3. Making a Label Encodings File (Tasks)
Managing Label Encodings (Task Map)
How to Create a label_encodings File
How to Analyze and Verify the label_encodings File
How to Distribute the label_encodings File
How to Add or Rename a Classification
How to Specify Default and Inverse Words
How to Create a Single-Label Encodings File
Caution - The safest time to modify a label_encodings file is when the first host is installed. Proceed with caution when modifying a file that is in use. For details, see the label_encodings(4) man page.
The following task map describes the tasks for modifying and installing a label_encodings file.
For sample files, see the /etc/security/tsol directory on an installed system. The files are described in Labels Files in Solaris Trusted Extensions Packages.
You can create this file before you install Trusted Extensions on your first system, and then check the file on that first system. Alternatively, you can create the file on the first system that you install with Trusted Extensions. This procedure must be completed before a second computer is configured with Trusted Extensions.
On a system that is configured with Trusted Extensions, you must be in the global zone in the Security Administrator role. On other systems, you can create and edit the file in any editor.
In CDE, the Trusted_Extensions folder in the Application Manager contains two actions for the encodings file:
Edit Encodings - Edits and checks the syntax of the specified label_encodings file.
Check Encodings - Checks the syntax of a specified label_encodings file.
For details, see How to Plan the Encodings File.
You must be in the global zone in the Security Administrator role.
In a terminal, use the chk_encodings -a command to analyze and report on label relationships.
$ chk_encodings -a encodings-file
The Check Encodings action runs the chk_encodings command on the specified file.
Do you want to install this label_encodings file? yes
Where possible, test the file on a few systems before approving the file for all systems at your site.
For copying instructions, see How to Copy Files to Portable Media in Trusted Extensions in Oracle Solaris Trusted Extensions Configuration Guide.
For copying instructions, see How to Copy Files From Portable Media in Trusted Extensions in Oracle Solaris Trusted Extensions Configuration Guide.
You must be in the Security Administrator role in the global zone.
Use the Edit Encodings action. For details, see How to Create a label_encodings File.
In the VERSION= section, put your site's name, a title for the file, a version number, and the date.
VERSION= Sun Microsystems, Inc. Example Version - 5.10 04/05/28
Trusted Extensions uses SCCS keywords for the version number and the date. For details, see the sccs(1) man page.
VERSION= Sun Microsystems, Inc. Example Version - %I% %E%
In the CLASSIFICATIONS section, supply the long name, short name, and numeric value for the new classification.
name= NEW_CLASS; sname= N; value= 2;
Add the new classification to the ACCREDITATION RANGE section.
The following example shows three new classifications added to the ACCREDITATION RANGE section. Each classification is specified with all compartment combinations valid.
ACCREDITATION RANGE:

classification= UNCLASSIFIED; all compartment combinations valid;

* i is new in this file
classification= INTERNAL_USE_ONLY; all compartment combinations valid;

* n is new in this file
classification= NEED_TO_KNOW; all compartment combinations valid;

classification= CONFIDENTIAL; all compartment combinations valid except:
c
c a
c b

classification= SECRET; only valid compartment combinations:
.
.
.

* r is new in this file
classification= REGISTERED; all compartment combinations valid;
You might need to make the new classification a minimum classification.
minimum clearance= u;
minimum sensitivity label= u;
minimum protect as classification= u;
Note - Make sure that you set a minimum clearance that is dominated by all the clearances that you plan to assign to users. Similarly, make sure that the minimum sensitivity label is dominated by all the minimum labels that you plan to assign to users.
You must be in the Security Administrator role in the global zone.
Use the Edit Encodings action. For details, see How to Create a label_encodings File.
In the CLASSIFICATIONS section, specify compartments as part of the classification definition.
CLASSIFICATIONS:
name= PUBLIC; sname= P; value= 1;
name= WEB COMPANY; sname= WEBCO; value= 2; initial compartments= 4-5 ;
Assign an initial compartment bit to the word.
name= DIVISION ONLY; sname= DO; minclass= IUO; compartments= 4-5;
name= WEBC AMERICA; sname= WEBCA; minclass= IUO; compartments= 4;
name= WEBC WORLD; sname= WEBCW; minclass= IUO; compartments= 5;
Inverse words are created by preceding an initial compartment with a tilde (~).
name= DIVISION ONLY; sname= DO; minclass= IUO; compartments= 4-5;
name= WEBC AMERICA; sname= WEBCA; minclass= IUO; compartments= ~4;
name= WEBC WORLD; sname= WEBCW; minclass= IUO; compartments= ~5;
For any compartment bits that are not reserved for later assignment, you need to assign a word to the bit in the following sections:
SENSITIVITY LABELS: WORDS:
INFORMATION LABELS: WORDS:
COMPARTMENTS: WORDS:
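To make the difference between default words and inverse words concrete, and to show the dominance check behind the note on minimum clearances above, here is an added example in Python. It is not code from Trusted Extensions and not the real label_encodings parser: it is a small model in which a classification's initial compartments switch bits on, a word with a normal bit number requires that bit to be 1, and a word with a tilde (inverse) bit requires that bit to be 0. The classification and word names are taken from the examples on this page; the bit semantics are an assumption made for illustration.

```python
# Added example (not Trusted Extensions code): a toy model of how initial
# compartments, default words and inverse (~) words combine into a label's
# compartment bitmask, plus the dominance check used for the minimum
# clearance rule. The bit semantics are an assumption for illustration.
from dataclasses import dataclass


def parse_compartments(spec):
    """Parse a 'compartments=' value such as '4-5', '4' or '~4' into a pair
    (must_set, must_clear) of bitmasks. A '~' prefix marks an inverse bit,
    which must be 0 for the word to be present in a label."""
    must_set = must_clear = 0
    for token in spec.split():
        inverse = token.startswith("~")
        lo, _, hi = token.lstrip("~").partition("-")
        for bit in range(int(lo), int(hi or lo) + 1):
            if inverse:
                must_clear |= 1 << bit
            else:
                must_set |= 1 << bit
    return must_set, must_clear


@dataclass(frozen=True)
class Classification:
    name: str
    sname: str
    value: int
    initial: int = 0  # bits switched on when the classification has no words


@dataclass(frozen=True)
class Word:
    name: str
    sname: str
    compartments: str  # the raw 'compartments=' value


@dataclass(frozen=True)
class Label:
    classification: Classification
    bits: int  # compartment bitmask


def encode(classification, words, vocabulary):
    """Start from the classification's initial compartments, then apply each
    word by short name: normal bits are switched on, inverse bits off."""
    bits = classification.initial
    for sname in words:
        must_set, must_clear = parse_compartments(vocabulary[sname].compartments)
        bits = (bits | must_set) & ~must_clear
    return Label(classification, bits)


def words_in(label, vocabulary):
    """Short names of the words whose bit pattern the label satisfies."""
    present = []
    for word in vocabulary.values():
        must_set, must_clear = parse_compartments(word.compartments)
        if label.bits & must_set == must_set and label.bits & must_clear == 0:
            present.append(word.sname)
    return present


def dominates(a, b):
    """a dominates b when its classification is at least as high and its
    compartment bits are a superset of b's."""
    return (a.classification.value >= b.classification.value
            and a.bits & b.bits == b.bits)


def minimum_clearance_ok(minimum, user_clearances):
    """The rule from the note above: every clearance you plan to assign to
    a user must dominate the minimum clearance in the ACCREDITATION RANGE."""
    return all(dominates(c, minimum) for c in user_clearances)


# Constructed from this page's examples.
PUBLIC = Classification("PUBLIC", "P", 1)
WEBCO = Classification("WEB COMPANY", "WEBCO", 2, parse_compartments("4-5")[0])

# Default words: their bits are in WEBCO's initial compartments, so they
# appear on a plain WEBCO label without being named.
DEFAULT_WORDS = {
    "DO": Word("DIVISION ONLY", "DO", "4-5"),
    "WEBCA": Word("WEBC AMERICA", "WEBCA", "4"),
    "WEBCW": Word("WEBC WORLD", "WEBCW", "5"),
}

# Inverse words: naming WEBCA or WEBCW switches an initial bit off.
INVERSE_WORDS = {
    "DO": Word("DIVISION ONLY", "DO", "4-5"),
    "WEBCA": Word("WEBC AMERICA", "WEBCA", "~4"),
    "WEBCW": Word("WEBC WORLD", "WEBCW", "~5"),
}

if __name__ == "__main__":
    plain = encode(WEBCO, [], INVERSE_WORDS)
    america = encode(WEBCO, ["WEBCA"], INVERSE_WORDS)
    print(words_in(encode(WEBCO, [], DEFAULT_WORDS), DEFAULT_WORDS))
    print(words_in(plain, INVERSE_WORDS), words_in(america, INVERSE_WORDS))
    print(dominates(plain, america), dominates(america, plain))
    print(minimum_clearance_ok(Label(PUBLIC, 0), [plain, america]))
```

With the default-word vocabulary a plain WEBCO label already carries all three words; with the inverse vocabulary it carries only DO, and naming WEBCA clears bit 4 so the resulting label is dominated by the plain one. The last call models the note's requirement: a minimum clearance of PUBLIC with no compartments is dominated by every WEBCO clearance, whereas choosing the plain WEBCO label as the minimum would reject a user whose clearance is WEBCO WEBCA.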
Certain labels must always be present in a label_encodings file:
One sensitivity label in the user accreditation range must be defined
One clearance in the user accreditation range must be defined
One information label in the user accreditation range must be defined
You must be in the Security Administrator role in the global zone.
Use the Edit Encodings action. For details, see How to Create a label_encodings File. Provide a name that is different from the installed label_encodings file.
For example, you could set up an encodings file with the INTERNAL_USE_ONLY classification, and specify no words.
VERSION= Single-Label Encodings
.
.
.
CLASSIFICATIONS:
name= INTERNAL_USE_ONLY; sname= INTERNAL; value= 5;

INFORMATION LABELS:
WORDS:

SENSITIVITY LABELS:
WORDS:

CLEARANCES:
WORDS:

CHANNELS:
WORDS:

PRINTER BANNERS:
WORDS:
The following example encodes the INTERNAL classification.
ACCREDITATION RANGE:
classification= INTERNAL; only valid compartment combinations:
INTERNAL
minimum clearance= INTERNAL;
minimum sensitivity label= INTERNAL;
minimum protect as classification= INTERNAL;
For details, see Chapter 5, Customizing LOCAL DEFINITIONS.
Example 3-8 Defining the Accreditation Range in a Single-Label Encodings File
The following example shows the settings in the ACCREDITATION RANGE: section. A single ANY_CLASS classification is defined. The compartment words A, B, and REL CNTRY1 are specified for all types of labels.
ACCREDITATION RANGE:
classification= ANY_CLASS; only valid compartment combinations:
ANY_CLASS A B REL CNTRY1
minimum clearance= ANY_CLASS A B REL CNTRY1;
minimum sensitivity label= ANY_CLASS A B REL CNTRY1;
minimum protect as classification= ANY_CLASS;
Example 3-9 Changing the Single Label Name
In this example, the label_encodings.example file is changed to handle a single-label company. The name= value is changed from SECRET to INTERNAL_USE_ONLY. The sname= value is changed from s to INTERNAL. Neither the value= nor the initial compartments= definition is changed.
CLASSIFICATIONS:
name= INTERNAL_USE_ONLY; sname= INTERNAL; value= 5; initial compartments= 4-5 190-239;
In the ACCREDITATION RANGE section, the short name of the classification is replaced. Also, the minimums are replaced with the new sname.
ACCREDITATION RANGE:
classification= INTERNAL; only valid compartment combinations:
INTERNAL
minimum clearance= INTERNAL;
minimum sensitivity label= INTERNAL;
minimum protect as classification= INTERNAL;
You must be in the Security Administrator role in the global zone. You must have an encodings file that does not have a LOCAL DEFINITIONS section.
Append the section from a Trusted Extensions-supplied label_encodings file. Trusted Extensions-supplied files are in the /etc/security/tsol directory.
For details, see Modifying Sun Extensions (Task Map).
You must be in the Security Administrator role in the global zone.
Use the Edit Encodings action. For details, see How to Create a label_encodings File.
The entries must exactly match the entries in the SENSITIVITY LABELS: WORDS: section.
Tip - Encode the sensitivity label words, then copy the words to the INFORMATION LABELS section.
This step ensures that no label is indistinguishable from the label ADMIN_HIGH.
This step ensures that all labels can be mapped to CIPSO labels.