This appendix contains a sample label_encodings file developed along with Chapter 5, Example: Planning an Organization's Labels.
The example file has the following four classifications:
PUBLIC
INTERNAL_USE_ONLY
NEED_TO_KNOW
REGISTERED
The sample file defines compartments to appear only in labels that have the NEED_TO_KNOW classification. The sample file also specifies that the default word Comps is changed to the word Departments in label-builder GUIs.
NEED_TO_KNOW compartments are:
ALL_DEPARTMENTS
EXECUTIVE_MGMNT_GROUP
SALES
FINANCE
LEGAL
MARKETING
HUMAN_RESOURCES
ENGINEERING
MANUFACTURING
SYSTEM_ADMINISTRATION
PROJECT_TEAM
The ALL_DEPARTMENTS compartment word gets turned on when all defined compartment bits are on and works as a toggle in a label builder.
PROJECT_TEAM is hierarchically below both ENGINEERING and MARKETING. The hierarchy allows someone working at NEED_TO_KNOW ENGINEERING or at NEED_TO_KNOW MARKETING to read files with the NEED_TO_KNOW PROJECT_TEAM label but not to write to files that have that label.
In this model, PUBLIC is the sensitivity label for communications with the Internet, and INTERNAL_USE_ONLY is the sensitivity label for communications within the company.
PUBLIC = INTERNET
INTERNAL_USE_ONLY = INTRANET (Company's WAN)
* @(#)label_encodings.simple 5.9 99/11/01 SMI; TSOL 2.x * * * Copyright (c) 1997 by Sun Microsystems, Inc. * All rights reserved. * * * This version of the label_encodings file encodes the Sun * proprietary/confidential labels that are required by Sun's * legal and information protection departments. The prefix * SUN PROPRIETARY/CONFIDENTIAL is omitted from the labels for * brevity. This encodings includes some example department * names that can be used for controlling access to information * across department boundaries. Commercial sites with different * requirements can copy this file and change the definitions to suit. * This example shows how to specify labels that meet an actual * site's (Sun's) legal information protection requirements for * labeling email and printer output. These labels may also * be used to enforce mandatory access control checks based on user * clearance labels and labels and sensitivity labels on files * and directories. VERSION= Sun Microsystems, Inc. Example Version - 5.9 99/11/01 CLASSIFICATIONS: name= PUBLIC; sname= PUBLIC; value= 1; name= INTERNAL_USE_ONLY; sname= INTERNAL; aname= INTERNAL; value= 4; name= NEED_TO_KNOW; sname= NEED_TO_KNOW; aname= NEED_TO_KNOW; value= 5; name= REGISTERED; sname= REGISTERED; aname= REGISTERED; value= 6; INFORMATION LABELS: WORDS: name= SYSTEM_ADMINISTRATION; sname= SYSADM; compartments= 19; minclass= NEED_TO_KNOW; name= MANUFACTURING; sname= MANUFACTURING; compartments= 18; minclass= NEED_TO_KNOW; name= ENGINEERING; sname= ENG; compartments= 17 20; minclass= NEED_TO_KNOW; name= HUMAN_RESOURCES; sname= HR; compartments= 16; minclass= NEED_TO_KNOW; name= MARKETING; sname= MRKTG; compartments= 15 20; minclass= NEED_TO_KNOW; name= LEGAL; sname= LEGAL; compartments= 14; minclass= NEED_TO_KNOW; name= FINANCE; sname= FINANCE; compartments= 13; minclass= NEED_TO_KNOW; name= SALES; sname= SALES; compartments= 12; minclass= NEED_TO_KNOW; name= EXECUTIVE_MGMNT_GROUP; sname= EMG; compartments= 11; minclass= NEED_TO_KNOW; name= ALL_DEPARTMENTS; sname= ALL; compartments= 11-20; minclass= NEED_TO_KNOW; name= PROJECT_TEAM; sname= P_TEAM; compartments= 20; minclass= NEED_TO_KNOW; REQUIRED COMBINATIONS: COMBINATION CONSTRAINTS: SENSITIVITY LABELS: WORDS: name= ALL_DEPARTMENTS; sname= ALL; compartments= 11-20; minclass= NEED_TO_KNOW; name= EXECUTIVE_MGMNT_GROUP; sname= EMG; compartments= 11; minclass= NEED_TO_KNOW; name= SALES; sname= SALES; compartments= 12; minclass= NEED_TO_KNOW; name= FINANCE; sname= FINANCE; compartments= 13; minclass= NEED_TO_KNOW; name= LEGAL; sname= LEGAL; compartments= 14; minclass= NEED_TO_KNOW; name= MARKETING; sname= MRKTG; compartments= 15 20; minclass= NEED_TO_KNOW; name= HUMAN_RESOURCES; sname= HR; compartments= 16; minclass= NEED_TO_KNOW; name= ENGINEERING; sname= ENG; compartments= 17 20; minclass= NEED_TO_KNOW; name= MANUFACTURING; sname= MANUFACTURING; compartments= 18; minclass= NEED_TO_KNOW; name= SYSTEM_ADMINISTRATION; sname= SYSADM; compartments= 19; minclass= NEED_TO_KNOW; name= PROJECT_TEAM; sname= P_TEAM; compartments= 20; minclass= NEED_TO_KNOW; REQUIRED COMBINATIONS: COMBINATION CONSTRAINTS: CLEARANCES: WORDS: name= ALL_DEPARTMENTS; sname= ALL; compartments= 11-20; minclass= NEED_TO_KNOW; name= EXECUTIVE_MANAGEMENT_GROUP; sname= EMG; compartments= 11; minclass= NEED_TO_KNOW; name= SALES; sname= SALES; compartments= 12; minclass= NEED_TO_KNOW; name= FINANCE; sname= FINANCE; compartments= 