The account label range is the range of labels available to an individual user or role account. It governs which labels are available for the user to work at when logging into the system. (See "Setting the Session Level" in Chapter 2, "Accessing and Leaving the Trusted Solaris Environment," in the Trusted Solaris User's Guide and "Session Range" of this chapter.)
The labels available in the account label range are constrained by:
The user accreditation range--an unauthorized user cannot use any labels that have been disqualified for the user accreditation range in the label_encodings file.
The top and bottom of the range can be set by the security administrator role, which defines security attributes for the account using the SMC User Accounts tool. If no values are set for the account, the DEFAULT USER SENSITIVITY LABEL and DEFAULT USER CLEARANCE values in the optional LOCAL DEFINITIONS section of the label_encodings file are used, if they are defined. Otherwise, the minimum sensitivity label and minimum clearance set in the ACCREDITATION RANGE section of the label_encodings file are used. The values for each account are stored in the user_attr(4) database:
The user clearance defines the top of the account label range.
A clearance does not have to be a valid label. Because it must dominate all labels at which the account is to work, the clearance must contain all the components of all the labels at which the account is to work.
The minimum label sets the bottom of the account label range.
The minimum sensitivity label set in the label_encodings file defines an absolute minimum on labels at which any unauthorized users can work.
The SMC User Accounts Properties dialog allows an account's minimum label to be set below the label_encodings-defined minimum if the account has also been assigned a profile with the Set Label Outside User Accred Range authorization.
For example, the install user can log in at ADMIN_LOW because that user account has the Outside Accred profile, with the Set Label Outside User Accred Range authorization.
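The resolution order and dominance rules above can be modeled as follows. This is an added example, not Trusted Solaris code: labels are assumed to be a classification rank plus a set of compartments, the ENC dictionary is a constructed stand-in for parsed label_encodings values, and all function names are hypothetical. Treating the two LOCAL DEFINITIONS defaults independently is also an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    level: int                       # classification rank (higher = more sensitive)
    comps: frozenset = frozenset()   # compartment names

    def dominates(self, other):
        # Standard dominance: level at least as high and a superset of compartments.
        return self.level >= other.level and self.comps >= other.comps

ADMIN_LOW = Label(0)                 # modeled as dominated by every other label
OUTSIDE_AUTH = "Set Label Outside User Accred Range"

# Constructed stand-in for values parsed from label_encodings.
ENC = {"default_sl": None, "default_clearance": None,   # LOCAL DEFINITIONS (optional)
       "min_sl": Label(1), "min_clearance": Label(1)}   # ACCREDITATION RANGE

def first_defined(*values):
    return next(v for v in values if v is not None)

def covering_clearance(labels):
    # Smallest clearance dominating every label; it need not be a valid label itself.
    labels = list(labels)
    return Label(max(l.level for l in labels),
                 frozenset().union(*(l.comps for l in labels)))

def account_range(min_label=None, clearance=None, auths=(), enc=ENC):
    # Fallback order: per-account value, LOCAL DEFINITIONS default,
    # then ACCREDITATION RANGE minimum.
    bottom = first_defined(min_label, enc["default_sl"], enc["min_sl"])
    top = first_defined(clearance, enc["default_clearance"], enc["min_clearance"])
    if not top.dominates(bottom):
        raise ValueError("clearance does not dominate the minimum label")
    # A minimum below the label_encodings minimum requires the authorization.
    if not bottom.dominates(enc["min_sl"]) and OUTSIDE_AUTH not in auths:
        raise PermissionError("minimum label is below the label_encodings minimum")
    return bottom, top

def can_work_at(label, bottom, top):
    # A label is in the account label range when it lies between bottom and top.
    return top.dominates(label) and label.dominates(bottom)
```

With two labels whose compartments differ, covering_clearance returns a clearance holding both compartments, which is why a clearance can dominate every working label without being a valid label itself.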