Oracle Solaris Trusted Extensions Label Administration     Oracle Solaris 11 Express 11/10
Managing a Label Encodings File (Task Map)


Caution - The safest time to modify a label_encodings file is when the first host is installed. Proceed with caution when modifying a file that is in use. For details, see the label_encodings(4) man page.


The following task map describes the tasks for modifying and installing a label_encodings file.

Task                                         For Instructions
Create or modify the label_encodings file.   How to Create a label_encodings File
Test the label_encodings file.               How to Analyze and Verify the label_encodings File
Distribute the label_encodings file.         How to Distribute the label_encodings File
Debug a label_encodings file.                How to Debug a label_encodings File
Change a classification definition.          How to Add or Rename a Classification
Create default or inverse words.             How to Specify Default and Inverse Words
Customize a single-label file.               How to Create a Single-Label Encodings File
Specify a label name.                        Example 3-9 Changing the Single Label Name
Add a LOCAL DEFINITIONS section.             Chapter 5, Customizing the LOCAL DEFINITIONS Section (Tasks)

How to Create a label_encodings File

For sample files, see the /etc/security/tsol directory on an installed system. The files are described in Encodings Files From Trusted Extensions.

You can create a label_encodings file before you install Trusted Extensions on your first system. On that first system, you check the file. You can also create this file on the first system that you install with Trusted Extensions. The label_encodings file must be accurate and tested before a second system is configured with Trusted Extensions.

Before You Begin

On a system that is configured with Trusted Extensions, you must be in the Security Administrator role in the global zone. On other systems, you can create and edit the file in any text editor.

  1. Create a backup copy of the original label encodings file.
    # cp encodings-filename encodings-filename.orig
  2. In an editor, open the label encodings file.
  3. Modify the label encodings file.

    For details, see How to Plan the Encodings File.

  4. Save your changes.

Next Steps

Continue with How to Analyze and Verify the label_encodings File.

How to Analyze and Verify the label_encodings File

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Check the label definitions and the relationships of the labels.

    In a terminal, use the chk_encodings -a command to analyze and report on label relationships.

    $ /usr/sbin/chk_encodings -a encodings-file

    If the file does not pass, see How to Debug a label_encodings File for assistance. Do not continue to the next step until the file represents your label relationships correctly.

  2. Verify the syntax of the file.
    1. Run the chk_encodings command.
      # /usr/sbin/chk_encodings encodings-file
    2. Resolve errors.

      If the command reports errors, the errors must be resolved before continuing.

  3. Make the file the active label_encodings file.
    # cp /full-pathname-of-label-encodings-file \
         /etc/security/tsol/label.encodings.site
    # cd /etc/security/tsol
    # cp label_encodings label_encodings.tx.orig
    # cp label.encodings.site label_encodings
  4. Test the encodings file.

    Where possible, test the file on a few systems before approving the file for all systems at your site. For example, install one labeled system as a file server and another labeled system as a user's system. Communicate between the two at all labels. Transfer files at all labels, and so on.

Next Steps

When the file is ready to be installed on the network, see How to Distribute the label_encodings File.

How to Distribute the label_encodings File

  1. Create a master copy of the label_encodings file.

    For copying instructions, see How to Copy Files to Portable Media in Trusted Extensions in Oracle Solaris Trusted Extensions Configuration and Administration.


    Note - Store the master copy on labeled media in a protected location.


  2. Immediately after installing a system with Trusted Extensions, copy the master file onto the system.

    For copying instructions, see How to Copy Files From Portable Media in Trusted Extensions in Oracle Solaris Trusted Extensions Configuration and Administration.

How to Add or Rename a Classification

Before You Begin

You must be in the Security Administrator role in the global zone. You can add classifications only if you left gaps in the classification numbers when you created the label_encodings file.

  1. Back up the label_encodings file.
    # cp label_encodings label_encodings.orig
  2. Edit the label_encodings file.
    # /usr/bin/gedit encodings-file
  3. Update the version number.

    In the VERSION= section, update the version number and the date.

    VERSION= Sun Microsystems, Inc. Example Version - 5.11 09/05/28

    SCCS keywords can be used for the version number and the date, as in the following line. For details, see the sccs(1) man page.

    VERSION= Sun Microsystems, Inc. Example Version - %I% %E%
  4. Add or rename the classification by performing one of the following:
    • In the CLASSIFICATIONS section, add the new classification.

      Specify a long name, short name, and numeric value.

      name= REGISTERED; sname= R; value= 15; 
    • In the CLASSIFICATIONS section, rename an existing classification.

      A line that begins with an asterisk (*) is a comment, so the old definition can be kept as a comment next to the new one:

      * name= INTERNAL_USE_ONLY; sname= IUO; value= 12; 
      name= INTERNAL; sname= I; value= 12; 
  5. Add the new classification to the ACCREDITATION RANGE section.

    The following example shows three new classifications that are added to the ACCREDITATION RANGE section. Each classification is specified with all compartment combinations valid.


    Note - If you rename a classification, update the name in the ACCREDITATION RANGE section.


    ACCREDITATION RANGE:
    
    classification= UNCLASSIFIED;        all compartment combinations valid;
    
    * i is new in this file
    classification= INTERNAL_USE_ONLY;   all compartment combinations valid;
    
    * n is new in this file
    classification= NEED_TO_KNOW;        all compartment combinations valid;
    
    classification= CONFIDENTIAL;        all compartment combinations valid except:
    c
    c a
    c b
    
    classification= SECRET;               only valid compartment combinations:
    . . .
    * r is new in this file
    classification= REGISTERED;           all compartment combinations valid;
  6. Adjust the ACCREDITATION RANGE section, if necessary.

    You might need to make the new classification a minimum classification.

    minimum clearance= u; 
    minimum sensitivity label= u; 
    minimum protect as classification= u;

    Note - Make sure that you set a minimum clearance that is dominated by all the clearances that you plan to assign to users. Similarly, make sure that the minimum sensitivity label is dominated by all the minimum labels that you plan to assign to users.


Next Steps

Verify the file by performing How to Analyze and Verify the label_encodings File.

Distribute the file by following How to Distribute the label_encodings File.

How to Specify Default and Inverse Words

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Back up the label_encodings file.
    # cp label_encodings label_encodings.orig
  2. Edit the label_encodings file.
    # /usr/bin/gedit encodings-file
  3. Specify initial compartments.

    In the CLASSIFICATIONS section, specify the initial compartments as part of the classification definition. For example, in the following CLASSIFICATIONS section, WEB COMPANY has two initial compartments, 4 and 5:

    CLASSIFICATIONS:
    name= PUBLIC;  sname= P;  value= 1;
    name= WEB COMPANY;  sname= WEBCO;  value= 2; initial compartments= 4-5 ;
  4. Specify a default word by assigning an initial compartment bit to the word.

    In the following example, the initial compartment bits, 4 and 5, are assigned to three words:

    name= DIVISION ONLY;  sname= DO;  minclass=  IUO; compartments= 4-5;
    name= WEBC AMERICA;  sname= WEBCA; minclass= IUO; compartments= 4;
    name= WEBC WORLD;  sname= WEBCW; minclass= IUO; compartments= 5;
  5. Specify an inverse word.

    Inverse words are created by preceding an initial compartment with a tilde (~).

    In the following example, the initial compartment bits, 4 and 5, are preceded by a tilde in the WEBC words:

    name= DIVISION ONLY;  sname= DO;  minclass=  IUO; compartments= 4-5;
    name= WEBC AMERICA;  sname= WEBCA; minclass= IUO; compartments= ~4;
    name= WEBC WORLD;  sname= WEBCW; minclass= IUO; compartments= ~5;
  6. Save your changes.
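The following is an added example, not code from the Oracle guide, that models how the initial compartments, default words and inverse words from steps 3 to 5 interact. It uses the page's WEB COMPANY classification (initial compartments 4 and 5) and its DO, WEBCA and WEBCW words; the function names and the simplified rule it applies (a word belongs to a label when every bit the word names is in the state it requires: set for a plain bit, clear for a ~bit) are this example's own.

```python
"""Added example (not code from the Oracle guide): how initial compartments,
default words and inverse words interact, using the page's WEB COMPANY
classification (initial compartments 4 and 5) and its DO / WEBCA / WEBCW words.
The rule applied here is a simplification: a word belongs to a label when every
bit it names is in the required state (set for a plain bit, clear for a ~bit)."""


def parse_bits(spec):
    """Parse a compartments= value such as '4-5', '~4' or '4-5 190-239' into
    (bits that must be set, bits that must be clear). A leading '~' marks an
    inverse bit, as in step 5 of the procedure."""
    must_set, must_clear = set(), set()
    for token in spec.split():
        inverse = token.startswith("~")
        lo, _, hi = token.lstrip("~").partition("-")
        target = must_clear if inverse else must_set
        target.update(range(int(lo), int(hi or lo) + 1))
    return must_set, must_clear


def words_in_label(label_bits, words):
    """Return the snames of the words satisfied by a label's compartment bits."""
    present = []
    for _name, sname, spec in words:
        must_set, must_clear = parse_bits(spec)
        if must_set <= label_bits and not (must_clear & label_bits):
            present.append(sname)
    return present


def is_default_word(spec, initial):
    """A word is a default word of a classification when the classification's
    initial compartments already satisfy it (step 4)."""
    must_set, must_clear = parse_bits(spec)
    return must_set <= initial and not (must_clear & initial)


# From the page: WEB COMPANY has initial compartments= 4-5.
WEBCO_INITIAL = frozenset({4, 5})

# Step 4 on the page: all three words are carried by the initial bits.
DEFAULT_WORDS = [
    ("DIVISION ONLY", "DO", "4-5"),
    ("WEBC AMERICA", "WEBCA", "4"),
    ("WEBC WORLD", "WEBCW", "5"),
]

# Step 5 on the page: the WEBC words become inverse words.
INVERSE_WORDS = [
    ("DIVISION ONLY", "DO", "4-5"),
    ("WEBC AMERICA", "WEBCA", "~4"),
    ("WEBC WORLD", "WEBCW", "~5"),
]


def demo():
    """Show which words appear as bits are turned off from the initial state."""
    return {
        "default words, initial bits": words_in_label(WEBCO_INITIAL, DEFAULT_WORDS),
        "inverse words, initial bits": words_in_label(WEBCO_INITIAL, INVERSE_WORDS),
        "inverse words, bit 4 off": words_in_label(WEBCO_INITIAL - {4}, INVERSE_WORDS),
        "inverse words, both off": words_in_label(frozenset(), INVERSE_WORDS),
    }


if __name__ == "__main__":
    for case, snames in demo().items():
        print(f"{case}: {' '.join(snames) or '(no words)'}")
```

With the step 4 definitions, a WEBCO label in its initial state already carries DO, WEBCA and WEBCW. With the step 5 definitions, the same initial state carries only DO; clearing bit 4 makes WEBCA appear and DO disappear, which is how an inverse word makes the removal of a default compartment visible in the label name.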

Next Steps

Verify the file by performing How to Analyze and Verify the label_encodings File.

Troubleshooting

For any compartment bits that are not reserved for later assignment, you need to assign a word to the bit in the following sections:

How to Create a Single-Label Encodings File

Certain labels must always be present in a label_encodings file:

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Open an existing encodings file or create a new one.

    Provide a name that is different from the installed label_encodings file.

    # /usr/bin/gedit label_encodings.myco.single
  2. Specify one classification and only the desired compartments.

    For example, you could set up an encodings file with the INTERNAL_USE_ONLY classification, and specify no words.

    VERSION= MyCompany Single-Label Encodings - 1.01 10/10/10
    . . .
    CLASSIFICATIONS:
    
    name= INTERNAL_USE_ONLY;       sname= INTERNAL;  value= 5;
    
    INFORMATION LABELS:
    
    WORDS:
    
    SENSITIVITY LABELS:
    
    WORDS:
    
    CLEARANCES:
    
    WORDS:
    
    CHANNELS:
    
    WORDS:
    
    PRINTER BANNERS:
    
    WORDS:
  3. In the ACCREDITATION RANGE section, include only one classification and one valid compartment combination.

    In the following example, the INTERNAL classification is encoded.

    ACCREDITATION RANGE:
    
    classification= INTERNAL;
    only valid compartment combinations:
    
    INTERNAL
    
    minimum clearance= INTERNAL;
    minimum sensitivity label= INTERNAL;
    minimum protect as classification= INTERNAL;
  4. Add and modify the LOCAL DEFINITIONS section.

    For details, see Modifying Oracle Extensions (Task Map).

Example 3-8 Defining the Accreditation Range in a Single-Label Encodings File

The following example shows the settings in the ACCREDITATION RANGE section for a single-level label encodings file. A single ANY_CLASS classification is defined. Compartment words A, B, and REL CNTRY1 are specified for all types of labels.

ACCREDITATION RANGE:

classification= ANY_CLASS;      only valid compartment combinations:

ANY_CLASS A B REL CNTRY1

minimum clearance= ANY_CLASS A B REL CNTRY1;
minimum sensitivity label= ANY_CLASS A B REL CNTRY1;
minimum protect as classification= ANY_CLASS;

Example 3-9 Changing the Single Label Name

In this example, the label_encodings.example file is changed to handle a single-label company. The name= value is changed from SECRET to INTERNAL_USE_ONLY. The sname= value is changed from s to INTERNAL. Neither the value= nor the initial compartments= definition is changed.

CLASSIFICATIONS:
name= INTERNAL_USE_ONLY;  sname= INTERNAL;  value= 5; initial compartments= 4-5 190-239;

In the ACCREDITATION RANGE section, the short name of the classification is replaced. Also, the minimum values are replaced with the new sname.

ACCREDITATION RANGE:

classification= INTERNAL;      only valid compartment combinations:

INTERNAL

minimum clearance= INTERNAL;
minimum sensitivity label= INTERNAL;
minimum protect as classification= INTERNAL;

Next Steps

Verify the file by performing How to Analyze and Verify the label_encodings File.

Distribute the file by following How to Distribute the label_encodings File.

How to Debug a label_encodings File

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. In an editor, check the entries in the INFORMATION LABELS: WORDS: section.

    The entries must exactly match the entries in the SENSITIVITY LABELS: WORDS: section.


    Tip - Encode the sensitivity label words, then copy the words to the INFORMATION LABELS section.


  2. Check that no label in the user accreditation range has a value of 0 with no compartment bits.

    This step ensures that no label is indistinguishable from the label ADMIN_LOW.

  3. Check that no label in the user accreditation range has a value of 255 with all compartment bits from 0 to 239.

    This step ensures that no label is indistinguishable from the label ADMIN_HIGH.

  4. Check that no compartment has a value higher than 239.

    This step ensures that all labels can be mapped to CIPSO labels.

  5. For labels that cannot be resolved, do the following:
    1. Reset any objects with the new labels to a low system label, ADMIN_LOW.
    2. Restore a known, usable label_encodings file from backup.
    3. Use the chk_encodings -a command to analyze the label problems in the faulty file.
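The following is an added example, not code from the Oracle guide, that runs the checks of steps 1 to 4 above, plus the renamed-classification note from How to Add or Rename a Classification, over label_encodings text offline. It understands only the subset of the syntax that appears on this page (name=, sname=, value=, initial compartments=, compartments= and classification= lines, with * comments); the section names, regexes and the two constructed sample files are this example's own, and chk_encodings on the Trusted Extensions host remains the authoritative check.

```python
"""Added example (not code from the Oracle guide): an offline pre-check that
applies the checks from "How to Debug a label_encodings File" and the rename
note from "How to Add or Rename a Classification" to label_encodings text.
It understands only the subset of the syntax shown on the page."""
import re

FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)=\s*([^;]*?)\s*;")
SECTION_RE = re.compile(
    r"^(VERSION|CLASSIFICATIONS|INFORMATION LABELS|SENSITIVITY LABELS|CLEARANCES|"
    r"CHANNELS|PRINTER BANNERS|ACCREDITATION RANGE|LOCAL DEFINITIONS)\s*[:=]")
MAX_CIPSO_BIT = 239  # CIPSO labels carry compartment bits 0-239 (debug step 4)

def split_sections(text):
    """Group lines under their top-level section; '*' comments and 'WORDS:' sub-headers are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*") or line == "WORDS:":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def fields(line):
    """'name= X; sname= Y; value= 5;' -> {'name': 'X', 'sname': 'Y', 'value': '5'}"""
    return {k.strip().lower(): v for k, v in FIELD_RE.findall(line)}

def bits(spec):
    """Expand '4-5 190-239' (tokens may start with '~') into a set of bit numbers."""
    out = set()
    for tok in spec.split():
        lo, _, hi = tok.lstrip("~").partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def check_encodings(text):
    """Return a list of findings; an empty list means every check passed."""
    s, findings = split_sections(text), []
    norm = lambda lines: [" ".join(l.split()) for l in lines]  # collapse whitespace
    # Debug step 1: INFORMATION LABELS words must exactly match SENSITIVITY LABELS words.
    if norm(s.get("INFORMATION LABELS", [])) != norm(s.get("SENSITIVITY LABELS", [])):
        findings.append("INFORMATION LABELS words differ from SENSITIVITY LABELS words")
    by_name = {}
    for f in map(fields, s.get("CLASSIFICATIONS", [])):
        if "name" in f:
            by_name[f["name"].lower()] = by_name[f.get("sname", f["name"]).lower()] = f
    # Rename note: every classification= in ACCREDITATION RANGE must still resolve.
    in_range = []
    for line in s.get("ACCREDITATION RANGE", []):
        m = re.match(r"classification=\s*([^;]+);", line)
        if m and m.group(1).strip().lower() in by_name:
            in_range.append(by_name[m.group(1).strip().lower()])
        elif m:
            findings.append(f"ACCREDITATION RANGE refers to undefined classification {m.group(1).strip()!r}")
    # Debug steps 2 and 3: nothing in the user accreditation range may look like ADMIN_LOW
    # (value 0, no bits) or ADMIN_HIGH (value 255, bits 0-239); only initial compartments are inspected.
    for f in in_range:
        value, initial = int(f.get("value", "0")), bits(f.get("initial compartments", ""))
        if value == 0 and not initial:
            findings.append(f"{f['name']}: value 0 with no compartments is indistinguishable from ADMIN_LOW")
        if value == 255 and initial >= set(range(MAX_CIPSO_BIT + 1)):
            findings.append(f"{f['name']}: value 255 with all compartments is indistinguishable from ADMIN_HIGH")
    # Debug step 4: every compartment bit must be <= 239 so that labels map to CIPSO.
    for section in ("CLASSIFICATIONS", "INFORMATION LABELS", "SENSITIVITY LABELS", "CLEARANCES"):
        for line in s.get(section, []):
            f = fields(line)
            for key in ("compartments", "initial compartments"):
                high = sorted(b for b in bits(f.get(key, "")) if b > MAX_CIPSO_BIT)
                if high:
                    findings.append(f"{f.get('name', line)}: compartment bit(s) {high} exceed {MAX_CIPSO_BIT}")
    return findings

# Constructed samples for this example; not taken from the page or any site file.
GOOD = """\
CLASSIFICATIONS:
name= PUBLIC;  sname= P;  value= 1;
name= WEB COMPANY;  sname= WEBCO;  value= 2; initial compartments= 4-5 ;
INFORMATION LABELS:
name= WEBC AMERICA;  sname= WEBCA;  minclass= P; compartments= ~4;
SENSITIVITY LABELS:
name= WEBC AMERICA;  sname= WEBCA;  minclass= P; compartments= ~4;
ACCREDITATION RANGE:
classification= P;      all compartment combinations valid;
classification= WEBCO;  all compartment combinations valid;
"""
BAD = """\
CLASSIFICATIONS:
name= NONE;  sname= N;  value= 0;
name= INTERNAL;  sname= I;  value= 12;
INFORMATION LABELS:
SENSITIVITY LABELS:
WORDS:
name= OVERFLOW;  sname= OVF;  minclass= I; compartments= 240;
ACCREDITATION RANGE:
classification= N;                  all compartment combinations valid;
classification= INTERNAL_USE_ONLY;  all compartment combinations valid;
"""
```

Running `check_encodings(GOOD)` returns an empty list; `check_encodings(BAD)` reports four findings: the INFORMATION LABELS and SENSITIVITY LABELS words differ, the ACCREDITATION RANGE still names INTERNAL_USE_ONLY after the rename, NONE would collide with ADMIN_LOW, and compartment bit 240 cannot be carried in a CIPSO label.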