Trusted Solaris Label Administration

Running Without Labels

An organization may not want non-administrative users to see labels or be aware of mandatory access controls. By following the steps in "To Set Up No Labels Operation", the Security Administrator role can configure what appears to be a no-labels operation, so that all normal users work in an environment that looks almost the same as the Solaris environment with the CDE window system.

Even if non-administrative users do not see labels, certain labels must always be present:


Note -

Even though Trusted Solaris 7 does not use information labels, the label_encodings file cannot pass chk_encodings(1M) unless it has information labels defined. To fulfill this software requirement, copy the words defined in the SENSITIVITY LABELS WORDS to the INFORMATION LABELS WORDS section.


Setting Up Single-label Operation

You can use or modify the default example single-label file (/etc/security/tsol/label_encodings.single), copy the /etc/security/tsol/label_encodings.simple file manually from Appendix A, or create an encodings file with one classification and any number of compartments. The following example shows the settings in the ACCREDITATION RANGE: section with a single ANY_CLASS classification defined and the compartment words A, B, and REL CNTRY 1 specified for all types of labels.


ACCREDITATION RANGE:

classification= ANY_CLASS;      only valid compartment combinations:

ANY_CLASS A B REL CNTRY1

minimum clearance= ANY_CLASS A B REL CNTRY1;
minimum sensitivity label= ANY_CLASS A B REL CNTRY1;
minimum protect as classification= ANY_CLASS;

Whichever of these ways you use to create single-label operation, you must also carry out the supporting procedures described in "To Configure Labels Not Visible to Users".

Sections for Defining Labels

Label components are defined by the Security Administrator role in the /etc/security/tsol/label_encodings file, in the sections described here. The encodings consist of a VERSION specification and seven mandatory sections: CLASSIFICATIONS, INFORMATION LABELS, SENSITIVITY LABELS, CLEARANCES, CHANNELS, PRINTER BANNERS, and ACCREDITATION RANGE, which must appear in the order given. An optional LOCAL DEFINITIONS section may follow. Mandatory means only that all the keywords must be present; not every keyword needs definitions under it. See the notes for each section for what must be defined and what is optional.

Table 2-2 Sections for Defining Labels

Section: VERSION=
Notes: Mandatory; the keyword must be present. The version specification is the single keyword VERSION=, followed by a character string that identifies this particular version of the encodings. An example is:

    VERSION= DISTRIBUTED DEMO VERSION

Section: CLASSIFICATIONS:
Notes: Mandatory; the keyword must be present. At least one classification must be defined.

Section: INFORMATION LABELS: WORDS: REQUIRED COMBINATIONS: COMBINATION CONSTRAINTS:
Notes: Mandatory; the keywords must be present. Even though information labels are not used in Trusted Solaris, you must assign one bit to an INFORMATION LABELS WORD for each bit you assign to a SENSITIVITY LABELS WORD in the following section. Hint: Encode the SENSITIVITY LABELS WORDS first and then copy them to the INFORMATION LABELS section.

Section: SENSITIVITY LABELS: WORDS: REQUIRED COMBINATIONS: COMBINATION CONSTRAINTS:
Notes: Mandatory; the keywords must be present. WORDS definitions are optional. If you define SENSITIVITY LABELS WORDS, the same bits must be assigned to WORDS in both the INFORMATION LABELS and CLEARANCES sections, even though the words assigned to the bits do not need to be the same.

Section: CLEARANCES: WORDS: REQUIRED COMBINATIONS: COMBINATION CONSTRAINTS:
Notes: Mandatory; the keywords must be present. One bit must be assigned to a CLEARANCES WORD for each SENSITIVITY LABELS WORD you define. Clearance labels may allow combinations of words that have been disallowed in the definitions for sensitivity label words.

Section: CHANNELS:
Notes: Mandatory; the keyword must be present.

Section: PRINTER BANNERS:
Notes: Mandatory; the keyword must be present.

Section: ACCREDITATION RANGE:
Notes: Mandatory; the keyword must be present. A rule must be defined for each CLASSIFICATION name, and the minimum clearance, minimum sensitivity label, and minimum protect as classification must be defined.

Section: LOCAL DEFINITIONS:
Notes: Optional.

For all the required sections, the keywords shown must be present, but not all of the sections must have elements defined. This means that you could have a valid label encodings file with only CLASSIFICATIONS and ACCREDITATION RANGE definitions.
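As an added example (not from the Trusted Solaris documentation and not the chk_encodings(1M) program), the following Python script checks a label_encodings text against the rules stated in this section: the mandatory sections appear in the order given, every compartment bit assigned to a SENSITIVITY LABELS word is also assigned in the INFORMATION LABELS and CLEARANCES words, and the three minimum settings are defined in ACCREDITATION RANGE. It assumes the WORDS entries use the `name= ...; compartments= N;` syntax and works on a constructed single-label sample embedded below.

```python
import re

# Added checker for the section-order and bit rules above; keywords are the page's, the sample file is constructed.
SECTIONS = ["CLASSIFICATIONS:", "INFORMATION LABELS:", "SENSITIVITY LABELS:", "CLEARANCES:",
            "CHANNELS:", "PRINTER BANNERS:", "ACCREDITATION RANGE:"]
MINIMUMS = ["minimum clearance=", "minimum sensitivity label=", "minimum protect as classification="]

def split_sections(text):
    # Top-level sections in the order they appear, plus each section's body text.
    order, bodies, current = [], {}, None
    for line in text.splitlines():
        key = line.strip()
        if key in SECTIONS or key == "LOCAL DEFINITIONS:":
            order.append(key); bodies[key] = []; current = key
        elif current is not None:
            bodies[current].append(line)
    return order, {k: "\n".join(v) for k, v in bodies.items()}

def word_bits(body):
    # Compartment bits that 'compartments=' assigns in a WORDS: block (single "2" or range "4-5").
    bits = set()
    for spec in re.findall(r"compartments=\s*([0-9 \-]+);", body):
        for tok in spec.split():
            lo, _, hi = tok.partition("-")
            bits.update(range(int(lo), int(hi or lo) + 1))
    return bits

def check_encodings(text):
    # Returns a list of problems; an empty list means the rules on this page hold.
    problems, (order, bodies) = [], split_sections(text)
    if [s for s in order if s in SECTIONS] != SECTIONS:
        problems.append("mandatory sections missing or out of order")
    sl_bits = word_bits(bodies.get("SENSITIVITY LABELS:", ""))
    for sec in ("INFORMATION LABELS:", "CLEARANCES:"):   # must carry the same bits as SL words
        if word_bits(bodies.get(sec, "")) != sl_bits:
            problems.append(f"{sec} WORDS bits differ from SENSITIVITY LABELS WORDS")
    acc = bodies.get("ACCREDITATION RANGE:", "")
    return problems + [f"{m} not defined" for m in MINIMUMS if m not in acc]

# Constructed sample in the single-label style of the ACCREDITATION RANGE shown earlier.
WORDS = ("WORDS:\nname= A; compartments= 0;\nname= B; compartments= 1;\n"
         "name= REL CNTRY 1; sname= REL CNTRY1; compartments= 2;\n"
         "REQUIRED COMBINATIONS:\nCOMBINATION CONSTRAINTS:\n")
GOOD = ("VERSION= CONSTRUCTED SAMPLE\nCLASSIFICATIONS:\nname= ANY_CLASS; sname= ANY; value= 1;\n"
        "INFORMATION LABELS:\n" + WORDS + "SENSITIVITY LABELS:\n" + WORDS + "CLEARANCES:\n" + WORDS
        + "CHANNELS:\nWORDS:\nPRINTER BANNERS:\nWORDS:\nACCREDITATION RANGE:\n"
        "classification= ANY_CLASS; only valid compartment combinations:\nANY_CLASS A B REL CNTRY1\n"
        "minimum clearance= ANY_CLASS A B REL CNTRY1;\nminimum sensitivity label= ANY_CLASS A B REL CNTRY1;\n"
        "minimum protect as classification= ANY_CLASS;\n")
# Same file with the CLEARANCES words left out: the one-bit-per-word rule is broken.
BAD = GOOD.replace("CLEARANCES:\n" + WORDS, "CLEARANCES:\nWORDS:\n")
```

Run the result of check_encodings on a draft file before handing it to chk_encodings(1M); the script catches the copy-and-paste mistakes described above but does not replace the full syntax check.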