Administering Administrative Labels

Two default administrative labels are always defined.

• ADMIN_LOW is the lowest label in the environment with a classification value of 0 and no compartments or markings.

  The ADMIN_LOW label is dominated by every other label.

• ADMIN_HIGH is the highest label in the environment with the classification value of 32767.

  As the highest label in the environment, the ADMIN_HIGH label and the ADMIN_HIGH clearance have all 256 compartment bits set to 1. The ADMIN_HIGH label dominates all other labels.

System files and commonly-available executables are assigned an ADMIN_LOW label. According to the WURD (write up read down) MAC rule, anyone working at any label can read files at ADMIN_LOW, unless the files' DAC permissions deny read access to the account attempting the reading. Files that contain data that should not be viewed by normal users, such as system log files, the label_encodings and vfstab_adjunct files are maintained at ADMIN_HIGH. To allow administrators access to protected system files, the ADMIN_LOW and ADMIN_HIGH administrative labels are assigned as the minimum label and clearance for the default roles. The following sections of this guide describe issues about administrative labels that the security administrator needs to consider.

• "Issues About the Names of Administrative Labels"

• "Specifying Whether Users See Administrative Labels' Names"

• "Specifying Whether Users See Any Labels"

Issues About the Names of Administrative Labels

The site's security administrator role can choose to do the following:

• Specify alternate names for administrative labels (not recommended)

  Because this is not recommended, this guide does not describe how to do it.

• Prevent normal users from seeing the names of administrative labels by substituting names of the lowest and highest labels in the user accreditation range.

  See "Specifying Whether Users See Administrative Labels' Names".

• Prevent normal users from seeing any labels.

  See "Specifying Whether Users See Any Labels".

Specifying Whether Users See Administrative Labels' Names

The option to set a label view allows the security administrator role to determine whether the names for administrative labels are displayed to non-administrative users. If the label view is set to external, another label is substituted: ADMIN_HIGH is demoted to the maximum label and ADMIN_LOW is promoted to the minimum label within the user accreditation range.

Some reasons a site might hide the names of administrative labels are:

• The site assigns each user a single label to work at and chooses not to train users about administrative labels.

• The site's security policy treats the names of administrative labels as classified information.

The label view is set to be either INTERNAL or EXTERNAL in several different ways that are listed in order of precedence, with the lowest first.

• If not otherwise overridden, the system-wide label view is EXTERNAL.

• An optional system-wide setting can be made in the label_encodings(4) file

  The default label_encodings(4) file has the label view set to External in the LOCAL DEFINITIONS section. If the optional definition is not round in the file, the default system-wide setting of EXTERNAL is used.

• The User Accounts and Administrative Roles Tools can set an individual value for any user or role account.

  The Security Administrator role can make an individual setting in the Trusted Solaris Attributes tab that is found in both the User Accounts and Administrative Roles Properties dialogs. The values are stored in the user_attr(4) file entry for the user or role account.

  ---

  Note -

  Do not edit the user_attr file directly. Change any account's labels views using the SMC tools.

  ---

  The View: choices are External | Internal | System Default

  If the System Default is chosen, the Default Label View is value in the optional LOCAL DEFINITIONS section of the label_encodings file applies.

• Programs can use library routines to manipulate the label view of the process running the program.

  The label view setting in a process can override the system-wide setting. A process's label view is set to be either internal, external, or sys. If sys, the process's label view is whatever is set in the label_encodings file, and if no value is set in the file, then the default of External is used.

A process's label view gets set indirectly through the following:

• From the user_attr entry for the owner of the process

  When a user or role starts a process, the user_attr file entry for the account is consulted and the process attribute flag PAF_LABEL_VIEW is set using setpattr(2), according to the label view specified in the for the account. PAF_VIEW_EXT sets the external view and a PAF_VIEW_INT sets the internal view. If the sys label view is specified, the PAF_VIEW_DEF is set equal to the optional setting in the label_encodings(4) file, or the default of EXTERNAL that applies if the option is not set.

• From within a program using library routines

  Programs can use library routines (described on the bltos(3TSOL) man page and under "Labels" in Trusted Solaris Developer's Guide) to set or get the label view of a process.

  Regardless of the value of the PAF_LABEL_VIEW flag, a library call used to translate labels from binary form to text can specify that labels be translated with either an INTERNAL or EXTERNAL label view. If the VIEW_EXTERNAL or VIEW_INTERNAL flags are not specified in the call to the library routine, translation of ADMIN_LOW and ADMIN_HIGH labels is controlled by the label view process attribute flags. If the label view process attribute flag is defined as VIEW_SYS, the translation is controlled by the label view option configured in the label_encodings(4) file or by the default system-wide value of EXTERNAL if the option is not specified.

Specifying Whether Users See Any Labels

The system-wide default is to show labels. The default setting for all accounts in the policy.conf(4) file is show labels. The Security Administrator can change the policy.conf entry to hide labels. The Security Administrator can also override the policy.conf setting for individuals accounts by choosing Hide from the Labels: menu on the Trusted Solaris Attributes tab of the User Accounts and Administrative Roles tools.

See "Managing Default User Security Attributes" in Trusted Solaris Administrator's Procedures for more details.