An organization may not want non-administrative users to see labels or be aware of mandatory access controls. By following the steps in "To Set Up No Labels Operation", the Security Administrator role can configure what appears to be a no labels operation, so that all normal users work in an environment that is visually almost the same as working in the Solaris environment with the CDE window system.
Even if non-administrative users do not see labels, certain labels must always be present:
ADMIN_LOW and ADMIN_HIGH clearances and labels are always included and do not need to be defined
One sensitivity label in the user accreditation range must be defined
One clearance in the user accreditation range must be defined
One information label in the user accreditation range must be defined (even though information labels are not used in Trusted Solaris 7 and later releases)
Even though Trusted Solaris 7 does not use information labels, the label_encodings file cannot pass chk_encodings(1M) unless it has information labels defined. To fulfill this software requirement, copy the words defined in the SENSITIVITY LABELS WORDS section to the INFORMATION LABELS WORDS section.
You can use or modify the default example single-label file (/etc/security/tsol/label_encodings.single), copy the /etc/security/tsol/label_encodings.simple file manually from Appendix A, or create an encodings file with one classification and any number of compartments. The following example shows the settings in the ACCREDITATION RANGE: section with a single ANY_CLASS classification defined and compartment words A, B, and REL CNTRY 1 specified for all types of labels.
ACCREDITATION RANGE:
classification= ANY_CLASS; only valid compartment combinations:
ANY_CLASS A B REL CNTRY1
minimum clearance= ANY_CLASS A B REL CNTRY1;
minimum sensitivity label= ANY_CLASS A B REL CNTRY1;
minimum protect as classification= ANY_CLASS;
Each of these ways of creating single-label operation also requires the supporting procedures described in "To Configure Labels Not Visible to Users".
Label components are defined by the Security Administrator role in the /etc/security/tsol/label_encodings file in the sections described here. The encodings consist of a VERSION specification and seven mandatory sections: CLASSIFICATIONS, INFORMATION LABELS, SENSITIVITY LABELS, CLEARANCES, CHANNELS, PRINTER BANNERS, and ACCREDITATION RANGE, which must appear in the order given. An optional LOCAL DEFINITIONS section may follow. Mandatory means only that all the keywords must be present; not all keywords must have definitions. See the notes for each section for what must be defined and what is optional.
Table 2-2 Table Caption
For all the required sections, the keywords shown must be present, but not all of the sections must have elements defined. This means that you could have a valid label encodings file with only CLASSIFICATIONS and ACCREDITATION RANGE definitions.
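The section-order rule above can be checked before an edited file is handed to chk_encodings(1M). The following sketch is an added example, not part of the Trusted Solaris software and not a substitute for chk_encodings; the function name, the sample text, the '*' comment rule, and the "contains =" test for a definition are assumptions made for illustration.

```python
import re

# Top-level keywords in the order the page requires. The "KEYWORD:" spelling
# follows the page's "ACCREDITATION RANGE:" and is assumed for the others.
MANDATORY = ["CLASSIFICATIONS", "INFORMATION LABELS", "SENSITIVITY LABELS",
             "CLEARANCES", "CHANNELS", "PRINTER BANNERS", "ACCREDITATION RANGE"]
ORDER = MANDATORY + ["LOCAL DEFINITIONS"]          # optional, must come last
HEADER = re.compile(r"^(%s)\s*:(.*)$" % "|".join(ORDER))

def check_sections(text):
    """Return (problems, sections_without_definitions)."""
    problems, found, defined, version, current = [], [], set(), False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):       # assumption: '*' opens a comment line
            continue
        m = HEADER.match(line)
        if m:
            current, line = m.group(1), m.group(2)
            if current in found:
                problems.append("duplicate section: " + current)
            found.append(current)
        elif current is None and line.startswith("VERSION="):
            version = True
        if current and "=" in line:                # heuristic: "keyword= value" is a definition
            defined.add(current)
    if not version:
        problems.append("no VERSION specification before the first section")
    problems += ["missing section keyword: " + s for s in MANDATORY if s not in found]
    unique = list(dict.fromkeys(found))
    if unique != [s for s in ORDER if s in unique]:
        problems.append("sections out of order: " + ", ".join(unique))
    return problems, [s for s in unique if s not in defined]

# Constructed, abbreviated sample (not a complete encodings file): every
# keyword present, only CLASSIFICATIONS and ACCREDITATION RANGE defined.
SAMPLE = """VERSION= constructed example;
CLASSIFICATIONS:
name= ANY_CLASS; sname= ANY_CLASS; value= 1;
INFORMATION LABELS:
SENSITIVITY LABELS:
CLEARANCES:
CHANNELS:
PRINTER BANNERS:
ACCREDITATION RANGE:
classification= ANY_CLASS; only valid compartment combinations:
ANY_CLASS A B REL CNTRY1
minimum clearance= ANY_CLASS A B REL CNTRY1;
"""
```

Calling check_sections(SAMPLE) returns no problems and lists the five sections that carry a keyword but no definitions, which is the case the last paragraph describes.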