Trusted Solaris Label Administration

Session Range

Setting the range of labels available during a session is possible only when a user account is configured to use multiple labels. A user configured to work at a single label uses that single label throughout every login session. If a user account is set up to use multiple labels, that user can specify which labels are available during the session by doing one of the following:

When a user logs in and starts a session on a Trusted Solaris host, the Workstation Information dialog box displays. The following indicator displays below the console message area when a user is configured to work only at a single label:


Single Label Session Label: name_of_label

The following indicator displays below the console message area with a check box to the left when the user is configured to work at multiple labels:


Restrict Session To a Single Label

If the user checks the box and clicks the OK button, a Single-label Login: Setting Session Label dialog box displays. If the user leaves the box unchecked and clicks OK, a Multilabel Login: Setting Session Clearance dialog box displays. The user then chooses the label or clearance for the session from the dialog box.

The choice of session clearances available in the clearance dialog box ranges from the account clearance down to the higher of the (accreditation) minimum clearance and the (account) minimum label, subject to any additional required combinations or constraints from the clearance rule definitions in the label_encodings file. The single label dialog allows the account to select among all the valid labels that are dominated by the account's clearance and that dominate the account's minimum label, subject to any required combinations or constraints from the label rule definitions in the label_encodings file.

The single label or session clearance chosen at login is in effect throughout the session until logout. During a multilabel session, the user may work at any valid label that is dominated by the session clearance and that dominates the user's minimum label. Processes started on behalf of a user get a process clearance equal to the session clearance.

The session range is the set of labels available to a user during a Trusted Solaris session. It is a function of:

In the ongoing example from Figure 1-4 that is continued in the following figure, the user can specify a session clearance using any well-formed label between TS A B and S A B.

In the next figure, (a) continues the example showing the range of labels available if the user selects a multilabel session with a session clearance of S A B. Since the other potential labels between S A B and C have been disallowed, the user can only work at S A B, C A B, or C.

(b) shows the range of labels if the user chooses a single-label session with a session label of C A B. Note that C A B is below the minimum clearance but is accessible because the user is selecting a session label, not a clearance. Since this is a single-label session, the user can work at only one label; in this example, the user specified C A B, although S A B or C could have been chosen instead.
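The dominance rules behind cases (a) and (b) can be modeled in a few lines. This is an added example, not Trusted Solaris code: the account clearance (TS A B), minimum clearance (S A B) and minimum label (C) are read from the running example, and the VALID list is an assumed stand-in for what the label_encodings constraints leave well formed.

```python
# Added example: a model of the session-range rules, not Trusted Solaris code.
from typing import NamedTuple

LEVELS = {"C": 1, "S": 2, "TS": 3}  # classification order in the page's example

class Label(NamedTuple):
    level: int
    comps: frozenset

def parse(text):
    """Parse 'TS A B' into a Label (classification plus compartment words)."""
    cls, *comps = text.split()
    return Label(LEVELS[cls], frozenset(comps))

def dominates(a, b):
    """a dominates b: classification >= and compartments are a superset."""
    return a.level >= b.level and a.comps >= b.comps

# Assumed: the labels still valid after label_encodings constraints are applied.
# One list is used for both clearances and labels to keep the model small.
VALID = [parse(t) for t in ("TS A B", "S A B", "C A B", "C")]

def clearance_choices(account_clearance, min_clearance, min_label):
    """Session clearances offered in the multilabel clearance dialog."""
    # Dominating both floors equals dominating "the higher of" them
    # whenever the two floors are comparable, as they are here.
    return [l for l in VALID
            if dominates(account_clearance, l)
            and dominates(l, min_clearance) and dominates(l, min_label)]

def label_choices(clearance, min_label):
    """Valid labels dominated by a clearance that dominate the minimum label."""
    return [l for l in VALID
            if dominates(clearance, l) and dominates(l, min_label)]

def show(labels):
    """Render labels back to the 'TS A B' text form."""
    names = {v: k for k, v in LEVELS.items()}
    return [" ".join([names[l.level], *sorted(l.comps)]) for l in labels]

if __name__ == "__main__":
    acct, min_clr, min_lbl = parse("TS A B"), parse("S A B"), parse("C")
    print("session clearances:", show(clearance_choices(acct, min_clr, min_lbl)))
    print("multilabel at S A B:", show(label_choices(parse("S A B"), min_lbl)))
    print("single-label choices:", show(label_choices(acct, min_lbl)))
```

Passing the session clearance to label_choices gives the working range of a multilabel session; passing the account clearance gives the single-label dialog's choices, which is why C A B appears there even though it is not a selectable clearance.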

Figure 1-5 Comparison of Session Ranges


The following figure summarizes the progressive eliminations of available labels in this example. The eliminated labels are shown with a line through them in the range where they are filtered out and are not shown in subsequent ranges.

Figure 1-6 Cumulative Effect of Constraints on a Session Range