13; minclass= NEED_TO_KNOW; name= LEGAL; sname= LEGAL; compartments= 14; minclass= NEED_TO_KNOW; name= MARKETING; sname= MRKTG; compartments= 15 20; minclass= NEED_TO_KNOW; name= HUMAN_RESOURCES; sname= HR; compartments= 16; minclass= NEED_TO_KNOW; name= ENGINEERING; sname= ENG; compartments= 17 20; minclass= NEED_TO_KNOW; name= MANUFACTURING; sname= MANUFACTURING; compartments= 18; minclass= NEED_TO_KNOW; name= SYSTEM_ADMINISTRATION; sname= SYSADM; compartments= 19; minclass= NEED_TO_KNOW; name= PROJECT_TEAM; sname= P_TEAM; compartments= 20; minclass= NEED_TO_KNOW; REQUIRED COMBINATIONS: COMBINATION CONSTRAINTS: CHANNELS: WORDS: name= DISTRIBUTE_ONLY_TO; prefix; name= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED); suffix; name= EXECUTIVE_MANAGEMENT_GROUP; prefix= DISTRIBUTE_ONLY_TO; compartments= 11; suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED); name= SALES; prefix= DISTRIBUTE_ONLY_TO; compartments= 12; suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED); name= FINANCE; prefix= DISTRIBUTE_ONLY_TO; compartments= 13; suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED); name= LEGAL; prefix= DISTRIBUTE_ONLY_TO; compartments= 14; suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED); name= MARKETING; prefix= DISTRIBUTE_ONLY_TO; compartments= 15 20; suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED); name= HUMAN_RESOURCES; prefix= DISTRIBUTE_ONLY_TO; compartments= 16; suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED); name= ENGINEERING; prefix= DISTRIBUTE_ONLY_TO; compartments= 17 20; suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED); name= MANUFACTURING; prefix= DISTRIBUTE_ONLY_TO; compartments= 18; suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED); name= SYSTEM_ADMINISTRATION; prefix= DISTRIBUTE_ONLY_TO; compartments= 19; suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED); name= PROJECT_TEAM; prefix= DISTRIBUTE_ONLY_TO; compartments= 20; suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED); PRINTER BANNERS: WORDS: name= COMPANY PROPRIETARY/CONFIDENTIAL:; prefix; name= ALL_DEPARTMENTS; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:; compartments= 11-20; name= EXECUTIVE_MANAGEMENT_GROUP; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:; compartments= 11; name= SALES; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:; compartments= 12; name= FINANCE; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:; compartments= 13; name= LEGAL; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:; compartments= 14; name= MARKETING; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:; compartments= 15 20; name= HUMAN_RESOURCES; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:; compartments= 16; name= ENGINEERING; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:; compartments= 17 20; name= MANUFACTURING; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:; compartments= 18; name= SYSTEM_ADMINISTRATION; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:; compartments= 19; name= PROJECT_TEAM; prefix= COMPANY PROPRIETARY/CONFIDENTIAL:; compartments= 20; ACCREDITATION RANGE: classification= PUBLIC; only valid compartment combinations: PUBLIC classification= INTERNAL_USE_ONLY; only valid compartment combinations: INTERNAL classification= NEED_TO_KNOW; all compartment combinations valid; classification= REGISTERED; only valid compartment combinations: REGISTERED minimum clearance= PUBLIC; minimum sensitivity label= PUBLIC; minimum protect as classification= PUBLIC; LOCAL DEFINITIONS: * * The names for the administrative high and low name are set to * site_high and site_low respectively by the example commands below. * * NOTE: Use of these options could lead to interoperability problems * with machines that do not have the same alternate names. * *Admin Low Name= site_low; *Admin High Name= site_high; default flags= 0x0; forced flags= 0x0; Default Label View is External; Classification Name= Classification; Compartments Name= Departments; COLOR NAMES: label= Admin_Low; color= #bdbdbd; label= PUBLIC; color= green; label= INTERNAL_USE_ONLY; color= yellow; label= NEED_TO_KNOW; color= blue; label= NEED_TO_KNOW EMG; color= #7FA9EB; label= NEED_TO_KNOW SALES; color= #87CEFF; label= NEED_TO_KNOW FINANCE; color= #00BFFF; label= NEED_TO_KNOW LEGAL; color= #7885D0; label= NEED_TO_KNOW MRKTG; color= #7A67CD; label= NEED_TO_KNOW HR; color= #7F7FFF; label= NEED_TO_KNOW ENG; color= #007FFF; label= NEED_TO_KNOW MANUFACTURING; color= #0000BF; label= NEED_TO_KNOW PROJECT_TEAM; color= #9E7FFF; label= NEED_TO_KNOW SYSADM; color= #5B85D0; label= NEED_TO_KNOW ALL; color= #4D658D; label= REGISTERED; color= red; label= Admin_High; color= #636363; ** End of local site definitions |