test

Trusted Solaris Label Administration

Chapter 4 Modifying Sun's Extensions in the Local Definitions Section

This chapter describes what the security administrator role needs to know to define the values in the LOCAL DEFINITIONS section of the label_encodings(4) file. This chapter includes these topics:

This chapter includes these procedures:

Default LOCAL DEFINITIONS Section

Trusted Solaris requires additional keywords beyond those defined in the government-furnished Compartmented Mode Workstation Labeling: Encodings Format. The following example shows the LOCAL DEFINITIONS section of the default label_encodings file.

Example 4-1 LOCAL DEFINITIONS section of label_encodings file


LOCAL DEFINITIONS:
*
*	The names for the administrative high and low name are set to
*	site_high and site_low respectively by the example commands below.
*
*	NOTE:	  Use of these options could lead to interoperability problems
*		with machines that do not have the same alternate names.
*
*Admin Low Name=  site_low;
*Admin High Name= site_high;

default flags= 0x0;
forced flags= 0x0;

Default Label View is External;
Float Process Information Label;

Classification Name= Class;
Compartments Name= Comps;
Markings Name= Marks;

COLOR NAMES:

	label= Admin_Low;	color= #bdbdbd;

	label= u;	color= green;
	label= c;	color= blue;

	label= s;	color= yellow;
	label= ts;	color= red;

	word= sb;	color= cyan;
	word= cc;	color= magenta;

	label= Admin_High;	color= #636363;
* End of local site definitions

Values Specified in the LOCAL DEFINITIONS Section

The security administrator role specifies the following options using keywords in the LOCAL DEFINITIONS section:

For more details on Trusted Solaris extensions to the label encodings keywords, see label_encodings(4)

Changing the Names of Administrative Labels

As shown in the following example, the LOCAL DEFINITIONS: section has two commented-out lines that the security administrator role can activate and possibly edit to substitute alternative names for the administrative labels. See "Issues About the Names of Administrative Labels" and "Changing the Administrative Labels' Names" in Chapter 1, Introduction to Trusted Solaris Label Encodings for needed background. For the procedure, see "To Change the Names of Administrative Labels (Optional)". 


*Admin Low Name= site_low;
*Admin High Name= site_high;

Specifying Whether Other Labels are Substituted for Administrative Labels

Besides the option to specify alternate names for administrative labels, which is described in "To Change the Names of Administrative Labels (Optional)", another related option, the default label view, can be used to substitute other label names. If the label view is set to External, the lowest label in the user accreditation range is substituted for the ADMIN_LOW label, and the highest label in the user accreditation range is substituted for the ADMIN_HIGH label when the label displays.

The relation between these various settings is described in "The Hierarchy of Label View Settings" in Chapter 1, Introduction to Trusted Solaris Label Encodings.

See "To Specify the System-wide Viewing of Administrative Label Names (Optional)" and "To Specify the System-wide Viewing of Substitute Names for Administrative Labels (Optional)".

Note -

The Default Label View must be specified before the Color Names section.

Changing Label Component Names on Label Builders

The default names used in label builder dialog boxes in the window system for classifications and compartments are shown in Example 4-2.

Example 4-2 Default Names for Classifications, and Compartments

Classification Name= Class;
Compartments Name= Comps;

The following figure shows the names CLASS and COMPS used on the Session SL dialog box.

Figure 4-1 Session SL Dialog Box

Graphic

See "To Change Label Component Names Used in Label Builders (Optional)".

Specifying Colors for Labels

In the LOCAL DEFINITIONS: section, the COLOR NAMES: keyword is followed by zero or more color assignments. The default color values are shown in the following figure.

