Trusted Solaris Label Administration

Chapter 2 Creating or Editing the Encodings File

This chapter describes the steps for preparing the label_encodings(4) file.

Readying the Label Encodings File Before the NIS+ Master or Standalone System is Configured

The overall process of configuring the label_encodings file is described below:

Labels-Related Files and Central Administration

After the NIS+ master is fully configured (with the master label_encodings file in place), the install team goes on to install the other hosts in the Trusted Solaris distributed system. The security administrator role should ensure that an identical copy of the label_encodings file is installed on every host. The label_encodings file is not administered by NIS+, so another means of distribution must be used. See "Distributing Changed Configuration Files to Hosts Across the Network " in "Miscellaneous Tasks and Procedures" in Trusted Solaris Administrator's Procedures for more information.

Actions for Editing and Checking the label_encodings File

The label_encodings file is a flat, text file. The maximum line length in the label_encodings file is 256 bytes. The file can be edited with any text editor. The file must be checked before installation by using the chk_encodings(1M) utility. The security administrator role uses one of the two actions shown in Table 2-1. The actions are in the System_Admin folder within the Application Manager.

Table 2-1 Administrative Actions for Editing the label_encodings File

Action Name: Edit Encodings
Purpose: Edits and checks the specified label_encodings file.

Action Name: Check Encodings
Purpose: Checks the specified label_encodings file. If the specified file is not the installed version, Check Encodings offers, after the check, the option of installing the checked file. It creates a backup of the installed label_encodings file before overwriting it, while preserving its required DAC attributes.


Note -

The label_encodings file may be created or edited on any system. However, it must be checked and tested on a host running the Trusted Solaris operating environment.


Hints

    Make a backup copy (on a tape or floppy disk) of the original file installed with the system. If modifying the file on an operational system, back up the current file.

    If your modifications create labels that cannot be resolved, you may have to manually reset labels to ADMIN_LOW before assigning the new labels from the modified file. Alternatively, you may wish to restore a known, usable label_encodings file from tape or floppy until problems with the new version are debugged. Backup copies are made using File Manager options.


Note -

The File Manager allows the security administrator role to restore ownership, group, and permissions on files. By default, the needed changes to maintain the correct file attributes cannot be made by using utilities on the command line.


    Code the file using any text editor, and save a hard copy when done.

    This procedure is detailed in "To Modify the label_encodings (4) File". As soon as possible after you are satisfied with the file, print it out, and keep a record.

    Check the syntax with the chk_encodings(1M) command.

    Check the syntax and relationships of the labels with the chk_encodings command and the -a option.

    Test the encodings file on a standalone test machine if possible before moving it to a working system.

    Place an identical copy of the label_encodings file on every machine.

Differences Between Single-label and Installed Label Encodings Files

The label_encodings.single file is almost identical to the multilabel version that is installed by default. The only differences are in the settings in the ACCREDITATION RANGE section, which defines which of the classifications and compartments are usable by ordinary users.

Multiple Sensitivity Labels Version

This section describes the ACCREDITATION RANGE settings in the default label_encodings file, as shown in the following example.


Example 2-1 ACCREDITATION RANGE Settings in the Default Multilabel Encodings File


ACCREDITATION RANGE: 
classification= u;   all compartment combinations valid;
classification= c;   all compartment combinations valid;
classification= s;   all compartment combinations valid;
classification= ts;   all compartment combinations valid;

minimum clearance= c; 
minimum sensitivity label= u; 
minimum protect as classification= u;

To allow the site to use all the classifications and compartment words defined elsewhere in the label_encodings.multi file, the following are defined in the ACCREDITATION RANGE section:

Single Sensitivity Label Version

This section describes the ACCREDITATION RANGE settings in the default label_encodings file, as shown in the following example.


Example 2-2 ACCREDITATION RANGE Settings in the Default Single-label Encodings File


ACCREDITATION RANGE:  classification= s;
only valid compartment combinations:  s a b rel cntry1
minimum clearance= s Able Baker NATIONALITY: CNTRY1;
minimum sensitivity label= s A B REL CNTRY1;
minimum protect as classification= s;

The label_encodings.single file restricts the user ACCREDITATION RANGE in the ACCREDITATION RANGE section:

An easy way to run with a single sensitivity label is to change only the ACCREDITATION RANGE section in the label_encodings.single file. Alternately, you can create an encodings file from scratch with only one classification and with either no compartments or with only the compartments you need. See "To Replace the Single Label in the Default Single-label Encodings File" for guidelines for both approaches.

Changing the label_encodings File After System Start Up

After the Trusted Solaris system is fully configured and running, the security administrator role can later modify the label_encodings(4) file. See the man page for what to avoid and for how to safely make other changes.

Running Without Labels

An organization may not want non-administrative users to see labels or be aware of mandatory access controls. By following the steps in "To Set Up No Labels Operation", the security administrator role can configure what appears to be a no labels operation, so that all normal users work in an environment that is visually almost the same as working in the Solaris environment with the CDE window system.

Even if non-administrative users do not see labels, certain labels must always be present:


Note -

Even though Trusted Solaris 7 does not use information labels, the label_encodings file cannot pass chk_encodings(1M) unless it has information labels defined. To fulfill this software requirement, copy the words defined in the SENSITIVITY LABELS: WORDS: section to the INFORMATION LABELS: WORDS: section.


Word Order Requirements

The order in which words are configured is not enforced, but it is important when setting up relationships between words. See "Specifying CHANNELS" in Chapter 3, Specifying Labels and Handling Guidelines for Printer Output, for examples of how the order affects how words must be encoded. See also the DIA Label Encodings Format manual referenced in the Preface.

By convention, the WORDS in the SENSITIVITY LABELS section are arranged in increasing order of importance.

Label Encodings File Template

The label_encodings file has the following sections:

Adding or Renaming a Classification

The security administrator role can replace classification names defined in the default demonstration label_encodings file, define new classification names, or create a new file with unique classifications.

Number of Classifications

The total number of classifications that can be defined at a site is 255.

Keywords Defined for Classifications

The following table shows the keywords that can be defined for classifications. Keywords that begin with an asterisk (*) are optional. See "Setting Default and Inverse Words" for more about how to set up optional initial compartments and markings that may be associated with classifications.

Table 2-2 Values for Classifications

Value: name=
Requirements: Cannot contain a slash (/), a comma (,), or a semicolon (;). All other alphanumeric characters and white space are allowed. Users can enter the name, the sname, or the aname when specifying labels.

Value: sname=
Requirements: Required in classifications only. The short name appears in sensitivity labels (within brackets).

Value: *aname=
Requirements: Name used only for input by users. The alternate name can be entered by users any time a classification is needed.

Value: value=
Requirements: The values you assign should represent the actual hierarchy among the classifications and leave room for later expansion. 0 is reserved for ADMIN_LOW. Values can start at 1 and go to 255.

Value: *initial compartments=
Requirements: Specify bit numbers for any default compartment words (words that should initially appear in any label that has the associated classification).

ADVANCED: Also specify bit numbers for any inverse words. Recommended: set aside initial compartments for later additions of inverse words (if your site uses inverse words) for all but the minimum classification. It is not recommended to have initial compartments or markings for the minimum classification.

Value: *initial markings=
Requirements: Used for information labels, which are not used in Trusted Solaris 7 and later releases. Do not define.

Unless you are creating a set of encodings that must be compatible with another organization's label encodings, do not worry about which numbers to use for compartment bits. Keep track of the ones you use and their relations to each other.

The following example shows the top of the demonstration Trusted Solaris label_encodings file, with the CLASSIFICATIONS section.


Example 2-3 Trusted Solaris Demonstration label_encodings File (Top)


CLASSIFICATIONS:

*
name= UNCLASSIFIED;  sname= U;  value= 1;
name= CONFIDENTIAL;  sname= C;  value= 4; initial compartments= 4-5 190-239;
name= SECRET;        sname= S;  value= 5; initial compartments= 4-5 190-239;
name= TOP SECRET;    sname= TS; value= 6; initial compartments= 4-5 190-239;

Each classification defined in Example 2-3 has the mandatory name, sname, and value. The CONFIDENTIAL, SECRET, and TOP SECRET classifications have initial compartments, while UNCLASSIFIED has none.

The following table shows some initial compartments bit assignments and what they mean.

Table 2-3 Example Initial Compartments Bit Assignments and What They Mean

Assignment: initial compartments= 4 5 100-227;
Meaning: compartment bits 1, 5, and 100 through 239 are initially on (set to 1) in a label with this classification.

Some of the initial compartments shown in Example 2-3 are used later to define default and inverse words, and some are reserved for possible later definitions of inverse words.

The following example shows a simple set of classifications that have no initial compartments.


Example 2-4 Simple Classifications Defined Without Initial Compartments or Markings


CLASSIFICATIONS:

name= PUBLIC; sname= PUBLIC; value= 1;
name= INTERNAL_USE_ONLY; sname= INTERNAL; aname= INTERNAL; value= 4;
name= NEED_TO_KNOW; sname= NEED_TO_KNOW; aname= NEED_TO_KNOW; value= 5;
name= REGISTERED; sname= REGISTERED; aname= REGISTERED; value= 6;
initial compartments= 10;

Setting Default and Inverse Words

When a bit is defined as either an initial compartment or initial marking, that means that the bit is 1 in every label that contains the classification. Any bit specified for an initial compartment can be defined later in the label_encodings file so as to create either a default word or an inverse word.

The following table summarizes the requirements for initial compartments values associated with classifications.

Table 2-4 Initial Compartments for Classifications

Value 

Requirements 

*initial compartments= 

Specify bit numbers for any default compartment words (words that should always appear in any label that has the associated classification). 

ADVANCED: Also specify bit numbers for any inverse words. Recommended: set aside initial compartments for later additions of inverse words. 

Unless the encodings must be compatible with those of another organization, do not worry about which numbers to use for compartment bits. Keep track of the ones you use and their relations to each other.

The following example shows the PUBLIC classification assigned no initial compartments while the SUN FEDERAL classification is assigned initial compartments 4 and 5.


Example 2-5 Simplified Assignment of Initial Compartments


name= PUBLIC;  sname= P;  value= 1;
name= SUN FEDERAL;  sname= SUNFED;  value= 4; initial compartments= 4-5;

With the bits assigned in Example 2-5, a label that includes the PUBLIC classification has no default compartments assigned, while a label that includes the SUN FEDERAL classification always has compartment bits 4 and 5 turned on. See the example below and the following text for how these initial compartment bits can be assigned to words.


Example 2-6 Example of Defining Default and Inverse SENSITIVITY LABELS Words


SENSITIVITY LABELS:

WORDS:

name= DIVISION ONLY;     sname= DO;    minclass=  SUN FEDERAL; compartments= 4-5;
name= SMCC AMERICA;     sname= SMCCA;  minclass= SUN FEDERAL; compartments= ~4;
name= SMCC WORLD;     sname= SMCCW;    minclass= SUN FEDERAL; compartments= ~5;

The example above shows WORDS defined in the SENSITIVITY LABELS section of the label_encodings file. Compartment bits 4 and 5 are assigned to the word DIVISION ONLY. Each of compartment bits 4 and 5 is also associated with an inverse word: SMCC AMERICA is assigned to the inverse compartment bit ~4, and SMCC WORLD is assigned to the inverse compartment bit ~5. As a result, a sensitivity label with the SUN FEDERAL classification initially includes the word DIVISION ONLY, and its binary representation has compartment bits 4 and 5 turned on. A sensitivity label with the PUBLIC classification always has compartment bits 4 and 5 turned off, so the words SMCC AMERICA and SMCC WORLD are included in that label. Because a minclass of IUO is specified for the inverse words, SMCC AMERICA and SMCC WORLD are not displayed in the PUBLIC sensitivity label; the presence of these two inverse words is understood.

For any compartment or marking bits not reserved for later assignment, remember that for every initial compartment bit specified, you need to assign a word to the bit in both the SENSITIVITY LABELS: WORDS: section and the INFORMATION LABELS: WORDS: section.

Setting Up Single-label Operation

You can use or modify the default example single-label file (/etc/security/tsol/label_encodings.single), copy the /etc/security/tsol/label_encodings.simple file manually from Appendix A, or create an encodings file with one classification and any number of compartments. The following example shows the settings in the ACCREDITATION RANGE: section with a single ANY_CLASS classification defined and the compartment words A, B, and REL CNTRY 1 specified for all types of labels.


Example 2-7 ACCREDITATION RANGE Setting to Restrict Operations to a Single Label


ACCREDITATION RANGE:

classification= ANY_CLASS;      only valid compartment combinations:

ANY_CLASS A B REL CNTRY1

minimum clearance= ANY_CLASS A B REL CNTRY1;
minimum sensitivity label= ANY_CLASS A B REL CNTRY1;
minimum protect as classification= ANY_CLASS;

Any of these ways of creating single-label operation also require supporting procedures described in "To Configure Labels Not Visible to Users".
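The following is an added illustration, not Trusted Solaris code and not a substitute for chk_encodings(1M): a small Python checker that models the three ACCREDITATION RANGE forms used in Examples 2-1, 2-2 and 2-7 ("all compartment combinations valid", "... valid except:" followed by excluded labels, and "only valid compartment combinations:" followed by the permitted labels) and decides whether a user label written in snames falls inside the range. The function names and the sample section are constructed here; labels are compared as sets of words, so word order does not matter.

```python
# Toy checker for the ACCREDITATION RANGE section of a label_encodings file.
# Added illustration only; the real check is chk_encodings(1M).

# Constructed sample that uses all three rule forms on one classification list.
SAMPLE = """
ACCREDITATION RANGE:
classification= u;   all compartment combinations valid;
classification= c;   all compartment combinations valid except:
c a
c b
classification= s;   only valid compartment combinations:  s a b rel cntry1
s a b

minimum clearance= c;
minimum sensitivity label= u;
minimum protect as classification= u;
"""

# (rule text as it appears in the file, lower-cased) -> mode.
# The longer "except" form is listed first so it is matched before "all".
RULES = (("all compartment combinations valid except", "except"),
         ("only valid compartment combinations", "only"),
         ("all compartment combinations valid", "all"))


def label_key(text):
    """'s A B rel cntry1' -> ('S', frozenset({'A', 'B', 'REL', 'CNTRY1'}))."""
    toks = text.upper().split()
    return toks[0], frozenset(toks[1:])


def parse_accreditation_range(text):
    """Return (ranges, minimums): ranges maps a classification sname to
    (mode, set of label keys); minimums maps 'minimum clearance' etc. to
    a label key."""
    ranges, minimums = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.strip().rstrip(";").strip()
        if not line or line.startswith("*") or line.endswith("RANGE:"):
            continue                      # blank, comment, or section header
        if line.lower().startswith("classification="):
            name, _, rule = line[len("classification="):].partition(";")
            rule = rule.strip().lower()
            for prefix, mode in RULES:
                if rule.startswith(prefix):
                    break
            else:
                raise ValueError("unknown rule: " + rule)
            current = name.strip().upper()
            ranges[current] = (mode, set())
            # "only ..." may carry its first label on the same line
            trailing = rule[len(prefix):].lstrip(": ").strip()
            if trailing:
                ranges[current][1].add(label_key(trailing))
        elif line.lower().startswith("minimum "):
            key, _, val = line.partition("=")
            minimums[key.strip().lower()] = label_key(val)
        elif current is not None:
            ranges[current][1].add(label_key(line))   # listed label line
    return ranges, minimums


def in_accreditation_range(label, ranges):
    """True if the label (classification sname + compartment snames) is
    usable by ordinary users under the parsed ACCREDITATION RANGE."""
    cls, comps = label_key(label)
    if cls not in ranges:
        return False                      # classification not listed at all
    mode, listed = ranges[cls]
    if mode == "all":
        return True
    if mode == "except":
        return (cls, comps) not in listed
    return (cls, comps) in listed         # mode == "only"


if __name__ == "__main__":
    ranges, minimums = parse_accreditation_range(SAMPLE)
    for lbl in ("u a b", "c a", "c b a", "s rel cntry1 a b", "s a", "ts"):
        print(lbl, "->", in_accreditation_range(lbl, ranges))
```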

Label_encodings-related Procedures

To Modify the label_encodings (4) File


Caution -

Modifying the label_encodings file can safely be done at the time the host is installed. If a need arises where an operational file needs to be changed, proceed with caution. Review the caveats described in the label_encodings(4) file.


  1. Assume the security administrator role in an ADMIN_LOW workspace.

  2. Open a new or existing version of the label_encodings file.

    1. If creating a new version of the label_encodings file, use any text editor to create the file or use the Edit Encodings action.

      The Edit Encodings action both edits and runs chk_encodings(1M) on the file.


      Note -

      If creating a new file from scratch, make sure to include all the sections shown in "Label Encodings File Template" or copy and modify the example in Appendix A, Example: Label Encodings File.



      Note -

      chk_encodings(1M) can be entered on the command line with the -a option to analyze and report on relationships between labels.


    2. When a new version is ready to install, use the Check Encodings action to open and check the file.

      The Check Encodings action runs chk_encodings(1M) on the specified file, and if the file passes the check, the action asks whether you want to overwrite the currently-installed label_encodings file. If the answer is yes, the action creates a backup copy (naming it label_encodings.orig), and overwrites the installed version.


      Note -

      By default, both the security administrator and root roles have the Check Encodings action. The root role uses the action to install the label_encodings file when configuring the system after installation.


    3. If you are installing a new label_encodings, answer affirmatively when prompted.


      Do you want to install this label_encodings file?

  3. Restart the Window Manager from the Workspace Menu to initialize the new encodings file.

  4. On a distributed system of Trusted Solaris hosts, distribute a copy of the label_encodings file from the NIS+ master to the /etc/security/tsol directory on all hosts in the system.

    See "To Copy the label_encodings File to a Floppy Disk" for how to copy the file to a floppy disk for manual distribution of the modified file. See "Distributing Changed Configuration Files to Hosts Across the Network " in "Miscellaneous Tasks and Procedures" in Trusted Solaris Administrator's Procedures for how to use the rdist(1) command to distribute a file that is modified after the system is operational.

To Copy the label_encodings File to a Floppy Disk

  1. Assume the security administrator role in an ADMIN_LOW workspace.

  2. Allocate the floppy device at ADMIN_LOW.

    1. Highlight the name of the floppy device.

    2. Move the device to the Allocated Devices list.

    3. In the Update With field, type in ADMIN_LOW.

    4. Click OK.

  3. Double-click the File Manager icon in the Front Panel.

  4. Using the File Manager, navigate to the folder that contains the label_encodings file.


    Note -

    Give another name to the version of the label_encodings file to be copied. For compatibility with the PC file systems on most floppy disks, use a name with fewer than eight characters and without a dot (.) in the name. (A string after a dot in a PC file's name is treated as the suffix that indicates the file's type, like .doc.)


  5. Choose Open Floppy from the File menu.

  6. Highlight the icon for the file.

  7. Drag the file to the floppy disk folder.

  8. On the floppy disk folder, choose Eject from the File menu.

To Copy the label_encodings File from a Floppy Disk

  1. Assume the security administrator role in an ADMIN_LOW workspace.

  2. Allocate the floppy device at ADMIN_LOW.

    1. Highlight the name of the floppy device.

    2. Move the device to the Allocated Devices list.

    3. In the Update With field, type in ADMIN_LOW.

    4. Click OK.

  3. Double-click the File Manager icon in the Front Panel.

  4. Using the File Manager, navigate to the desired destination directory.

  5. Choose Open Floppy from the File menu.

    The floppy disk folder displays.

  6. Highlight the icon for the label_encodings file.

  7. Drag the file from the floppy disk folder to the desired destination directory.

    If dragging the file to the /etc/security/tsol folder, make sure the file being dragged is not named label_encodings. Otherwise, by dropping the file, you will be attempting to overwrite the existing label_encodings file. Instead, copy the file onto the host, and then use the Check Encodings action to install the file, as described in "To Modify the label_encodings (4) File".

  8. On the floppy disk folder, choose Eject from the File menu.

  9. Initialize the new encodings file.

    Restart the Window Manager from the Workspace Menu.

To Add Sun Extensions to a Pre-Existing Label Encodings File

  1. Copy the LOCAL DEFINITIONS sections from one of the default label_encodings files in /etc/security/tsol and append the section to your site's existing file.

    See "To Modify the label_encodings (4) File", if needed, for how to edit and check the file.

  2. Modify the definitions to suit your site's security policy.

    See Chapter 4, Modifying Sun's Extensions in the Local Definitions Section for how to configure the extensions.

  3. Check the file using the Check Encodings action.

  4. When prompted by the Check Encodings action, install the modified version of the label_encodings file.

To Set Up No Labels Operation

The install team should do the following:

  1. Change or accept the name of the single label in the label_encodings.single.

    See "To Replace the Single Label in the Default Single-label Encodings File".

  2. When setting up user accounts in the User Manager, restrict the user to single-label operation.

    The example uses the label PUBLIC.

    1. Configure the user's clearance and initial (minimum) label to equal the only encoded label.


      Clearance: PUBLIC 
      Minimum Label: PUBLIC
    2. Configure sensitivity labels to be hidden.


      SL: Hide

To Add or Rename a Classification in the Default label_encodings File

  1. In the security administrator role in an ADMIN_LOW workspace, open the label_encodings file for editing.

    See "To Modify the label_encodings (4) File", if needed.

  2. In the VERSION= section put your site's name, a title for the file, a version number and the date.


    VERSION= Sun Microsystems, Inc. Example Version - 5.8 97/05/28

    Sun uses SCCS keywords for the version number and the date. (See the sccs(1) man page, if needed, for more about SCCS.)


    VERSION= Sun Microsystems, Inc. Example Version - %I% %E%
  3. In the CLASSIFICATIONS section, supply the long name, short name, and numeric value for the new classification.


    name= NEW_CLASS; sname= N; value= 2; 
  4. Add the new classification(s) to the ACCREDITATION RANGE section.

    The following example shows the three new classifications added to the ACCREDITATION RANGE section of the demonstration file. All three (INTERNAL_USE_ONLY, NEED_TO_KNOW, and REGISTERED) are specified with all compartment combinations valid.


    ACCREDITATION RANGE:
    
    classification= UNCLASSIFIED;        all compartment combinations valid;
    
    * i is new in this file
    classification= INTERNAL_USE_ONLY;   all compartment combinations valid;
    
    * n is new in this file
    classification= NEED_TO_KNOW;        all compartment combinations valid;
    
    classification= CONFIDENTIAL;        all compartment combinations valid except:
    c
    c a
    c b
    
    classification= SECRET;               only valid compartment combinations:
    . . .
    * r is new in this file
    classification= REGISTERED;           all compartment combinations valid;
  5. Adjust the minimums specified in the ACCREDITATION RANGE section if necessary.


    minimum clearance= u; 
    minimum sensitivity label= u; 
    minimum protect as classification= u;
  6. If you are done, save and quit the file.

  7. If you want to install the file, use the Check Encodings action and answer yes when asked if you want to install the new version of the file.

To Specify Default and Inverse Words

  1. In the security administrator role in an ADMIN_LOW shell, open the file for editing.

    See "To Modify the label_encodings (4) File" if needed.

  2. Specify initial compartments and/or initial markings in the CLASSIFICATIONS section when defining the classification.


    CLASSIFICATIONS:
    name= PUBLIC;  sname= P;  value= 1;
    name= SUN FEDERAL;  sname= SUNFED;  value= 2; initial compartments= 4-5 ;
  3. Specify a default word by assigning an initial compartment or initial marking bit to the word.


    name= DIVISION ONLY;  sname= DO;  minclass=  IUO; compartments= 4-5; 
    
    name= SMCC AMERICA;  sname= SMCCA; minclass= IUO; compartments= 4;  
    
    name= SMCC WORLD;  sname= SMCCW; minclass= IUO; compartments= 5;  
  4. Specify an inverse word by assigning an initial compartment preceded by a tilde (~) to the word.


    name= DIVISION ONLY;  sname= DO;  minclass=  IUO; compartments= 4-5; 
    
    name= SMCC AMERICA;  sname= SMCCA; minclass= IUO; compartments= ~4;  
    
    name= SMCC WORLD;  sname= SMCCW; minclass= IUO; compartments= ~5;  
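As an added illustration (not Trusted Solaris code), the Python model below reproduces the default and inverse word behaviour described for Examples 2-5 and 2-6 and in the procedure above: it parses the CLASSIFICATIONS and SENSITIVITY LABELS: WORDS: entries, sets a label's initial compartment bits from its classification, and reports which words are present in the label and which of those are displayed given each word's minclass. The function names and the pasted-together sample are constructed here; the sample uses the minclass of SUN FEDERAL from Example 2-6 so that every minclass refers to a defined classification.

```python
# Toy model of initial compartments and default/inverse SENSITIVITY LABELS
# words. Added illustration only; it is not Trusted Solaris code.

# Constructed sample: the CLASSIFICATIONS lines of Example 2-5 and the WORDS
# lines of Example 2-6, with a ";" terminating every field.
SAMPLE = """
CLASSIFICATIONS:
name= PUBLIC;  sname= P;  value= 1;
name= SUN FEDERAL;  sname= SUNFED;  value= 4; initial compartments= 4-5;

SENSITIVITY LABELS:
WORDS:
name= DIVISION ONLY;  sname= DO;    minclass= SUN FEDERAL; compartments= 4-5;
name= SMCC AMERICA;   sname= SMCCA; minclass= SUN FEDERAL; compartments= ~4;
name= SMCC WORLD;     sname= SMCCW; minclass= SUN FEDERAL; compartments= ~5;
"""


def parse_fields(line):
    """'name= X; value= 1;' -> {'name': 'X', 'value': '1'} (keys lower-cased)."""
    fields = {}
    for part in line.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            fields[key.strip().lower()] = val.strip()
    return fields


def parse_bits(spec):
    """'4-5 190-239 ~7' -> (bits that must be on, bits that must be off)."""
    on, off = set(), set()
    for tok in spec.split():
        target = off if tok.startswith("~") else on    # "~" marks an inverse bit
        lo, _, hi = tok.lstrip("~").partition("-")
        target.update(range(int(lo), int(hi or lo) + 1))
    return on, off


def parse_encodings(text):
    """Return ({classification name: {'value', 'initial'}}, [word dicts])."""
    classes, words, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):          # blank or comment line
            continue
        if line.endswith(":") and "=" not in line:    # section header
            section = line[:-1].upper()
            continue
        f = parse_fields(line)
        if section == "CLASSIFICATIONS":
            initial, _ = parse_bits(f.get("initial compartments", ""))
            classes[f["name"]] = {"value": int(f["value"]), "initial": initial}
        elif section == "WORDS":
            on, off = parse_bits(f["compartments"])
            words.append({"name": f["name"], "minclass": f["minclass"],
                          "on": on, "off": off})
    return classes, words


def label_words(classname, classes, words, visible_only=True):
    """Words in a label that has this classification and only its initial
    compartment bits set. A default word needs all of its bits on; an
    inverse word needs its ~bits off. A word whose minclass is higher than
    the label's classification is present but not displayed. Every minclass
    must name a defined classification."""
    cls = classes[classname]
    bits = cls["initial"]
    present, shown = [], []
    for w in words:
        if w["on"] <= bits and not (w["off"] & bits):
            present.append(w["name"])
            if classes[w["minclass"]]["value"] <= cls["value"]:
                shown.append(w["name"])
    return shown if visible_only else present


if __name__ == "__main__":
    classes, words = parse_encodings(SAMPLE)
    for name in classes:
        print(name, "displayed:", label_words(name, classes, words),
              "present:", label_words(name, classes, words, False))
```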

To Replace the Single Label in the Default Single-label Encodings File

  1. In the security administrator role in an ADMIN_LOW workspace, open the /etc/security/tsol/label_encodings.single file for editing.

    See "To Modify the label_encodings (4) File" if needed.

  2. Replace the classification name with an alternate name.

    1. Under the CLASSIFICATIONS: section, change the name SECRET to an alternate name suitable for your site.

      In the example, the name= value is changed from SECRET to INTERNAL_USE_ONLY and the sname= value is changed from s to INTERNAL. For simplicity's sake, neither the value= nor the initial compartments= definitions are changed.


      CLASSIFICATIONS:
      name= INTERNAL_USE_ONLY;  sname= INTERNAL;  value= 5; initial compartments= 4-5 190-239;
    2. Under ACCREDITATION RANGE, replace the short name of the classification (S) with the new sname.


      ACCREDITATION RANGE:
      
      classification= INTERNAL;      only valid compartment combinations:
      
      INTERNAL a b rel cntry1
  3. If desired, delete the compartments a b rel cntry1 from the accreditation range.


    ACCREDITATION RANGE:
    
    classification= INTERNAL;    only valid compartment combinations:
    
    INTERNAL 
  4. If appropriate, under ACCREDITATION RANGE, replace the definitions for minimum clearance, minimum sensitivity label, and minimum protect as classification with the new sname.


    ACCREDITATION RANGE:
    
    classification= INTERNAL;      only valid compartment combinations:
    
    INTERNAL
    
    minimum clearance= INTERNAL;
    minimum sensitivity label= INTERNAL;
    minimum protect as classification= INTERNAL;

To Make Your Own Single-label Encodings File

  1. In the security administrator role in an ADMIN_LOW workspace, open the label_encodings file for editing.

    See "To Modify the label_encodings (4) File" if needed.

  2. Create an encodings file with only one classification and only the desired compartments.

    For example, you could set up a label_encodings file with the INTERNAL_USE_ONLY classification, and specify no words.


    VERSION= Single-label Encodings
    
    . . .
    CLASSIFICATIONS:
    
    name= INTERNAL_USE_ONLY;    sname= INTERNAL;  value= 5;
    
    INFORMATION LABELS:
    
    WORDS:
    
    SENSITIVITY LABELS:
    
    WORDS:
    
    CLEARANCES:
    
    WORDS:
    
    CHANNELS:
    
    WORDS:
    
    PRINTER BANNERS:
    
    WORDS:
  3. In the ACCREDITATION RANGE section, include only one classification and one valid compartment combination.

    Make the settings in the ACCREDITATION RANGE section shown in the example using your own classification, and your own compartment words, if any.


    ACCREDITATION RANGE:
    
    classification= INTERNAL;
    only valid compartment combinations:
    
    INTERNAL
    
    minimum clearance= INTERNAL;
    minimum sensitivity label= INTERNAL;
    minimum protect as classification= INTERNAL;
  4. Encode the LOCAL DEFINITIONS section as described in Chapter 4, Modifying Sun's Extensions in the Local Definitions Section, making sure to set the system default label view to External.

  5. Configure labels not visible to users.

    See "To Configure Labels Not Visible to Users".

To Configure Labels Not Visible to Users

  1. When setting up user accounts using the User Manager, configure users to not see labels and to have only a single label in their label ranges.

    1. Set the default label view to External.

    2. Choose Yes from the Hide SLs menu.

  2. Specify the account's Clearance equal to its Minimum SL.

    With a single clearance and sensitivity label of INTERNAL_USE_ONLY, you would set the Clearance and the Minimum Label to INTERNAL_USE_ONLY.