Oracle Solaris Trusted Extensions Label Administration     Oracle Solaris 11 Express 11/10

Planning Labels in Trusted Extensions (Task Map)

Planning labels requires general knowledge of site security policy and specific knowledge of the syntax of the label_encodings file. The security administrator is responsible for planning labels.

The following task map describes the planning tasks and points to more information.

Task: Study and outline your label_encodings file.
Description: Make a label_encodings file that enforces your site security policy.
For Instructions: How to Plan for Labels

Task: Build an extensible label_encodings file.
Description: Create a file that can be modified without affecting existing label definitions.
For Instructions: How to Plan the Encodings File

How to Plan for Labels

  1. Allow time to build a correct label_encodings file.

    Building the encodings for a site and making them correct can be a time-consuming process. A system cannot be configured until the correct label_encodings file is installed.

  2. Know your site's security policy.

    Many sites already have a security policy that was developed according to government methods. Commercial businesses, even businesses that do not have much experience in planning labeled security, can start by examining their goals for information protection. These goals can be used to make some common-sense decisions about how to use labels. If the company has developed legal requirements for labeling printed information and email, those guidelines are a good place to start.

  3. Study the U.S. government's label_encodings file.

    The government's description of the file is in the Defense Intelligence Agency document Compartmented Mode Workstation Labeling: Encodings Format [DDS-2600-6216-93].

  4. Determine your site's entries in the LOCAL DEFINITIONS section of the file.

    For suggestions and examples, see Chapter 5, Customizing the LOCAL DEFINITIONS Section (Tasks).

  5. Finalize your encodings before installing Trusted Extensions.

    Changing the label_encodings file on a running system is risky. For more information, see the label_encodings(4) man page.

How to Plan the Encodings File

The following practices help you create a correct label_encodings file that can be safely extended later.


Caution - For CLASSIFICATIONS and COMPARTMENTS, the security administrator can later change the textual representation. However, the integer and bit values cannot be changed without potentially serious complications.

  1. Create a label_encodings file.

    For ideas, see Sources for Encodings Files. For the procedure, see Managing a Label Encodings File (Task Map).

  2. Leave gaps in the label_encodings file to add items.
    1. Leave gaps when you number classifications.

      For example, you could number classifications in increments of 10. The increments allow intermediate classifications to be added later.

    2. Leave gaps in compartment bits.

      Leave gaps in compartment bit numbers for possible later additions.

    3. Reserve some initial compartment bits for later definition.

      If your site uses inverse compartments, see Default and Inverse Words. To learn more about inverse compartments, see Compartmented Mode Workstation Labeling: Encodings Format.

  3. Determine classifications for the site.

    As described in Figure 1-2, the total number of classification values that you can use is 254. Do not use classification 0.

    A Trusted Extensions system treats a classification value of 10 as more security-sensitive than a classification value of 2. The textual representations are not used to determine security levels.

    The same classification value cannot be assigned to different names. Each classification must be higher or lower, or disjoint, from any other classification. Every classification must be distinct.

    A table can be used to plan classifications. For a completed example, see Table 6-2.

  4. Determine the compartments for the site.

    Decide how data and programs are grouped. Decide whether any data or programs can be intermixed. For example, perhaps purchase order data should not be viewable by programs that manage personnel files. Perhaps purchase order data should be accessible to programs that address shipment tracking problems.

    At this point, do not think in terms of users. Think of what, not who.

  5. Name the classifications and compartments.

    CLASSIFICATIONS and WORDS (for compartments) in the label_encodings file have two forms: a mandatory long name and an optional short name. Short names can be used interchangeably with long names when labels are being specified.

  6. Arrange the relationships among the classifications and among the compartments.

    Compartments are not intrinsically hierarchical. However, compartments can be configured to have hierarchical relationships. Before setting up relationships, study the example section in Compartmented Mode Workstation Labeling: Encodings Format.

    To make this step easier, use a large board and pieces of paper that represent your classifications and compartments. For an example, see Figure 2-1. With this method, you can visualize the relationships and rearrange the pieces until they all fit together.

    Note - Unless you are creating a set of encodings that must be compatible with another organization's labels, you can assign any valid number as a compartment bit. Keep track of the numbers that you use and their relationships to each other.

    Figure 2-1 Sample Planning Board for Label Relationships

    [Illustration: a board to help administrators plan label assignments.]

  7. Arrange the labels in order of increasing sensitivity.

  8. Decide which clearances to assign to which users.

    You can use a table to plan clearances. For a completed example, see Table 6-5.

    When you assign a clearance to a user, the classification component of the clearance must dominate all classifications at which the user can work. The clearance can be equal to the user's highest work classification. The compartment component of the clearance must include all compartments that the user might need.

  9. Associate the definitions for each compartment with an internal format of integers, bit patterns, and logical relationship statements.

    A table can be used to track compartment bit assignments. For a completed example, see Table 6-4.

  10. Copy the WORDS section under SENSITIVITY LABELS to the INFORMATION LABELS section.

    Although Trusted Extensions does not support information labels, the INFORMATION LABELS: WORDS: section must be identical to the SENSITIVITY LABELS: WORDS: section to be a valid encodings file.

  11. Decide which colors to associate with which labels.

    For suggestions and examples, see Specifying Colors for Labels.

  12. Analyze the label relationships.

    On a system that is configured with Trusted Extensions, use the chk_encodings -a command to generate a detailed report on the label relationships in your label_encodings file.

    # chk_encodings -a encodings-file
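
    Before the plan is written into a label_encodings file, the planning tables from the steps above can be checked off-system. The following Python sketch is an added example, not part of the Oracle documentation or of Trusted Extensions: it checks classification values for range, reuse, and missing gaps, and checks that a planned clearance dominates every label the user must work at. All names, values, and bit numbers are constructed; the usable range 1-254 is an assumption taken from the page's "254 values, not 0", and inverse compartments are not modeled.

```python
# Constructed planning sheet: every name, value and bit number is illustrative.
CLASSIFICATIONS = {"PUBLIC": 10, "INTERNAL": 20, "RESTRICTED": 30}
COMPARTMENTS = {"PURCHASING": {10}, "SHIPPING": {12}, "PERSONNEL": {20}}


def check_classifications(classes, lowest=1, highest=254):
    """Return planning problems: out-of-range, reused or gapless values."""
    problems, owner = [], {}
    for name, value in classes.items():
        if not lowest <= value <= highest:  # assumed usable range, 0 excluded
            problems.append(f"{name}: value {value} is outside {lowest}-{highest}")
        if value in owner:
            problems.append(f"{name}: value {value} already names {owner[value]}")
        owner.setdefault(value, name)
    ordered = sorted(owner)
    for low, high in zip(ordered, ordered[1:]):
        if high - low == 1:  # adjacent values leave no room to insert later
            problems.append(f"no room between {owner[low]} and {owner[high]}")
    return problems


def encode(label):
    """Turn ("CLASS", {"WORD", ...}) into (value, set of compartment bits)."""
    classification, words = label
    bits = set()
    for word in words:
        bits |= COMPARTMENTS[word]
    return CLASSIFICATIONS[classification], bits


def dominates(clearance, label):
    """True when the clearance's value is >= and its bits are a superset."""
    c_value, c_bits = encode(clearance)
    l_value, l_bits = encode(label)
    return c_value >= l_value and c_bits >= l_bits


def uncovered(clearance, work_labels):
    """Return the work labels that the planned clearance fails to dominate."""
    return [label for label in work_labels if not dominates(clearance, label)]


if __name__ == "__main__":
    print(check_classifications(CLASSIFICATIONS))
    buyer = ("INTERNAL", {"PURCHASING", "SHIPPING"})
    print(uncovered(buyer, [("PUBLIC", set()), ("INTERNAL", {"PERSONNEL"})]))
```

    A non-empty result from either function is a planning error to resolve on paper; chk_encodings -a remains the authoritative check once the file exists.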