANCES Section


CLEARANCES:

WORDS:

name= ALL_DEPARTMENTS; sname= ALL; compartments= 11-20; minclass= NEED_TO_KNOW;
name= EXECUTIVE_MANAGEMENT_GROUP; sname= EMG; compartments= 11;
minclass= NEED_TO_KNOW;
name= SALES; sname= SALES; compartments= 12; minclass= NEED_TO_KNOW;
name= FINANCE; sname= FINANCE; compartments= 13; minclass= NEED_TO_KNOW;
name= LEGAL; sname= LEGAL; compartments= 14; minclass= NEED_TO_KNOW;
name= MARKETING; sname= MRKTG; compartments= 15 20; minclass= NEED_TO_KNOW;
name= HUMAN_RESOURCES; sname= HR; compartments= 16; minclass= NEED_TO_KNOW;
name= ENGINEERING; sname= ENG; compartments= 17 20; minclass= NEED_TO_KNOW;
name= MANUFACTURING; sname= MANUFACTURING; compartments= 18;
minclass= NEED_TO_KNOW;
name= SYSTEM_ADMINISTRATION; sname= SYSADM; compartments= 19;
minclass= NEED_TO_KNOW;
name= PROJECT_TEAM; sname= P_TEAM; compartments= 20;
minclass= NEED_TO_KNOW;

REQUIRED COMBINATIONS:

COMBINATION CONSTRAINTS:
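
The rules stated so far (no slash or comma in a classification, classifications listed from the lowest value to the highest, every minclass naming a defined classification, clearance words matching the sensitivity label words) can be checked before the file is handed to Check Encodings. The following Python script is an added example, not part of the original manual or of Trusted Solaris, and it does not replace the Check Encodings action. The names parse, bits, lint, and SAMPLE are hypothetical, and it assumes that compartments are written as plain bit numbers or ranges, as on this page.

```python
import re

# Constructed input with two deliberate mistakes in CLEARANCES (bit 13, SECRET).
SAMPLE = """
CLASSIFICATIONS:
name= PUBLIC; sname= PUBLIC; value= 1;
name= NEED_TO_KNOW; sname= NEED_TO_KNOW; aname= NEED_TO_KNOW; value= 5;
SENSITIVITY LABELS:
WORDS:
name= SALES; sname= SALES; compartments= 12;
minclass= NEED_TO_KNOW;
name= MARKETING; sname= MRKTG; compartments= 15 20; minclass= NEED_TO_KNOW;
CLEARANCES:
WORDS:
name= SALES; sname= SALES; compartments= 13; minclass= NEED_TO_KNOW;
name= MARKETING; sname= MRKTG; compartments= 15 20; minclass= SECRET;
"""
SECTION = re.compile(r"^(CLASSIFICATIONS|INFORMATION LABELS|SENSITIVITY LABELS|CLEARANCES|"
                     r"CHANNELS|PRINTER BANNERS|ACCREDITATION RANGE|LOCAL DEFINITIONS):\s*$", re.M)

def parse(text):
    """Return {section: [entry, ...]}; each entry runs from one name= to the next."""
    text = re.sub(r"(?m)^\s*\*.*$", "", text)           # drop '*' comment lines
    parts, out = SECTION.split(text)[1:], {}             # [title, body, title, body, ...]
    for title, body in zip(parts[0::2], parts[1::2]):
        out[title] = [dict(map(str.strip, s.partition("=")[::2])
                           for s in chunk.split(";") if "=" in s)
                      for chunk in re.split(r"(?=\bname=)", body)[1:]]
    return out

def bits(spec):
    """Expand a compartments= value ('15 20', '11-20') into a set of bit numbers."""
    return {b for tok in spec.split() for lo, _, hi in [tok.partition("-")]
            for b in range(int(lo), int(hi or lo) + 1)}

def lint(text):
    sec = parse(text)
    cls = sec.get("CLASSIFICATIONS", [])
    known = {c[k] for c in cls for k in ("name", "sname", "aname") if k in c}
    out = [f"classification {c['name']}: contains / or ," for c in cls if re.search(r"[/,]", c["name"])]
    if [int(c["value"]) for c in cls] != sorted({int(c["value"]) for c in cls}):
        out.append("classifications: values not listed lowest to highest")
    sl = {w["name"]: bits(w.get("compartments", "")) for w in sec.get("SENSITIVITY LABELS", [])}
    for title in ("SENSITIVITY LABELS", "CLEARANCES"):
        for w in sec.get(title, []):
            if "minclass" in w and w["minclass"] not in known:
                out.append(f"{title} {w['name']}: minclass {w['minclass']} undefined")
            if title == "CLEARANCES" and sl.get(w["name"]) != bits(w.get("compartments", "")):
                out.append(f"CLEARANCES {w['name']}: compartments differ from SENSITIVITY LABELS")
    return out
```

Calling lint(SAMPLE) returns one finding for each of the two constructed mistakes; an empty list means that none of these checks failed.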

Encoding the CHANNELS

This example is encoded with one channel for each group name compartment, using the same compartment bits assigned to the compartment words in the SENSITIVITY LABELS: WORDS: section. The prefix is defined as DISTRIBUTE ONLY TO. The suffix is defined as (NON-DISCLOSURE AGREEMENT REQUIRED).


DISTRIBUTE ONLY TO GROUP_NAME (NON-DISCLOSURE AGREEMENT REQUIRED)

The channel specifications shown in the following example will create the desired wording in the handling caveats section.


Note -

The prefixes and suffixes are defined at the top of the section as shown in the following example, and they have no compartments assigned to them. They are used in defining the channels; each channel has a prefix and suffix assigned to it.



Example 5-7 Modified WORDS in the CHANNELS Section


CHANNELS:

WORDS:

name= DISTRIBUTE_ONLY_TO;       prefix;
name= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
suffix;

name= EXECUTIVE_MANAGEMENT_GROUP;
prefix= DISTRIBUTE_ONLY_TO; compartments= 11;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= SALES; prefix= DISTRIBUTE_ONLY_TO; compartments= 12;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= FINANCE; prefix= DISTRIBUTE_ONLY_TO; compartments= 13;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= LEGAL; prefix= DISTRIBUTE_ONLY_TO; compartments= 14;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= MARKETING; prefix= DISTRIBUTE_ONLY_TO;
compartments= 15 20;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= HUMAN_RESOURCES; prefix= DISTRIBUTE_ONLY_TO;
compartments= 16;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= ENGINEERING; prefix= DISTRIBUTE_ONLY_TO;
compartments= 17 20;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= MANUFACTURING; prefix= DISTRIBUTE_ONLY_TO;
compartments= 18;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= SYSTEM_ADMINISTRATION; prefix= DISTRIBUTE_ONLY_TO;
compartments= 19;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= PROJECT_TEAM; prefix= DISTRIBUTE_ONLY_TO; compartments= 20;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);

Encoding the PRINTER BANNERS


Note -

The term printer banners has a specialized meaning in the label_encodings(4) file, and it does not refer to the banner page that is printed before a job. A printer banner appears as a string on the printer banner page when the compartment associated with it appears in a job's label.


The printer banner specifications shown in the following example will create the desired wording in the PRINTER BANNERS section.


Note -

Any prefixes are defined at the top of the section as shown in the following example, and they have no compartments assigned to them. They are used in defining the PRINTER BANNERS; each printer banner has a prefix assigned to it.



Example 5-8 Modified WORDS in the PRINTER BANNERS Section


PRINTER BANNERS:

WORDS:

name= COMPANY PROPRIETARY/CONFIDENTIAL:;       prefix;

name= ALL_DEPARTMENTS; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 11-20;
name= EXECUTIVE_MANAGEMENT_GROUP; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 11;
name= SALES; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 12;
name= FINANCE; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 13;
name= LEGAL; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 14;
name= MARKETING; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 15 20;
name= HUMAN_RESOURCES; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 16;
name= ENGINEERING; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 17 20;
name= MANUFACTURING; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 18;
name= SYSTEM_ADMINISTRATION; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 19;
name= PROJECT_TEAM; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 20;

Encoding the ACCREDITATION RANGE

The combination constraints from Table 5-3 and the minimum clearance, minimum sensitivity label, and minimum protect as classification from Table 5-8 are encoded in the ACCREDITATION RANGE section shown in the following example. PUBLIC and INTERNAL_USE_ONLY are defined so that these two classifications can never appear in a label with any compartment, while NEED_TO_KNOW is defined so that it can appear in a label with any combination of compartments, and REGISTERED with no compartments.


Example 5-9 Modified ACCREDITATION RANGE Section


ACCREDITATION RANGE:

classification= PUBLIC; only valid compartment combinations:

PUBLIC

classification= INTERNAL_USE_ONLY; only valid compartment combinations:

INTERNAL

classification= NEED_TO_KNOW; all compartment combinations valid;

classification= REGISTERED; only valid compartment combinations:

REGISTERED


minimum clearance= PUBLIC;
minimum sensitivity label= PUBLIC;
minimum protect as classification= PUBLIC;

Encoding the Wording for Label Builders, Colors, and Other LOCAL DEFINITIONS Values

The following example shows that none of the default values are changed at Solar Systems, Inc. for the default and forced flags, and Default Label View in the LOCAL DEFINITIONS section.


Example 5-10 Accepting Defaults in the LOCAL DEFINITIONS Section


LOCAL DEFINITIONS:


default flags= 0x0;                     
forced flags= 0x0;

Default Label View is External;

Encoding the Heading Names for Label Builders

The default settings for heading names used in label builders are shown in the following example.


Example 5-11 Default Heading Names for Label Builders


Classification Name= Class;
Compartments Name= Comps;

Label builders are displayed whenever you need to set a label. For example, the following figure shows a label builder with the heading names specified at the Solar Systems company: Classification instead of Class, and Departments instead of Comps.

Figure 5-8 Label Builder With Changed Headings


The following example shows the modifications the Solar Systems Security Administrator role made to change the default values set for the Classification Name, Compartments Name, and Markings Name.


Example 5-12 Modified Wording for Label Builders


Classification Name= Classification;
Compartments Name= Departments;

Encoding the COLOR NAMES

The color names used in Example 5-13 were taken from the worksheet in Table 5-9.


Example 5-13 COLOR NAMES Section


COLOR NAMES:

        label= Admin_Low;       color= #bdbdbd;

        label= PUBLIC;        color= green;
        label= INTERNAL_USE_ONLY;  color= yellow;
        label= NEED_TO_KNOW;  color= blue;
        label= NEED_TO_KNOW EMG;  color= #7FA9EB;
        label= NEED_TO_KNOW SALES;  color= #87CEFF;
        label= NEED_TO_KNOW FINANCE;  color= #00BFFF;
        label= NEED_TO_KNOW LEGAL;  color= #7885D0;
        label= NEED_TO_KNOW MRKTG;  color= #7A67CD;
        label= NEED_TO_KNOW HR;  color= #7F7FFF;
        label= NEED_TO_KNOW ENG;  color= #007FFF;
        label= NEED_TO_KNOW MANUFACTURING;  color= #0000BF;
        label= NEED_TO_KNOW PROJECT_TEAM;  color= #9E7FFF;
        label= NEED_TO_KNOW SYSADM; color= #5B85D0;
        label= NEED_TO_KNOW ALL; color= #4D658D;
        label= REGISTERED;  color= red;

        label= Admin_High;      color= #636363;

*
* End of local site definitions