Example 4-3 COLOR NAMES Section in the LOCAL DEFINITIONS Section of label_encodings File


COLOR NAMES:

	label= Admin_Low;	color= #bdbdbd;


	label= u;	color= green;
	label= c;	color= blue;

	label= s;	color= yellow;
	label= ts;	color= red;

	word= sb;	color= cyan;
	word= cc;	color= magenta;

	label= Admin_High;	color= #636363;
*
* End of local site definitions

In this section, the security administrator role assigns colors to words and to labels, The color name can be either a text color name or a hexadecimal color value to be associated with a word or a label. How to specify color values is discussed in "Color Values". A full discussion of how to specify color is outside the scope of this manual. See the discussion under "Color Specification" in the O`Reilly and Associates, Inc. XWindows Systems User's Guide (Vol. III), ISBN number 0-937175-29-3 for more information if desired.

The color assigned to a label's component displays as a background color whenever a label includes the specified label components, according to the ordering rules described below. See Figure 4-2 for an example of how the color is used. Although the example is not in color, the PUBLIC, INTERNAL, and NTK_SALES workspace buttons are colored differently than the standard workspace buttons.

Note -

The windows software computes a complementary color for the lettering.

Figure 4-2 Window Label with a Background Color from the COLOR NAMES Section

Graphic

Order of Color Specification

Colors are assigned to labels and to words within labels using the two following syntaxes:


word= label name;     color= color name
or
label= label name;     color= color name;

The color used for any label is determined by the order of any defined entries that are part of the label.

  1. If a label contains a compartment word that has one or more colors specified, the color value associated with the first word= value is used.

  2. If a label contains none of the compartment words that are associated with colors, if any exact match exists for the label name, then the specified color is used.

  3. If there is no exact match for the label, the color associated with the first specified label= value for the classification of the label is used.

  4. If the classification has no color assigned, the color assigned to the first label that contains the same classification is used.

    Following rule 3 in a system with the color definitions shown in Example 4-4, the label TS A displays with a yellow background because yellow is the color assigned to the TS, classification.With the same definitions, any label with the C classification displays with the color blue, unless the label also contains the word B, in which case it displays with the color orange. However, any label with the U classification always displays with the color green (because B is defined elsewhere in the encodings as having a minclass of C, so it never appears in the same label with the classification U).

Example 4-4 Colors Assigned to Words and Labels


label= u;       color= green
label= c;       color= blue
label= S;       color= red;
word= B;        color= orange;
label= TS;      color= yellow;
label= TS SA;   color= khaki;

Following rule 4 in a system with the color definitions shown in the above example, TS A displays with the khaki background color because the TS classification did not have a color assigned, and TS SA is the only label that includes the TS classification and that has a color (khaki) assigned.

Example 4-5 Another Example of Colors Assigned to Words and Labels 


        label= u;       color= green
        label= c;       color= blue
        label= S;       color= red;
        word= B;        color= orange;
        label= TS SA;   color= khaki;

Color Values

The /usr/openwin/lib/rgb.txt database translates color names into red, green, blue values. You can either refer to the rgb.txt file for color names to use for your site's labels or use hexadecimal color values.

Briefly, here are a few high-level points about color values:.

To minimize conflicts you should use color names, or use hexadecimal color values that you know have been specified for other applications that display without color flashing.

The default color values defined in Trusted Solaris label_encodings COLOR NAMES section have been chosen with these caveats in mind (see the following example).

Example 4-6 Default COLOR NAMES Assigned to Label Components 


label= Admin_Low;	color= #bdbdbd;
	label= u;	color= green;
	label= c;	color= blue;
	label= s;	color= yellow;
	label= ts;	color= red;
	word= sb;	color= cyan;
	word= cc;	color= magenta;
	label= Admin_High;	color= #636363;

See "To Assign a Color to a Label or Word".

Planning Color Names

The following table may be used for planning color names.

Table 4-1 Color Names Planner

Label or Name (label= or name=) 

Color 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Procedures for Modifying Sun Extensions

To Change the Names of Administrative Labels (Optional)

  1. In the security administrator role in an ADMIN_LOW workspace, open the label_encodings file for editing.

    See "To Modify the label_encodings (4) File", if needed.

