Trusted Solaris Label Administration

Sensitivity Labels (SLs): Uses and Format

The sensitivity label of a file or directory is a fixed security label. A newly-created file or directory is assigned the sensitivity label of the process that creates it, which is usually the sensitivity label of the workspace where the process is started. The sensitivity label stays the same unless explicit action is taken by:

The object's owner

An administrator or another user who has the needed authorization

The authorizations to change a label are described in "Authorizations for Upgrading and Downgrading SLs".

Sensitivity Label Components

Each sensitivity label is made up of a classification and zero or more compartments, as shown in the following table.

Table 1-5 Components of a Sensitivity Label


Classification	Compartments
name	[word1, word2, ..., word`N`]

The example in the following table shows that one sensitivity label consists only of the classification INTERNAL_USE_ONLY with no compartments, while another sensitivity label is made up of a NEED_TO_KNOW classification and the compartments ENGINEERING and SALES.

Table 1-6 Components of Example Sensitivity Labels


Classification	Compartments
INTERNAL_USE_ONLY	none
NEED_TO_KNOW	ENGINEERING, SALES

Sensitivity Label Internal Representation

Along with its classification field, each sensitivity label has a 256 bit field available for compartments, as shown in Table 1-7. Labels contain zero or more compartments. Each compartment word has 1 or more compartment bits assigned. The same compartment bit may be assigned to more than one word.

Table 1-7 Bits and Values for Classification and Compartment Components


Classification	Compartments
15 bits 32,767 possible values 256 values limit enforced	256 bits possible compartment and bit combinations: 10 to the 70 power

Authorizations for Upgrading and Downgrading SLs

A sensitivity label can only be changed by a user or an administrator who has the appropriate authorization in one of his or her profiles. The authorization to change a sensitivity label to one that dominates it is called the upgrade file sensitivity label authorization. The authorization to change a sensitivity label to one that it dominates is called the downgrade file sensitivity label authorization. See also auth_desc(4).

Restricting Users to a Single Label

If a system is configured to run with only a single sensitivity label, all non-administrative user accounts on that system are restricted to work at that single sensitivity label. In such systems, the clearance for every user's account would necessarily be set to be equal to the account's minimum sensitivity label.

In systems running with multiple sensitivity labels, any account may be restricted to work at a single sensitivity label if the security administrator role sets the account's clearance equal to its minimum sensitivity label.

When the security administrator role has configured an account with a account label range that includes multiple sensitivity labels, the user can voluntarily restrict a working session to a single sensitivity label, which is explained in the next section.

Specifying the Session Clearance

Directly after a user logs in and starts a session on a Trusted Solaris host, if the account is set up to use multiple labels, the user can specify which sensitivity labels are available during the session by doing one of the following:

Restrict the session to a single sensitivity label

Set the session clearance to be the same as the user's own clearance

Set a session clearance lower than the user's own clearance

The selected single label or session clearance is in effect throughout the session, from login until logout. During a session, the user may work at any sensitivity label that is dominated by the session clearance and that dominates the user's minimum label. The sensitivity label must be a valid label defined in the label_encodings(4) file, as described in "Valid Labels".

Labeled Workspaces

The Trusted Solaris windowing system is a labels-aware version of the CDE window system. CDE workspaces play an important part in making it possible for users to work at multiple sensitivity labels during a single session.

When the employee logs in for the first time, the first workspace that comes up is assigned the employee's minimum sensitivity label. (Buttons for three additional workspaces are created at the same minimum sensitivity label in the workspace switch portion of the Front Panel.) The employee can bring up additional workspaces and change the sensitivity labels on any workspaces, but he or she cannot set the sensitivity label on a workspace to be higher than the current session clearance--which constrains the user from working at any sensitivity label higher than the session clearance. The sensitivity label of the workspace is assigned to each new window that is created in that workspace.

Any user allowed a multilevel session may relabel any of the workspaces. Any user may specify which workspaces and applications are launched at future logins by means of the Startup dialog box in the Style Manager available on the Front Panel. Because the first workspace that comes up after second and subsequent logins may be specified by the user, the sensitivity label of the first workspace that comes up after any login after the initial login can be at any sensitivity label the user chooses (within the account's label range).