A clearance label and a minimum label are assigned to each user and role account. These labels are assigned by the security administrator role when configuring the security aspects of the account, using the Labels dialog box in the User Manager. The clearance establishes the upper bound of the set of labels at which the account can work, while the minimum label establishes the lower bound. Clearance labels are defined in the CLEARANCES section of the label_encodings file. See also "More About Clearance Labels".
The set of labels at which a user or role can work at any time is referred to as the account label range. The upper bound of the account label range is the account's clearance, and the lower bound is the account's minimum label. Users who are allowed to work at only a single label have a clearance that equals their minimum label. See "Accreditation Range Examples" for how the account clearance is selected from the total set of labels available to all users on the system.
There are two types of clearance: the account clearance assigned when the account is created, and the session clearance. When an employee logs in to the system, he or she specifies a session clearance that is in effect for the time between login and logout. The session clearance must be within the account's clearance. (See the following section and "Specifying the Session Clearance" for more about the session clearance.)
The session clearance is provided to allow an account that is set up to work with multiple labels to voluntarily restrict the range of labels available during a particular session. The session clearance default is the account's clearance. A lower clearance may be chosen.
The session clearance establishes the upper limit on the range of labels at which processes can be run on behalf of the normal user during a session. The minimum label is always the lower bound on the labels at which an account can work during a session.
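The range rules above can be modeled as follows. This is an added example, not code from the system being documented. Assumptions: labels are modeled as a classification plus a set of compartments, with "upper bound" read as dominance over both; a session clearance must also stay at or above the minimum label; the classification names, compartment names and all function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed classification ordering; a real site defines its own in label_encodings.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "RESTRICTED": 2}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True when this label is at or above `other` (assumed dominance model)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

@dataclass(frozen=True)
class Account:
    minimum: Label     # lower bound of the account label range
    clearance: Label   # upper bound of the account label range

def session_clearance(account, requested=None):
    """Return the session clearance; the default is the account's clearance."""
    chosen = account.clearance if requested is None else requested
    if not account.clearance.dominates(chosen):
        raise ValueError("session clearance is not within the account clearance")
    if not chosen.dominates(account.minimum):
        # Assumption: a session clearance below the minimum label leaves no usable label.
        raise ValueError("session clearance is below the account minimum label")
    return chosen

def may_work_at(account, session, label):
    """A label is usable when it lies between the minimum label and the session clearance."""
    return session.dominates(label) and label.dominates(account.minimum)

# Constructed sample data: a multi-label account and a voluntarily narrowed session.
ACCT = Account(minimum=Label("PUBLIC"),
               clearance=Label("RESTRICTED", frozenset({"ENG", "FIN"})))
NARROW = session_clearance(ACCT, Label("INTERNAL", frozenset({"ENG"})))

# Constructed single-label account: clearance equals minimum label.
SINGLE = Account(minimum=Label("INTERNAL"), clearance=Label("INTERNAL"))
```

With compartments in the model, two labels can be incomparable, so a label at the same classification as the session clearance is still rejected when it carries a compartment the session clearance lacks.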