  2. Find the lines in the LOCAL DEFINITIONS section that define the administrative label names.


    *Admin Low Name= site_low;
*Admin High Name= site_high;

  3. Remove the asterisk (*) comment sign from the beginning of the lines that define the administrative names

  4. If desired, replace site_low and site_high with names that are consistent with your site's security policy. 


    Admin Low Name= your_choice;
Admin High Name= your_choice;

  5. If you are done, save and close the file.

To Specify the System-wide Viewing of Administrative Label Names (Optional)

  1. In the security administrator role in an ADMIN_LOW workspace, open the label_encodings file for editing.

    See "To Modify the label_encodings (4) File", if needed.

  2. Find the lines in the LOCAL DEFINITIONS section that define the Default Label View.


    Default Label View Is Internal

  3. Ensure that the line that begins Default Label View is set to Internal as shown.

  4. If you are done, save and close the file.

To Specify the System-wide Viewing of Substitute Names for Administrative Labels (Optional)

  1. In the security administrator role in an ADMIN_LOW workspace, open the label_encodings file for editing.

    See "To Modify the label_encodings (4) File", if needed.

  2. Find the line in the LOCAL DEFINITIONS section that begins with Default Label View.


    Default Label View Is Internal

  3. Ensure that the default label view is set to External, as shown below:


    Default Label View Is External

  4. If you are done, save and close the file.

To Change Label Component Names Used in Label Builders (Optional)

  1. In the security administrator role in an ADMIN_LOW workspace, open the label_encodings file for editing.

    See "To Modify the label_encodings (4) File", if needed.

  2. Find the line in the LOCAL DEFINITIONS section that defines the labels components names used in label builder dialog boxes.


    Classification Name= Class;
Compartments Name= Comps;

  3. If desired, change the defaults Class, and Comps.

    The example shows the alternate names used in label_encodings.simple.


    Classification Name= Classification;
Compartments Name= Departments;

  4. If you are done, save and close the file.

To Assign a Color to a Label or Word

Note -

If no color is defined for a classification in the COLOR NAMES section of the label_encodings file, the color black is used.

  1. In the security administrator role, open the label_encodings file for editing.

    See "To Modify the label_encodings (4) File", if needed.

  2. Find the COLOR NAMES section.


    COLOR NAMES:
          label= Admin_Low;       color= #bdbdbd;    
          label= u;       color= green; 
          label= c;       color= blue;  

          label= s;       color= yellow; 
          label= ts;      color= red; 

          word= sb;       color= cyan; 
          word= cc;       color= magenta;

          label= Admin_High;      color= #636363;

  3. Optionally, define colors for individual compartment words.

    To distinguish certain compartment words irrespective of the classification with which they may be associated, assign a separate color to those words. 


    word= EMG; color= RedOrange;

  4. Optionally, define colors for sensitivity labels.

    In the example, the color assigned to NEED_TO_KNOW SYSADM is bluePurple. 


    label= NEED TO KNOW SYSADM; color= bluePurple;

  5. Make sure a color is defined for each classification.

    If a color is not defined for a classification, the background color used is black, so, make sure to define every classification.

    In the screen below, the classification REGISTERED is assigned the color red, and the NEED_TO_KNOW SYSADM classification is assigned the color blue.


    label= REGISTERED;  color= red;
label= NEED TO KNOW; color= blue;

    The three steps shown combined in the following example have the following results:

    • Any label with the word EMG always displays with the color RedOrange.

    • The label NEED_TO_KNOW SYSADM always displays with the color orange.

    • Any other label containing the NEED_TO_KNOW classification displays with the color blue (unless the label contains the word EMG).

    • Any label with the REGISTERED classification displays with the color red

    • Any label with any classification not defined displays with the color black


    word= EMG; color= RedOrange;
label= NEED TO KNOW SYSADM; color= bluePurple;
label= REGISTERED;  color= red;
label= NEED TO KNOW; color= blue;

  6. If you are done, save and close the file.