Trusted Solaris Label Administration

Label Dominance

When any type of label has a security level equal to or greater than the security level of another label to which it is being compared, the first label is said to dominate the second. This comparison of security levels is based on classifications and compartments in the labels. The classification of the dominant label must be equal to or higher than the classification of the second label, and the dominant label must include all the compartments in the other label. Two equal labels are said to dominate each other. By these criteria, TS A dominates TS and TS dominates TS.

Another kind of dominance called strict dominance is sometimes required for access. One label strictly dominates another label when the first label has a security level greater than the security level of the other label. Strict dominance is dominance without equality. The classification of the first label must be higher than that of the second label, and the first label must contain all the compartments in the second label, or, if the classifications of both labels are the same, the first label must contain all the compartments in the second label plus one or more additional compartments for the first label to strictly dominate the second. By these criteria, TS A B strictly dominates TS A and S A but does not strictly dominate TS A B or S C. Because S C contains a word (C) that is not in the TS A B label, and it does not contain all the words in TS A B, the two labels are said to be disjoint.

The security administrator must make sure that the clearance labels assigned to user or role accounts dominate all the labels the account is allowed to access. An account's clearance must contain the highest classification and all the compartment words that are in any label that the account needs to work at. Suppose, for example, that a label_encodings file prohibits the combination of compartments A, B, and C in a label and that the minimum label allowed is TS with no compartments. TS A B C would be a valid clearance label although it would not be a valid label. As a clearance, it would let a user work at TS A, TS B, TS C, and TS.