Trusted Solaris Label Administration

Adding or Renaming a Classification

The Security Administrator role can replace classification names defined in the default label_encodings file, define new classification names, or create a new file with unique classifications.

The classification is the hierarchical portion of a label. Each label has one and only one classification. The internal representation of each label has 15 bits available for storing classification values.

Classification Field:  15 bits / 32,767 possible values / 256 values limit enforced

The label translation software enforces a limit of 256 classification values. A numeric value (integer) from 1 to 255 can be assigned to each classification in the label_encodings file. The value 0 is reserved for the ADMIN_LOW administrative label.

Classifications are defined once for all types of labels in the CLASSIFICATIONS section of the label_encodings(4) file.

A classification with a higher value is said to dominate a classification with a lower value. The following table shows two sets of label names that are assigned to the same values in two example label_encodings files in the /etc/security/tsol directory. The left column shows example information protection labels from the label_encodings.simple file, and the middle column shows example labels from the label_encodings.gfi.multi file. A label with the Registered or Top Secret classification dominates all labels with any other classification shown.

Commercial Example      Government Example      Value

Registered              Top Secret              6
Need to Know            Secret                  5
Internal Use Only       Confidential            4
Public                  Unclassified            1

Number of Classifications

The total number of classifications that can be defined at a site is 255.

Keywords Defined for Classifications

The following table shows the keywords that can be defined for classifications. Keywords that begin with an asterisk (*) are optional. See "Setting Default and Inverse Words" for more about how to set up optional initial compartments and markings that may be associated with classifications.

Table 2-3 Values for Classifications

Value                     Requirements

name=                     Cannot contain (/) or (,) or (;). All other alphanumeric characters and white space are allowed. Users can enter either the name, the sname, or the aname when specifying labels.

sname=                    Required in classifications only. The short name appears in sensitivity labels (within brackets).

*aname=                   Name used only for input by users. The alternate name can be entered by users any time a classification is needed.

value=                    The values you assign should represent the actual hierarchy among the classifications and leave room for later expansion. 0 is reserved for ADMIN_LOW. Values can start at 1 and go to 255.

*initial compartments=    Specify bit numbers for any default compartment words (words that should initially appear in any label that has the associated classification).
                          ADVANCED: Also specify bit numbers for any inverse words. Recommended: set aside initial compartments for later additions of inverse words (if your site uses inverse words) for all but the minimum classification. It is not recommended to have initial compartments or markings for the minimum classification.

*initial markings=        Used for information labels, which are not used in Trusted Solaris 7 and later releases. Do not define.

Unless you are creating a set of encodings that must be compatible with another organization's label encodings, do not worry about which numbers to use for compartment bits. Keep track of the ones you use and their relations to each other.

The following example shows the top of the demonstration Trusted Solaris label_encodings file, with the CLASSIFICATIONS section.


Example 2-1 Trusted Solaris Demonstration label_encodings File (Top)


CLASSIFICATIONS:

*
name= UNCLASSIFIED;  sname= U;  value= 1;
name= CONFIDENTIAL;  sname= C;  value= 4; initial compartments= 4-5 190-239;
name= SECRET;        sname= S;  value= 5; initial compartments= 4-5 190-239;
name= TOP SECRET;    sname= TS; value= 6; initial compartments= 4-5 190-239;

Each classification defined in Example 2-1 has the mandatory name, sname, and value. The CONFIDENTIAL, SECRET, and TOP SECRET classifications have initial compartments, while UNCLASSIFIED has none.

The following table shows some initial compartments bit assignments and what they mean.

Table 2-4 Initial Compartments Bit Assignments and What They Mean

initial compartments= 4 5 100-227;
    Compartment bits 4, 5, and 100 through 227 are initially on (set to 1) in a label with this classification.

Some of the initial compartments shown in Example 2-1 are used later to define default and inverse words, and some are reserved for possible later definitions of inverse words.

The following example shows a simple set of classifications that have no initial compartments.


Example 2-2 Simple Classifications Defined Without Initial Compartments or Markings


CLASSIFICATIONS:

name= PUBLIC; sname= PUBLIC; value= 1;
name= INTERNAL_USE_ONLY; sname= INTERNAL; aname= INTERNAL; value= 4;
name= NEED_TO_KNOW; sname= NEED_TO_KNOW; aname= NEED_TO_KNOW; value= 5;
name= REGISTERED; sname= REGISTERED; aname= REGISTERED; value= 6;
initial compartments= 10;

Setting Default and Inverse Words

When a bit is defined as an initial compartment, that bit is on (set to 1) in every label that contains the classification. Any bit specified as an initial compartment can be defined later in the label_encodings file so as to assign the bit to either a default word or an inverse word.

The following table summarizes the requirements for initial compartments values associated with classifications.

Table 2-5 Initial Compartments for Classifications

Value                     Requirements

*initial compartments=    Specify bit numbers for any default compartment words (words that should always appear in any label that has the associated classification).
                          ADVANCED: Also specify bit numbers for any inverse words. Recommended: set aside initial compartments for later additions of inverse words.

The following example shows the PUBLIC classification assigned no initial compartments while the SUN FEDERAL classification is assigned initial compartments 4 and 5.


Example 2-3 Simplified Assignment of Initial Compartments


name= PUBLIC;  sname= P;  value= 1;
name= SUN FEDERAL;  sname= SUNFED;  value= 4; initial compartments= 4-5;

With the bits assigned in Example 2-3, a label that includes the PUBLIC classification has no default compartments assigned, while a label that includes the SUN FEDERAL classification always has compartment bits 4 and 5 turned on. See the example below and the following text for how these initial compartment bits can be assigned to words.


Example 2-4 Example of Defining Default and Inverse SENSITIVITY LABELS Words


SENSITIVITY LABELS:

WORDS:

name= DIVISION ONLY;   sname= DO;     minclass= SUN FEDERAL; compartments= 4-5;
name= SMCC AMERICA;    sname= SMCCA;  minclass= SUN FEDERAL; compartments= ~4;
name= SMCC WORLD;      sname= SMCCW;  minclass= SUN FEDERAL; compartments= ~5;

The example above shows WORDS defined in the SENSITIVITY LABELS section of a label_encodings file. Compartment bits 4 and 5 are assigned to the word DIVISION ONLY. Each of these two bits is also associated with an inverse word: SMCC AMERICA is assigned to the inverse compartment bit ~4 and SMCC WORLD is assigned to the inverse compartment bit ~5. As a result, a sensitivity label with the SUN FEDERAL classification initially includes the word DIVISION ONLY, and its binary representation has compartment bits 4 and 5 turned on. A sensitivity label with the PUBLIC classification always has compartment bits 4 and 5 turned off, so the inverse words SMCC AMERICA and SMCC WORLD are included in that label. Because a minclass of SUN FEDERAL is specified for the inverse words, SMCC AMERICA and SMCC WORLD are not displayed in the PUBLIC sensitivity label; the presence of these two inverse words is understood.
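To make that behaviour concrete, the following is an added example (Python; not part of this manual or of the Trusted Solaris label software) that reads the Example 2-3 classifications and the Example 2-4 words and reports which words are present in, and which are displayed in, a label that carries only a classification's initial compartments. The reader handles only the keywords those two examples use.

```python
# Added example: minimal reader for the 'keyword= value;' lines of
# Examples 2-3 and 2-4. It is not the Trusted Solaris label_encodings parser.
CLASSIFICATIONS = """
name= PUBLIC;  sname= P;  value= 1;
name= SUN FEDERAL;  sname= SUNFED;  value= 4; initial compartments= 4-5;
"""
SENSITIVITY_WORDS = """
name= DIVISION ONLY;  sname= DO;    minclass= SUN FEDERAL; compartments= 4-5;
name= SMCC AMERICA;   sname= SMCCA; minclass= SUN FEDERAL; compartments= ~4;
name= SMCC WORLD;     sname= SMCCW; minclass= SUN FEDERAL; compartments= ~5;
"""

def parse_entries(text):
    """One dict per line, mapping each keyword to its ';'-terminated value."""
    entries = []
    for line in text.strip().splitlines():
        entry = {}
        for field in line.split(";"):
            if field.strip():
                key, _, val = field.partition("=")
                entry[key.strip()] = val.strip()
        entries.append(entry)
    return entries

def parse_bits(spec):
    """'4-5 190-239' -> bits that must be on; '~4' -> bits that must be off
    (an inverse word is present when its bit is off)."""
    on, off = set(), set()
    for tok in spec.split():
        lo, _, hi = tok.lstrip("~").partition("-")
        bits = range(int(lo), int(hi or lo) + 1)
        (off if tok.startswith("~") else on).update(bits)
    return on, off

def label_words(class_name):
    """(present words, displayed words) for a sensitivity label that has the
    given classification and only that classification's initial compartments."""
    classes = {c["name"]: c for c in parse_entries(CLASSIFICATIONS)}
    cls = classes[class_name]
    comps, _ = parse_bits(cls.get("initial compartments", ""))
    present, displayed = [], []
    for w in parse_entries(SENSITIVITY_WORDS):
        on, off = parse_bits(w["compartments"])
        if on <= comps and not (off & comps):
            present.append(w["name"])
            # minclass hides a word in labels whose classification is below it
            if int(cls["value"]) >= int(classes[w["minclass"]]["value"]):
                displayed.append(w["name"])
    return present, displayed
```

For PUBLIC the two inverse words are present but not displayed, which is exactly the "understood" presence described above.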

For any compartment or marking bits not reserved for later assignment, remember that for every initial compartment bit specified, you need to assign a word to the bit in the SENSITIVITY LABELS: WORDS:, INFORMATION LABELS: WORDS:, and COMPARTMENTS: WORDS: sections.

Defining Compartment Words

Compartments are optional words that may be defined to appear in labels. Compartments are called categories in some other trusted systems. Compartments are used to indicate the special handling procedures to be used for the information whose label contains the compartment and the general class of people who may have access to the information.

Compartment words are assigned to non-hierarchical bits. Hierarchies can be established between compartment words based on rules for including bits from one compartment word in the bits defined for another compartment word.

Compartment words are optionally defined in the WORDS subsection for each label type. Each compartment word is assigned to one or more bits.

While all types of labels use the same classifications, the words used for each type of label can be different, even when they are encoded with the same bits and literally refer to the same thing.

The following example shows the SUN FEDERAL compartment word specified with a short name (sname) of SUNFED and compartment bits 40-50.


Example 2-5 Example Compartment Definition for a Sensitivity Label


WORDS:

name= SUN FEDERAL; sname= SUNFED; compartments= 40-50;

Along with its classification field, each label has a 256-bit compartment field. Each bit can be assigned to zero or more compartment words, as shown in Table 2-6, and each word can have one or more compartment bits assigned. Out of the 255 available bits, the number of compartment words that can be created is practically limitless. See "Creating Large Numbers of Labels" for examples.

Table 2-6 Bits Available for Classification and Compartment Components

Classification Field                                          Compartments Field

15 bits / 32,767 possible values / 256 values limit enforced   256 bits

The following table can be used for planning compartments and user accreditation range combinations. The ACCREDITATION RANGE setting for each classification should be one of the permitted settings.

Table 2-7 Compartments and User Accreditation Range Combinations Planner

Classification    Compartment Name/ sname/ Bit    REQUIRED COMBINATIONS/ COMBINATION CONSTRAINTS    ACCREDITATION RANGE Settings

(The rows of the planner are left blank, to be filled in for the site.)

Hierarchical Words

Hierarchical compartments can be used when you want some way to differentiate between documents that have to be accessible to everyone in a larger group and documents that can be accessed only by subgroups. Hierarchical compartments can be created in either of the following two ways.

Using Bit Combinations to Establish Hierarchies

By defining a word that uses one bit and a second word that uses that same bit along with a second bit, you define a hierarchical relationship between the two words. The compartment word that is more general must be defined below the word that is more specific.

For example, by defining a word that uses bit number 1 and another word that uses bits number 1 and 2, you give the two words a hierarchical relationship. The following screen example shows definitions for a Sales compartment with two subcompartments, Direct Sales and Indirect Sales. It supposes that a single classification named WebCo is defined.

Figure 2-1 Bit Combinations Defining Hierarchical Relationships


name= Direct_Sales;   compartments= 1, 2
name= Indirect_Sales;   compartments= 1, 3
name= Sales;   compartments= 1

The definition in the screen example allows the WebCo company to differentiate between documents that can be accessed by anyone in the entire sales force, documents that can be accessed only by members of the indirect sales force, and documents that can be accessed only by members of the direct sales force.

Using REQUIRED COMBINATIONS to Establish Hierarchies

If two words are specified together in the REQUIRED COMBINATIONS section, the second word is added to the label whenever the first word is used. The following example shows a definition of the Direct_Sales, Indirect_Sales, and Sales words that has essentially the same effect as the example in Figure 2-1. The difference is that the Direct_Sales word will always have the Sales word with it.

Figure 2-2 REQUIRED COMBINATIONS Used to Establish Hierarchies


name= Direct_Sales;   compartments= 2
name= Indirect_Sales;   compartments= 3
name= Sales;   compartments= 1

REQUIRED COMBINATIONS:

Direct_Sales            Sales
Indirect_Sales          Sales
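As an added example (Python; not from this manual) covering both Figure 2-1 and Figure 2-2, the following encodes the two Sales hierarchies as bit sets and checks, under the dominance rule, which compartments a clearance at each word can read. The classification value 1 for WebCo is a constructed assumption.

```python
# Added example: the two encodings of the Sales hierarchy from this section.
# Figure 2-1 style: the hierarchy is carried by the bits themselves.
BIT_WORDS = {"Sales": {1}, "Direct_Sales": {1, 2}, "Indirect_Sales": {1, 3}}
# Figure 2-2 style: one bit per word; REQUIRED COMBINATIONS pulls in Sales.
COMBO_WORDS = {"Sales": {1}, "Direct_Sales": {2}, "Indirect_Sales": {3}}
REQUIRED_COMBINATIONS = {"Direct_Sales": ["Sales"], "Indirect_Sales": ["Sales"]}
WEBCO = 1  # constructed value for the single WebCo classification

def make_label(words, required, classification, *names):
    """Label = (classification value, frozenset of compartment bits turned on).
    A word's REQUIRED COMBINATIONS partners are added along with the word."""
    bits, pending = set(), list(names)
    while pending:
        name = pending.pop()
        bits |= words[name]
        pending.extend(required.get(name, []))
    return classification, frozenset(bits)

def dominates(a, b):
    """a dominates b: a's classification is at least b's and a's compartment
    bits are a superset of b's (the mandatory access control read rule)."""
    return a[0] >= b[0] and a[1] >= b[1]

def readable(words, required, clearance_word):
    """Compartment words whose documents a clearance at clearance_word can read."""
    clearance = make_label(words, required, WEBCO, clearance_word)
    return sorted(w for w in words
                  if dominates(clearance, make_label(words, required, WEBCO, w)))

def same_access(clearance_word):
    """True when both encodings grant identical read access for this clearance."""
    return (readable(BIT_WORDS, {}, clearance_word)
            == readable(COMBO_WORDS, REQUIRED_COMBINATIONS, clearance_word))
```

Leaving out the REQUIRED COMBINATIONS with the Figure 2-2 bits shows why they are needed: a Direct_Sales clearance (bit 2 alone) would then no longer dominate Sales (bit 1).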

Cautions About Mapping Labels to CIPSO Labels

When a template assigned to a computer is specified with one of the CIPSO label indicators, the trusted networking software derives a CIPSO label from the message's label and inserts the CIPSO label into the IP options portion of packets sent to that computer. For a label to map to and from a CIPSO label, the classification value must be less than or equal to 255 and all compartment bit numbers must be less than or equal to 239.

By default, a message to a CIPSO-identified host is dropped if it is sent with a sensitivity label that cannot be mapped to a CIPSO label. The ADMIN_HIGH label is too big to map to a CIPSO label, so, by default, a message sent at the ADMIN_HIGH label to a CIPSO-identified host is always dropped. To avoid this, the Security Administrator role can add the tsol_admin_high_to_cipso switch set equal to 1 in the /etc/system file. Setting this switch causes the label on a packet to be mapped to a valid CIPSO label with the highest classification and all compartments turned on, instead of being dropped. See "To Change Configurable Kernel Switch Settings" under "Changing and Accessing Security Information (Tasks)" in Trusted Solaris Administrator's Procedures.

If the switch is set so that the ADMIN_HIGH label is mapped, make sure that no label in the user accreditation range has the classification value of 255 with all compartment bits from 0 to 239. Otherwise, the user label would be indistinguishable from ADMIN_HIGH after mapping.

To ensure that all labels are mappable, be sure that no user label has compartments numbered above 239.
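The following is an added example (Python; not part of Trusted Solaris) of the mapping rules in this section: it decides whether a label can be carried as a CIPSO label, applies the tsol_admin_high_to_cipso behaviour to ADMIN_HIGH, and flags user labels that would be indistinguishable from the mapped ADMIN_HIGH. Labels are modelled as (classification value, set of compartment bits); ADMIN_HIGH is a string sentinel, and the sample range is constructed.

```python
# Added example: CIPSO mappability checks for planning a user accreditation range.
CIPSO_MAX_CLASS = 255      # classification values above this cannot be mapped
CIPSO_MAX_BIT = 239        # compartment bits above this cannot be mapped
ADMIN_HIGH = "ADMIN_HIGH"  # sentinel for the administrative label too big for CIPSO

def cipso_mappable(label):
    """True when the classification is <= 255 and every compartment bit is <= 239."""
    if label == ADMIN_HIGH:
        return False
    cls, bits = label
    return cls <= CIPSO_MAX_CLASS and all(0 <= b <= CIPSO_MAX_BIT for b in bits)

def to_cipso(label, tsol_admin_high_to_cipso=0):
    """CIPSO (classification, bits) for a packet's label, or None if it is dropped.
    With the switch set to 1, ADMIN_HIGH maps to the highest classification with
    all mappable compartment bits turned on instead of being dropped."""
    if label == ADMIN_HIGH:
        if tsol_admin_high_to_cipso == 1:
            return (CIPSO_MAX_CLASS, frozenset(range(CIPSO_MAX_BIT + 1)))
        return None
    cls, bits = label
    return (cls, frozenset(bits)) if cipso_mappable(label) else None

def check_user_range(user_labels):
    """Planning check: labels that cannot be mapped, and labels that would
    collide with ADMIN_HIGH once the switch is set."""
    mapped_high = to_cipso(ADMIN_HIGH, tsol_admin_high_to_cipso=1)
    unmappable = [lab for lab in user_labels if not cipso_mappable(lab)]
    collides = [lab for lab in user_labels if to_cipso(lab) == mapped_high]
    return unmappable, collides

# Constructed sample range: an Example 2-1 style label plus two problem cases.
SAMPLE_RANGE = [
    (6, {4, 5, 190, 239}),     # TOP SECRET with its initial compartments: mappable
    (6, {4, 5, 240}),          # compartment bit 240: not mappable, packet dropped
    (255, set(range(240))),    # classification 255 with bits 0-239: same as mapped ADMIN_HIGH
]
```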