Chapter 4 Modifying Sun's Extensions in the Local Definitions Section

This chapter describes what the Security Administrator role needs to know to define the values in the LOCAL DEFINITIONS section of the label_encodings(4) file. This chapter includes these topics:

• "Values Specified in the LOCAL DEFINITIONS Section"

• "Specifying Whether Other Labels are Substituted for Administrative Labels"

• "Changing Label Component Names on Label Builders"

• "Specifying Colors for Labels"

This chapter includes these procedures:

• "To Specify the System Default for Administrative Label Names"

• "To Specify a Default User Clearance and Minimum Label"

• "To Change Label Component Names Used in Label Builders"

• "To Assign a Color to a Label or Word"

LOCAL DEFINITIONS Section

The Trusted Solaris environment uses additional keywords beyond those defined in the government-furnished Compartmented Mode Workstation Labeling: Encodings Format. The following example shows the optional LOCAL DEFINITIONS section of the default label_encodings file.

Example 4-1 LOCAL DEFINITIONS section of label_encodings file

LOCAL DEFINITIONS:
*
*       The names for the administrative high and low name are set to
*       site_high and site_low respectively by the example commands below.
*
*       NOTE:  Use of these options could lead to interoperability problems
*       with machines that do not have the same alternate names.
*
*Admin Low Name=  site_low;
*Admin High Name= site_high;

default flags= 0x0;
forced flags= 0x0;

Default Label View is External;

Classification Name= Class;
Compartments Name= Comps;

Default User Sensitivity Label= u;
Default User Clearance= c;

COLOR NAMES:

	label= Admin_Low; color= #bdbdbd;

	label= u;       color= green;
	label= c;       color= blue;

	label= s;       color= yellow;
	label= ts;      color= red;

	word= sb;       color= cyan;
	word= cc;       color= magenta;

	label= Admin_High; color= #636363;
* End of local site definitions

Values Specified in the LOCAL DEFINITIONS Section

The Security Administrator role can do the following using keywords in the LOCAL DEFINITIONS section (shown in :

• Replace names for administrative labels with administrator-defined alternates.

  The renaming of administrative label names can cause interoperability options and is highly discouraged.

• Substitute other valid low and high label names in the user accreditation range for the ADMIN_HIGH and ADMIN_LOW administrative labels.

  See "Specifying Whether Other Labels are Substituted for Administrative Labels".

• Specify a user clearance and user minimum label.

  You only need to specify a user clearance or minimum label here if they should be different from the mandatory minimum clearance= and minimum sensitivity label= definitions in the ACCREDITATION RANGE: section.

  See "To Specify a Default User Clearance and Minimum Label".

• Specify alternate names for classifications and compartments to be used on label builder dialog boxes.

  See "To Change Label Component Names Used in Label Builders".

• Specify which colors are assigned to labels.

  Even though the color definitions are optional, assigning colors to labels is highly recommended.

  See "To Assign a Color to a Label or Word".

The Trusted Solaris 7 operating environment and later releases do not support flags. Leave the default flags values as they are shown in Example 4-1.

For more details on Trusted Solaris extensions to the label encodings keywords, see label_encodings(4).

Specifying Whether Other Labels are Substituted for Administrative Labels

The optional Default Label View defined in the installed label_encodings. Without a definition in the label_encodings file, the default system-wide setting is External.

• The Default Label View set in the label_encodings file is system-wide.

• The system-wide label view can be overridden by the label view assigned to individual user and role accounts.

• Programs can set their own label views.

The relation between these various settings is described in "Specifying Whether Users See Administrative Labels' Names" in Chapter 1, Introduction to Trusted Solaris Label Encodings.

To change the system-wide specification, see "To Specify the System Default for Administrative Label Names".

The optional Default Label View must be specified before the Color Names section.

Changing Label Component Names on Label Builders

The following figure shows the names CLASS and COMPS used on the Multilabel Login: Setting Session Clearance dialog box.

Figure 4-1 Label Component Names on Example Label Builder

To replace the classification and compartment names, see "To Change Label Component Names Used in Label Builders".

Specifying Colors for Labels

In the LOCAL DEFINITIONS: section, the COLOR NAMES: keyword is followed by zero or more color assignments. The default color values are shown in the following figure.

Example 4-2 COLOR NAMES Section in the LOCAL DEFINITIONS Section of label_encodings File

COLOR NAMES:

	label= Admin_Low; color= #bdbdbd;


	label= u;       color= green;
	label= c;       color= blue;

	label= s;       color= yellow;
	label= ts;      color= red;

	word= sb;       color= cyan;
	word= cc;       color= magenta;

	label= Admin_High; color= #636363;
*
* End of local site definitions

In the COLOR NAMES section, the Security Administrator role assigns colors to words and to labels, The color name can be either a text color name or a hexadecimal color value to be associated with a word or a label. How to specify color values is discussed in "Color Values". A full discussion of how to specify color is outside the scope of this guide. See the discussion under "Color Specification" in the O`Reilly and Associates, Inc. XWindows Systems User's Guide (Vol. III), ISBN number 0-937175-29-3 for more information, if desired.

The color assigned to a label's component displays as a background color whenever a label includes the specified label components, according to the ordering rules described below. See Figure 4-2 for an example of how the color is used. Although the example is not in color, the PUBLIC, INTERNAL, and NTK_SALES workspace buttons are colored differently than the standard workspace buttons.

The windows software computes a complementary color for the lettering.

Figure 4-2 Window Label with a Background Color from COLOR NAMES

Order of Color Specification

Colors are assigned to labels and to words within labels using the two following syntaxes:

word= label name;     color= color name
or
label= label name;     color= color name;

The color used for any label is determined by the order of any defined entries that are part of the label.

