Trusted Solaris Label Administration

The Hierarchy of Label View Settings

The label view is set to be either INTERNAL or EXTERNAL in three different ways that are described in this section in order of precedence, with the lowest first.

In the label_encodings File

The demonstration label_encodings(4) file has the label view set to External in the LOCAL DEFINITIONS section, as shown in Example 1-3. The term Default Label View is used because it is the default setting that applies unless it is overridden by either of the other two settings.


Example 1-3 Default Label View Setting


Default Label View is External;

When creating the site's label_encodings(4) file, the security administrator role may choose to accept the External setting or change it to Internal. For what the settings mean, see "Specifying Whether Users See Administrative Labels' Names". The security administrator role may also change this value after the system is up and running by editing the label_encodings file.


Note -

As described in "Changing the Administrative Labels' Names", the security administrator role can specify alternate names for administrative labels in the label_encodings(4) file, so keep in mind that the administrative labels may have been renamed.


In the User Manager

The label view setting in a process can override the system-wide setting. A process's label view is set to internal, external, or sys. If it is sys, the process's label view takes the setting in the label_encodings file. A process's label view gets set indirectly:

Figure 1-2 User Manager: Labels Dialog Box


The label view is the first value stored in the labelview field in the account's entry in the /etc/security/tsol/tsoluser file, followed by either showsl or hidesl. In the example entry below, the first setting in the labelview field is internal, and therefore the label view is set to INTERNAL for the locally-created auditadmin administrative role account.


Example 1-4 Example tsoluser Entry for an Audit Administration Role Account


auditadmin:fixed:automatic:Audit Control,Audit Review,Media Restore,:none:5:
lock:internal,showsl:0x000000000000000000000000000000000000000
00000000000000000000000000000:0x7fffffffffffffffffffffffffffffffffffffffffff
ffffffffffffff:utadm:res1:res2:res3


Note -

Do not edit the tsoluser(4) file directly. Change any account's label view through the Labels dialog box in the User Manager.


How setpattr(2) Sets the PAF_LABEL_VIEW Flag for a Process

When a user or role starts a process, the tsoluser(4) file entry for the account is consulted and the process attribute flag PAF_LABEL_VIEW is set using setpattr(2), according to the label view specified in the tsoluser file entry for the account. PAF_VIEW_EXT sets the external view and PAF_VIEW_INT sets the internal view. If the sys label view is specified in tsoluser, PAF_VIEW_DEF is set equal to the default setting in the label_encodings(4) file.

In Programs

Programs can use library routines (described on the bltos(3) man page and in "Labels" in Trusted Solaris Developer's Guide) to set or get the label view of a process.

Regardless of the value of the PAF_LABEL_VIEW flag, a library call used to translate labels from binary to text can specify that labels be translated with either an INTERNAL or EXTERNAL label view. If neither the VIEW_EXTERNAL nor the VIEW_INTERNAL flag is specified in the call to the library routine, translation of ADMIN_LOW and ADMIN_HIGH labels is controlled by the label view process attribute flags. If the label view process attribute flag is defined as VIEW_SYS, the translation is controlled by the label view configured in the label_encodings(4) file.
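
The precedence described in this section can be checked for every account in one read-only pass, which shows which accounts end up with the INTERNAL view. The following Python code is an added example, not part of the Trusted Solaris documentation or its libraries. The sample data, the function names, the one-entry-per-line layout and locating the labelview field by its shape are assumptions.

```python
import re

# Constructed sample inputs modelled on Examples 1-3 and 1-4; the jdoe entry,
# the shortened hex fields and the one-entry-per-line layout are assumptions.
LABEL_ENCODINGS = "LOCAL DEFINITIONS:\nDefault Label View is External;\n"
TSOLUSER = (
    "auditadmin:fixed:automatic:Audit Control,Audit Review,Media Restore,"
    ":none:5:lock:internal,showsl:0x0:0x7f:utadm:res1:res2:res3\n"
    "jdoe:fixed:automatic:none:none:5:lock:sys,hidesl:0x0:0x7f:utadm:res1:res2:res3\n"
)
VIEW_FIELD = re.compile(r"(internal|external|sys),(showsl|hidesl)")


def default_view(encodings_text):
    """System-wide setting from the Default Label View line."""
    m = re.search(r"^\s*Default Label View is (Internal|External);",
                  encodings_text, re.I | re.M)
    if m is None:
        raise ValueError("no Default Label View setting found")
    return m.group(1).lower()


def account_view(entry):
    """Return (account, labelview) for one tsoluser entry.
    The labelview field is found by its shape, not by a fixed column."""
    fields = entry.strip().split(":")
    for field in fields[1:]:
        m = VIEW_FIELD.fullmatch(field)
        if m:
            return fields[0], m.group(1)
    raise ValueError("no labelview field for account %r" % fields[0])


def effective_view(file_default, process_view="sys", call_view=None):
    """Precedence, highest first: flag in the translation call, process
    attribute from tsoluser, Default Label View in label_encodings."""
    for view in (call_view, process_view):
        if view in ("internal", "external"):
            return view
    if process_view != "sys":
        raise ValueError("unknown label view %r" % process_view)
    return file_default


def audit(encodings_text, tsoluser_text):
    """Map each account to the view its processes get when no call flag is given."""
    default = default_view(encodings_text)
    entries = [line for line in tsoluser_text.splitlines() if line.strip()]
    return {name: effective_view(default, view)
            for name, view in map(account_view, entries)}
```

Calling audit(LABEL_ENCODINGS, TSOLUSER) returns a dictionary keyed by account name, so accounts whose processes see administrative label names can be listed and reviewed.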