Trusted Solaris Label Administration

Label Encodings Procedures

To Modify the label_encodings File


Caution -

Modifying the label_encodings file can safely be done at the time the host is installed. If a need arises where an operational file needs to be changed, proceed with caution. Review the caveats described in the label_encodings(4) man page.


  1. Assume the Security Administrator role in an ADMIN_HIGH workspace.

  2. Open a new or existing version of the file.

    1. If creating a new version of the label_encodings file, use any text editor or use the Edit Encodings action to create the file.

      The Edit Encodings action both edits and runs chk_encodings(1M) on the file.


      Note -

      If creating a new file from scratch, make sure to include all the sections shown in Table 2-2 or copy and modify the example in Appendix A, Example: Label Encodings File.



      Note -

      During development of the file, run chk_encodings with the -a option from the command line to analyze and report on the relationships between labels in the label_encodings file.


    2. When a new version is ready to install, use the Check Encodings action to open and check the file.

      The Check Encodings action runs chk_encodings(1M) on the specified file. If the file passes the check, the action asks whether you want to overwrite the currently installed label_encodings file. If you answer yes, the action creates a backup copy named label_encodings.orig and then overwrites the installed version.


      Note -

      By default, both the Security Administrator and the root role have the Check Encodings action. The root role uses the action to install the label_encodings file when configuring the system after installation.


    3. If you are installing a new label_encodings, answer affirmatively when prompted.


      Do you want to install this label_encodings file?

  3. On a distributed system of Trusted Solaris hosts, distribute a copy of the label_encodings file from the naming service master to the /etc/security/tsol directory on all hosts in the system.

    See "To Copy the label_encodings File to a Floppy Disk" for how to copy the file to a floppy disk for manual distribution of the modified file.

To Copy the label_encodings File to a Floppy Disk

  1. Assume the Security Administrator role in an ADMIN_HIGH workspace.

  2. Allocate the floppy device at ADMIN_HIGH.

    1. Highlight the name of the floppy device.

    2. Move the device to the Allocated Devices list.

    3. In the Update With field, type in ADMIN_HIGH.

    4. Click OK.

  3. Double-click the File Manager icon in the Front Panel.

  4. Using the File Manager, navigate to the folder that contains the label_encodings file.


    Note -

    Give another name to the version of the label_encodings file to be copied. For compatibility with the PC file systems on most floppy disks, use a name with fewer than eight characters and without a dot (.) in the name. (A string after a dot in a PC file's name is treated as the suffix that indicates the file's type, like .doc.)


  5. Choose Open Floppy from the File menu.

  6. Highlight the icon for the file.

  7. Drag the file to the floppy disk folder.

  8. On the floppy disk folder, choose Eject from the File menu.

To Copy the label_encodings File from a Floppy Disk

  1. Assume the Security Administrator role in an ADMIN_HIGH workspace.

  2. Allocate the floppy device at ADMIN_HIGH.

    1. Highlight the name of the floppy device.

    2. Move the device to the Allocated Devices list.

    3. In the Update With field, type in ADMIN_HIGH.

    4. Click OK.

  3. Double-click the File Manager icon in the Front Panel.

  4. Using the File Manager, navigate to the desired destination directory.

  5. Choose Open Floppy from the File menu.

    The floppy disk folder displays.

  6. Highlight the icon for the label_encodings file.

  7. Drag the file from the floppy disk folder to the desired destination directory.

    If dragging the file to the /etc/security/tsol folder, make sure the file being dragged is not named label_encodings. Otherwise, by dropping the file, you will be attempting to overwrite the existing label_encodings file. Instead, copy the file onto the host, and then use the Check Encodings action to install the file, as described in "To Modify the label_encodings File".

  8. On the floppy disk folder, choose Eject from the File menu.

  9. Initialize the new encodings file.

    Restart the Window Manager from the Workspace Menu.

To Add Sun Extensions to a Pre-Existing Label Encodings File

  1. Copy the LOCAL DEFINITIONS section from one of the default label_encodings files in /etc/security/tsol and append the section to your site's existing file.

    See "To Modify the label_encodings File", if needed, for how to edit and check the file.

  2. Modify the definitions to suit your site's security policy.

    See Chapter 4, Modifying Sun's Extensions in the Local Definitions Section for how to configure the extensions.

  3. Check the file using the Check Encodings action.

  4. When prompted by the Check Encodings action, install the modified version of the label_encodings file.

To Set Up No Labels Operation

The install team should do the following:

  1. Change or accept the name of the single label in the label_encodings.single file.

    The example uses the label PUBLIC. See "To Replace the Single Label in the Default Single-Label Encodings File".

  2. When setting up user accounts, restrict the user to single-label operation.

    1. Configure the user's clearance and initial (minimum) label to equal the only encoded label.


      Clearance: PUBLIC
      Minimum Label: PUBLIC

    2. Configure labels to be hidden.


      Labels: Hide

To Add or Rename a Classification in the Default label_encodings File

  1. In the Security Administrator role in an ADMIN_HIGH workspace, open the label_encodings file for editing.

    See "To Modify the label_encodings File", if needed.

  2. In the VERSION= section, put your site's name, a title for the file, a version number, and the date.


    VERSION= Sun Microsystems, Inc. Example Version - 5.8 97/05/28

    Sun uses SCCS keywords for the version number and the date. (See the sccs(1) man page, if needed, for more about SCCS.)


    VERSION= Sun Microsystems, Inc. Example Version - %I% %E%

  3. In the CLASSIFICATIONS section, supply the long name, short name, and numeric value for the new classification.


    name= NEW_CLASS; sname= N; value= 2;

  4. Add the new classification(s) to the ACCREDITATION RANGE section.

    The following example shows the three new classifications added to the ACCREDITATION RANGE section of the demonstration file. All three (INTERNAL_USE_ONLY, NEED_TO_KNOW, and REGISTERED) are specified with all compartment combinations valid.


    ACCREDITATION RANGE:
    
    classification= UNCLASSIFIED;        all compartment combinations valid;
    
    * i is new in this file
    classification= INTERNAL_USE_ONLY;   all compartment combinations valid;
    
    * n is new in this file
    classification= NEED_TO_KNOW;        all compartment combinations valid;
    
    classification= CONFIDENTIAL;        all compartment combinations valid except:
    c
    c a
    c b
    
    classification= SECRET;               only valid compartment combinations:
    . . .
    * r is new in this file
    classification= REGISTERED;           all compartment combinations valid;

  5. Adjust the minimums specified in the ACCREDITATION RANGE section if necessary.


    minimum clearance= u; 
    minimum sensitivity label= u; 
    minimum protect as classification= u;

  6. If you are done, save and quit the file.

  7. If you want to install the file, use the Check Encodings action and answer yes when asked if you want to install the new version of the file.

To Specify Default and Inverse Words

  1. In the Security Administrator role in an ADMIN_HIGH shell, open the file for editing.

    See "To Modify the label_encodings File" if needed.

  2. Specify initial compartments and/or initial markings in the CLASSIFICATIONS section when defining the classification.


    CLASSIFICATIONS:
    name= PUBLIC;  sname= P;  value= 1;
    name= SUN FEDERAL;  sname= SUNFED;  value= 2; initial compartments= 4-5 ;

  3. Specify a default word by assigning an initial compartment or initial marking bit to the word.


    name= DIVISION ONLY;  sname= DO;  minclass=  IUO; compartments= 4-5; 
    
    name= SMCC AMERICA;  sname= SMCCA; minclass= IUO; compartments= 4;  
    
    name= SMCC WORLD;  sname= SMCCW; minclass= IUO; compartments= 5;

  4. Specify an inverse word by assigning an initial compartment preceded by a tilde (~) to the word.


    name= DIVISION ONLY;  sname= DO;  minclass=  IUO; compartments= 4-5; 
    
    name= SMCC AMERICA;  sname= SMCCA; minclass= IUO; compartments= ~4;  
    
    name= SMCC WORLD;  sname= SMCCW; minclass= IUO; compartments= ~5;

To Replace the Single Label in the Default Single-Label Encodings File

  1. In the Security Administrator role in an ADMIN_HIGH workspace, open the /etc/security/tsol/label_encodings.single file for editing.

    See "To Modify the label_encodings File" if needed.

  2. Replace the classification name with an alternate name.

    1. Under the CLASSIFICATIONS: section, change the name SECRET to an alternate name suitable for your site.

      In the example, the name= value is changed from SECRET to INTERNAL_USE_ONLY and the sname= value is changed from s to INTERNAL. For simplicity's sake, neither the value= nor the initial compartments= definitions are changed.


      CLASSIFICATIONS:  
      name= INTERNAL_USE_ONLY;  sname= INTERNAL;  value= 5; initial compartments= 4-5 
      190-239;

    2. Under ACCREDITATION RANGE, replace the short name of the classification (S) with the new sname.


      ACCREDITATION RANGE:
      
      classification= INTERNAL;      only valid compartment combinations:
      
      INTERNAL a b rel cntry1

  3. If desired, delete the compartments a b rel cntry1 from the accreditation range.


    ACCREDITATION RANGE:
    
    classification= INTERNAL;    only valid compartment combinations:
    
    INTERNAL

  4. If appropriate, under ACCREDITATION RANGE, replace the definitions for minimum clearance, minimum sensitivity label, and minimum protect as classification with the new sname.


    ACCREDITATION RANGE:
    
    classification= INTERNAL;      only valid compartment combinations:
    
    INTERNAL
    
    minimum clearance= INTERNAL;
    minimum sensitivity label= INTERNAL;
    minimum protect as classification= INTERNAL;

To Make Your Own Single-label Encodings File

  1. In the Security Administrator role in an ADMIN_HIGH workspace, open the label_encodings file for editing.

    See "To Modify the label_encodings File" if needed.

  2. Create an encodings file with only one classification and only the desired compartments.

    For example, you could set up a label_encodings file with the INTERNAL_USE_ONLY classification, and specify no words.


    VERSION= Single-label Encodings
    
    . . .
    CLASSIFICATIONS:
    
    name= INTERNAL_USE_ONLY;       sname= INTERNAL;  value= 5;
    
    INFORMATION LABELS:
    
    WORDS:
    
    SENSITIVITY LABELS:
    
    WORDS:
    
    CLEARANCES:
    
    WORDS:
    
    CHANNELS:
    
    WORDS:
    
    PRINTER BANNERS:
    
    WORDS:

  3. In the ACCREDITATION RANGE section, include only one classification and one valid compartment combination.

    Make the settings in the ACCREDITATION RANGE section shown in the example using your own classification, and your own compartment words, if any.


    ACCREDITATION RANGE:
    
    classification= INTERNAL;
    only valid compartment combinations:
    
    INTERNAL
    
    minimum clearance= INTERNAL;
    minimum sensitivity label= INTERNAL;
    minimum protect as classification= INTERNAL;

  4. Encode the LOCAL DEFINITIONS section as described in Chapter 4, Modifying Sun's Extensions in the Local Definitions Section, making sure to specify Default Label View is External.

  5. Configure labels not visible to users.

    See "To Configure Labels Not Visible to Users".

To Configure Labels Not Visible to Users

  1. When setting up user accounts using the Trusted Solaris Attributes tab on the SMC User Accounts tool, configure users to not see labels and to have only a single label in their label ranges.

    1. Make sure the Label View is set to External.

    2. Choose Show from the Labels menu.

  2. Specify the account's Clearance equal to its Minimum Label.

    With a clearance and label of INTERNAL_USE_ONLY, you would (naturally) set the Clearance and the Minimum Label to INTERNAL_USE_ONLY.

To Ensure Labels Map to CIPSO Labels

See the discussion in "Cautions About Mapping Labels to CIPSO Labels".

  1. Assume the Security Administrator role on the forwarding host and go to an ADMIN_LOW workspace.

    See "Administering as a Role" in Trusted Solaris Administrator's Procedures, if needed.

  2. Use the Admin Editor action to open the /etc/system file for editing.

    See "Accessing the Administration Tools" under "Administering Systems in an Administrative Role" in Trusted Solaris Administrator's Procedures, if needed.

  3. Add a line to set the tsol_admin_high_to_cipso flag equal to 1.


    set tsolsys:tsol_admin_high_to_cipso=1

    The kernel default, which does not appear in the /etc/system file, is 0.

  4. Write and quit the file.


    :wq

  5. Make sure that no label in the user accreditation range has the classification value of 255 with all compartment bits from 0 to 239.

    This step ensures that no label is indistinguishable from ADMIN_HIGH after mapping.

  6. Make sure that no user label has compartments numbered above 239.

    This step ensures that all labels are mappable to CIPSO labels.
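As an added example, not code from the Trusted Solaris documentation or product, the following Python parses a constructed label_encodings-style fragment written in the syntax shown under "To Specify Default and Inverse Words", shows which compartment words a label displays under the default (normal bit) and inverse (~ bit) rules, and applies the two checks from steps 5 and 6 of the CIPSO procedure above. The fragment, its snames (SUNFED, OS) and the bit-240 word are constructed; the ADMIN_HIGH check treats every compartment combination as valid, so it is conservative and ignores ACCREDITATION RANGE restrictions.

```python
import re
# Constructed label_encodings(4)-style fragment (not a site file): a default
# word (DO), an inverse word (SMCCA, ~4) and a word (OS) with bit 240.
ENCODINGS = """
CLASSIFICATIONS:
name= PUBLIC;  sname= P;  value= 1;
name= SUN FEDERAL;  sname= SUNFED;  value= 2; initial compartments= 4-5;
WORDS:
name= DIVISION ONLY;  sname= DO;  minclass= SUNFED; compartments= 4-5;
name= SMCC AMERICA;  sname= SMCCA; minclass= SUNFED; compartments= ~4;
name= SMCC WORLD;  sname= SMCCW; minclass= SUNFED; compartments= 5;
name= OVERSEAS;  sname= OS;  minclass= SUNFED; compartments= 240;
"""

def parse_bits(spec):
    """'4-5 ~7' -> (normal bits {4, 5}, inverse bits {7})."""
    normal, inverse = set(), set()
    for tok in spec.split():
        lo, _, hi = tok.lstrip("~").partition("-")
        target = inverse if tok.startswith("~") else normal
        target.update(range(int(lo), int(hi or lo) + 1))
    return normal, inverse

def parse_encodings(text):
    """Return ({sname: (value, initial bits)}, {sname: (normal, inverse)})."""
    classes, words = {}, {}
    for line in text.splitlines():
        fields = dict(re.findall(r"(\w[\w ]*?)\s*=\s*([^;]*?)\s*;", line))
        if "value" in fields:            # CLASSIFICATIONS entry
            init, _ = parse_bits(fields.get("initial compartments", ""))
            classes[fields["sname"]] = (int(fields["value"]), init)
        elif "compartments" in fields:   # WORDS entry
            words[fields["sname"]] = parse_bits(fields["compartments"])
    return classes, words

def words_in_label(bits, words):
    """Words a label with compartment bits `bits` displays: all normal bits
    set, all inverse (~) bits clear, so an inverse word appears when its bit drops."""
    return [w for w, (norm, inv) in words.items() if norm <= bits and not inv & bits]

def cipso_issues(classes, words, max_bit=239):
    """Steps 5 and 6 of the CIPSO procedure; assumes every compartment
    combination is valid, so the ADMIN_HIGH test is conservative."""
    reachable = set().union(*(norm for norm, _ in words.values()))
    issues = [f"{s}: indistinguishable from ADMIN_HIGH after mapping"
              for s, (val, init) in classes.items()
              if val == 255 and set(range(max_bit + 1)) <= init | reachable]
    issues += [f"{s}: compartment bit above {max_bit}" for s, (n, i) in words.items()
               if max(n | i, default=0) > max_bit]
    return issues
```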