1. If a label contains a compartment word that has one or more colors specified, the color value associated with the first word= value is used.

2. If a label contains none of the compartment words that are associated with colors, if any exact match exists for the label name, then the specified color is used.

3. If there is no exact match for the label name, the color associated with the first specified label= value for the classification of the label is used.

4. If the classification has no color assigned, the color assigned to the first label that contains the same classification is used.

   Following rule 3 in a system with the color definitions shown in the following screen, the label TS A displays with a yellow background because yellow is the color assigned to the TS classification. With the same definitions, any label with the C classification displays with the color blue, unless the label also contains the word B, in which case it displays with the color orange. However, any label with the U classification always displays with the color green (because B is defined elsewhere in the encodings as having a minclass of C, so it never appears in the same label with the classification U).

Example 4-3 Colors Assigned to Words and Labels

label= u;       color= green
label= c;       color= blue
label= S;       color= red;
word= B;        color= orange;
label= TS;      color= yellow;
label= TS SA;   color= khaki;

Example 4-4 Colors Assigned to Words and Labels

Following rule 4 in a system with the color definitions shown in the following example, TS A displays with the khaki background color because the TS classification did not have a color assigned, and TS SA is the only label that includes the TS classification and that has a color (khaki) assigned.

        label= u;       color= green
        label= c;       color= blue
        label= S;       color= red;
        word= B;        color= orange;
        label= TS SA;   color= khaki;

Color Values

The /usr/openwin/lib/rgb.txt database translates color names into red, green, blue values. You can either refer to the rgb.txt file for color names to use for your site's labels or use hexadecimal color values.

Briefly, here are a few high-level points about color values:

• Color values specify the amount of red, green, and blue (RGB) that compose the color.

• RGB values can be specified with three hexadecimal numbers from 0 to FF; each of which indicates the amount of red, green, and blue present in the color.

  For example, pure red is #FF0000, pure green is #00FF00, pure blue is #0000FF, pure white is #FFFFFF, and pure black is #000000.

• The number of colors available on the screen depends on the amount of memory available for specifying colors and number of color planes, on how many other window clients are using color cells, and whether private color maps are being used by other applications.

To minimize conflicts you should use color names or hexadecimal color values that you know have been specified for other applications that display without color flashing.

The default color values defined in Trusted Solaris label_encodings COLOR NAMES section have been chosen with these caveats in mind (see the following table).

See "To Assign a Color to a Label or Word".

Planning Color Names

The following table may be used for planning color names.

Procedures for Modifying Sun Extensions

To Specify the System Default for Administrative Label Names

1. In the Security Administrator role in an ADMIN_HIGH workspace, open the label_encodings file for editing.

   See "To Modify the label_encodings File", if needed.

2. Find the lines in the LOCAL DEFINITIONS section that define the Default Label View.

   Default Label View Is External

3. To allow the label names to display, ensure that the line that begins Default Label View is set to Internal.

   Default Label View Is Internal

4. When you are done, save and close the file.

To Change Label Component Names Used in Label Builders

1. In the Security Administrator role in an ADMIN_HIGH workspace, open the label_encodings file for editing.

   See "To Modify the label_encodings File", if needed.

2. Find the line in the LOCAL DEFINITIONS section that defines the labels components names used in label builder dialog boxes.

   Classification Name= Class; Compartments Name= Comps;

3. If desired, change the defaults Class, and Comps.

   The example shows the alternate names used in label_encodings.simple.

   Classification Name= Classification; Compartments Name= Departments;

4. If you are done, save and close the file.

To Specify a Default User Clearance and Minimum Label

1. In the Security Administrator role in an ADMIN_HIGH workspace, open the label_encodings file for editing.

   See "To Modify the label_encodings File", if needed.

2. Find the line in the LOCAL DEFINITIONS section that begins with Default User Sensitivity Label.

   Default User Sensitivity Label= u; Default User Clearance= c;

3. Replace the Sensitivity Label with your desired minimum user label:

   The following example shows a new minimum label of c.

   Default User Sensitivity Label= c;

4. Replace the Clearance with your desired user clearance:

   The following example shows a new clearance of s.

   Default User Clearance= c;

5. If you are done, save and close the file.

To Assign a Color to a Label or Word

If no color is defined for a classification in the COLOR NAMES section of the label_encodings file, the color black is used.

1. In the Security Administrator role, open the label_encodings file for editing.

   See "To Modify the label_encodings File", if needed.

2. Find the COLOR NAMES section.

   COLOR NAMES: label= Admin_Low; color= #bdbdbd; label= u; color= green; label= c; color= blue; label= s; color= yellow; label= ts; color= red; word= sb; color= cyan; word= cc; color= magenta; label= Admin_High; color= #636363;

3. Optionally, define colors for individual compartment words.

   To distinguish certain compartment words irrespective of the classification with which they may be associated, assign a separate color to those words.

   word= EMG; color= RedOrange;

4. Optionally, define colors for labels.

   In the example, the color assigned to NEED_TO_KNOW SYSADM is bluePurple.

   label= NEED TO KNOW SYSADM; color= bluePurple;

5. Make sure a color is defined for each classification.

   If a color is not defined for a classification, the background color used is black, so, make sure to define every classification.

   In the screen below, the classification REGISTERED is assigned the color red, and the NEED_TO_KNOW SYSADM classification is assigned the color blue.

   label= REGISTERED; color= red; label= NEED TO KNOW; color= blue;

6. If you are done, save and close the file.