Two default administrative labels are always defined.
ADMIN_LOW
is the lowest label in the system with a classification value of 0 and no compartments or markings.
The ADMIN_LOW
label is dominated by every other label.
ADMIN_HIGH
is the highest label in the system with the classification value of 32767.
As the highest label in the system, the ADMIN_HIGH
label and the ADMIN_HIGH
clearance have all 256 compartment bits set to 1. The ADMIN_HIGH
label dominates all other labels.
System files and commonly-available executables are assigned an ADMIN_LOW
label. According to the WURD (write up read down) MAC rule, anyone working at any label can read files at ADMIN_LOW, unless the files' DAC permissions deny read access to the account
attempting the reading. Files that contain data that should not be viewed by normal users, such as system log files, the label_encodings and vfstab_adjunct files are maintained at ADMIN_HIGH
. To allow administrators access
to protected system files, the ADMIN_LOW
and ADMIN_HIGH
administrative labels are assigned as the minimum label and clearance for the default roles. The following sections of this manual describe issues about administrative
labels that the security administrator needs to consider.
The site's security administrator role can choose to do the following:
Specify alternate names for administrative labels (not recommended)
Because this is not recommended, this manual does not describe how to do it.
Prevent normal users from seeing the names of administrative labels by substituting names of the lowest and highest labels in the user accreditation range.
See "Specifying Whether Users See Administrative Labels' Names".
Prevent normal users from seeing any labels.
The option to set a label view allows the security administrator role to determine whether the names for administrative labels are displayed
to non-administrative users. If the label view is set to external, another label is substituted: ADMIN_HIGH
is demoted to the maximum label and ADMIN_LOW
is promoted to the minimum label within the user accreditation
range.
Some reasons a site might hide the names of administrative labels are:
The site assigns each user a single label to work at and chooses not to train users about administrative labels.
The site's security policy treats the names of administrative labels as classified information.
The label view is set to be either INTERNAL or EXTERNAL in several different ways that are listed in order of precedence, with the lowest first.
If not otherwise overridden, the system-wide label view is EXTERNAL.
An optional system-wide setting can be made in the label_encodings(4) file
The default label_encodings(4) file has the label view set to External in the LOCAL DEFINITIONS section. If the optional definition is not round in the file, the default system-wide setting of EXTERNAL is used.
The User Accounts and Administrative Roles Tools can set an individual value for any user or role account
The Security Administrator role can make an individual setting in the Trusted Solaris Attributes tab that is found in both the User Accounts and Administrative Roles Properties dialogs. The values are stored in the user_attr(4) file entry for the user or role account.
Do not edit the user_attr file directly. Change any account's labels views using the SMC tools.
The View: choices are External | Internal | System Default
If the System Default is chosen, the Default Label View is value in the optional LOCAL DEFINITIONS section of the label_encodings file applies.
Programs can use library routines to manipulate the label view of the process running the program.
The label view setting in a process can override the system-wide setting. A process's label view is set to be either internal, external, or sys. If sys, the process's label view is whatever is set in the label_encodings file, and if no value is set in the file, then the default of External is used.
A process's label view gets set indirectly through the following:
From the user_attr entry for the owner of the process
When a user or role starts a process, the user_attr file entry for the account is consulted and the process attribute flag PAF_LABEL_VIEW
is set using setpattr(2), according to the label view specified in the for the account. PAF_VIEW_EXT
sets the external view and a PAF_VIEW_INT
sets the internal
view. If the sys label view is specified, the PAF_VIEW_DEF
is set equal to the optional setting in the label_encodings(4) file, or the default of EXTERNAL that applies if the option is not set.
From within a program using library routines
Programs can use library routines [described on the bltos(3TSOL) man page and under "Labels" in Trusted Solaris Developer's Guide] to set or get the label view of a process.
Regardless of the value of the PAF_LABEL_VIEW
flag, a library call used to translate labels from binary form to text can specify that labels be translated with either an INTERNAL or EXTERNAL label view. If the VIEW_EXTERNAL or VIEW_INTERNAL flags are not specified in the call to the library routine, translation of ADMIN_LOW and ADMIN_HIGH labels is controlled by the label view process attribute flags. If the label view process attribute flag
is defined as VIEW_SYS, the translation is controlled by the label view option configured in the label_encodings(4)
file or by the default system-wide value of EXTERNAL if the option is not specified.
The system-wide default is to show labels. The default setting for all accounts in the policy.conf(4) file is show labels. The Security Administrator can change the policy.conf entry to hide labels. The Security Administrator can also override the policy.conf setting for individuals accounts by choosing Hide from the Labels: menu on the Trusted Solaris Attributes tab of the User Accounts and Administrative Roles tools.
See "User Attributes and Defaults in policy.conf" and "Precedence Relationships for Attributes" in Trusted Solaris Administrator's Procedures for more details.