Trusted Solaris Label Administration

Adding or Renaming a Classification

The security administrator role can replace classification names defined in the default demonstration label_encodings file, define new classification names, or create a new file with unique classifications.

Number of Classifications

The total number of classifications that can be defined at a site is 255.

Keywords Defined for Classifications

The following table shows the keywords that can be defined for classifications. Keywords that begin with an asterisk (*) are optional. See "Setting Default and Inverse Words" for more about how to set up optional initial compartments and markings that may be associated with classifications.

Table 2-2 Values for Classifications

| Value | Requirements |
|---|---|
| name= | Cannot contain (/) or (,) or (;). All other alphanumeric characters and white space are allowed. Users can enter either the name or the sname or the aname when specifying labels. |
| sname= | Required in classifications only. The short name appears in sensitivity labels (within brackets). |
| *aname= | Name used only for input by users. The alternate name can be entered by users any time a classification is needed. |
| value= | The values you assign should represent the actual hierarchy among the classifications and leave room for later expansion. 0 is reserved for ADMIN_LOW. Values can start at 1 and go to 255. |
| *initial compartments= | Specify bit numbers for any default compartment words (words that should initially appear in any label that has the associated classification). ADVANCED: Also specify bit numbers for any inverse words. Recommended: set aside initial compartments for later additions of inverse words (if your site uses inverse words) for all but the minimum classification. It is not recommended to have initial compartments or markings for the minimum classification. |
| *initial markings= | Used for information labels, which are not used in Trusted Solaris 7 and later releases. Do not define. |

Unless you are creating a set of encodings that must be compatible with another organization's label encodings, do not worry about which numbers to use for compartment bits. Keep track of the ones you use and their relations to each other.

The following example shows the top of the demonstration Trusted Solaris label_encodings file, with the CLASSIFICATIONS section.


Example 2-3 Trusted Solaris Demonstration label_encodings File (Top)


CLASSIFICATIONS:

*
name= UNCLASSIFIED;  sname= U;  value= 1;
name= CONFIDENTIAL;  sname= C;  value= 4; initial compartments= 4-5 190-239;
name= SECRET;        sname= S;  value= 5; initial compartments= 4-5 190-239;
name= TOP SECRET;    sname= TS; value= 6; initial compartments= 4-5 190-239;

Each classification defined in Example 2-3 has the mandatory name, sname, and value. The CONFIDENTIAL, SECRET, and TOP SECRET classifications have initial compartments, while UNCLASSIFIED has none.

The following table shows some initial compartments bit assignments and what they mean.

Table 2-3 Example Initial Compartments Bit Assignments and What They Mean

initial compartments= 4 5 100-227; 

Compartment bits 1, 5, and 100 through 239 are initially on (set to 1) in a label with this classification.

Some of the initial compartments shown in Example 2-3 are used later to define default and inverse words, and some are reserved for possible later definitions of inverse words.

The following example shows a simple set of classifications that have no initial compartments.


Example 2-4 Simple Classifications Defined Without Initial Compartments or Markings


CLASSIFICATIONS:

name= PUBLIC; sname= PUBLIC; value= 1;
name= INTERNAL_USE_ONLY; sname= INTERNAL; aname= INTERNAL; value= 4;
name= NEED_TO_KNOW; sname= NEED_TO_KNOW; aname= NEED_TO_KNOW; value= 5;
name= REGISTERED; sname= REGISTERED; aname= REGISTERED; value= 6;
initial compartments= 10;
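The rules in Table 2-2 can be checked mechanically before a file is installed. The following checker is an added example, not part of the Trusted Solaris documentation or tooling; the function names and the SAMPLE text are constructed for illustration, and treating lines that start with an asterisk as comments is an assumption based on the lone `*` line in Example 2-3.

```python
# Constructed sample: two valid entries (one with its initial compartments
# on a continuation line, as in Example 2-4) and one that breaks the rules.
SAMPLE = """\
CLASSIFICATIONS:
*
name= PUBLIC; sname= PUBLIC; value= 1;
name= REGISTERED; sname= REGISTERED; aname= REGISTERED; value= 6;
initial compartments= 4-5 10;
name= LAB/TEST; value= 0; initial markings= 3;
"""

def expand_bits(spec):
    """Expand a bit list such as '4-5 190-239' into a set of bit numbers."""
    bits = set()
    for part in spec.split():
        lo, _, hi = part.partition("-")
        bits.update(range(int(lo), int(hi or lo) + 1))
    return bits

def parse_classifications(text):
    """Split the section on ';' and start a new entry at every name= keyword."""
    body = " ".join(l for l in text.splitlines()
                    if not l.lstrip().startswith("*")  # assumed comment lines
                    and l.strip() != "CLASSIFICATIONS:")
    entries = []
    for item in body.split(";"):
        key, sep, val = item.partition("=")
        if not sep:
            continue
        if key.strip() == "name":
            entries.append({})
        if entries:
            entries[-1][key.strip()] = val.strip()
    return entries

def check(entries):
    """Apply the Table 2-2 requirements; return a list of problem strings."""
    problems = []
    if len(entries) > 255:
        problems.append("more than 255 classifications defined")
    for e in entries:
        name = e.get("name", "?")
        if "/" in name or "," in name:
            problems.append(f"{name}: name contains '/' or ','")
        if "sname" not in e:
            problems.append(f"{name}: sname is required")
        value = e.get("value", "")
        if not value.isdigit() or not 1 <= int(value) <= 255:
            problems.append(f"{name}: value must be 1-255 (0 is ADMIN_LOW)")
        if "initial markings" in e:
            problems.append(f"{name}: initial markings should not be defined")
        e["bits"] = expand_bits(e.get("initial compartments", ""))
    return problems
```
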

Setting Default and Inverse Words

When a bit is defined as an initial compartment or initial marking, the bit is 1 in every label that contains the classification. Any bit specified as an initial compartment can be defined later in the label_encodings file to create either a default word or an inverse word.

The following table summarizes the requirements for initial compartments values associated with classifications.

Table 2-4 Initial Compartments for Classifications

| Value | Requirements |
|---|---|
| *initial compartments= | Specify bit numbers for any default compartment words (words that should always appear in any label that has the associated classification). ADVANCED: Also specify bit numbers for any inverse words. Recommended: set aside initial compartments for later additions of inverse words. |

Unless the encodings must be compatible with those of another organization, do not worry about which numbers to use for compartment bits. Keep track of the ones you use and their relations to each other.

The following example shows the PUBLIC classification assigned no initial compartments while the SUN FEDERAL classification is assigned initial compartments 4 and 5.


Example 2-5 Simplified Assignment of Initial Compartments


name= PUBLIC;  sname= P;  value= 1;
name= SUN FEDERAL;  sname= SUNFED;  value= 4; initial compartments= 4-5;

With the bits assigned in Example 2-5, a label that includes the PUBLIC classification has no default compartments assigned, while a label that includes the SUN FEDERAL classification always has compartment bits 4 and 5 turned on. See the example below and the following text for how these initial compartment bits can be assigned to words.


Example 2-6 Example of Defining Default and Inverse SENSITIVITY LABELS Words


SENSITIVITY LABELS:

WORDS:

name= DIVISION ONLY;     sname= DO;    minclass=  SUN FEDERAL; compartments= 4-5;
name= SMCC AMERICA;     sname= SMCCA;  minclass= SUN FEDERAL; compartments= ~4;
name= SMCC WORLD;     sname= SMCCW;    minclass= SUN FEDERAL; compartments= ~5;

The example above shows WORDS defined in the SENSITIVITY LABELS section of the label_encodings file. Compartment bits 4 and 5 are assigned to the word DIVISION ONLY. Compartment bits 4 and 5 are each also associated with an inverse word: SMCC AMERICA is assigned to the inverse compartment bit ~4 and SMCC WORLD is assigned to the inverse compartment bit ~5. As a result, a sensitivity label with the SUN FEDERAL classification initially includes the word DIVISION ONLY, and its binary representation has compartment bits 4 and 5 turned on. A sensitivity label with the PUBLIC classification always has compartment bits 4 and 5 turned off, so the words SMCC AMERICA and SMCC WORLD are included in the label. Because a minclass of IUO is specified for the inverse words, SMCC AMERICA and SMCC WORLD are not displayed in the PUBLIC sensitivity label; the presence of these two inverse words is understood.
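The behaviour described above can be modelled in a few lines. This is an added example, not code from the Trusted Solaris documentation: it is a simplified model that uses the classification and word values from Examples 2-5 and 2-6, and the function name and the "displayed only at or above minclass" rule are assumptions drawn from the description above.

```python
# Classification value and initial compartment bits, from Example 2-5.
CLASSES = {"PUBLIC": (1, set()), "SUN FEDERAL": (4, {4, 5})}

# Words from Example 2-6:
# (sname, minclass, bits that must be on, bits that must be off).
# A "~N" compartment in the file is an inverse bit: the word applies
# when bit N is off.
WORDS = [
    ("DO",    "SUN FEDERAL", {4, 5}, set()),
    ("SMCCA", "SUN FEDERAL", set(),  {4}),
    ("SMCCW", "SUN FEDERAL", set(),  {5}),
]

def words_in_label(classification, turned_off=(), turned_on=()):
    """Return (present, displayed) word snames for a label.

    The label starts with the classification's initial compartments;
    turned_off / turned_on model later changes to individual bits.
    """
    value, initial = CLASSES[classification]
    bits = (set(initial) | set(turned_on)) - set(turned_off)
    present, displayed = [], []
    for sname, minclass, on, off in WORDS:
        # A word is present when all of its normal bits are on and
        # all of its inverse bits are off.
        if on <= bits and not (off & bits):
            present.append(sname)
            # Assumed display rule: hidden below the word's minclass.
            if value >= CLASSES[minclass][0]:
                displayed.append(sname)
    return present, displayed
```

Beyond the two cases the text walks through, `words_in_label("SUN FEDERAL", turned_off={4})` shows what happens when one default bit is cleared: DIVISION ONLY drops out and the inverse word SMCC AMERICA appears.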

For any compartment or marking bits not reserved for later assignment, remember that for every initial compartment bit specified, you need to assign a word to the bit in the SENSITIVITY LABELS: WORDS: and in the INFORMATION LABELS: WORDS: sections.