Certain combinations of label components may be disqualified by rules that the security administrator specifies in the label_encodings file. By defining combination rules, the security administrator implicitly defines all the organization's usable labels.
A valid or well-formed label is one that satisfies any combination rules that may have been defined by the security administrator. The combination rules are defined using one of the means listed below:
Initial compartments (compartment bits) can be assigned to a classification.
Initial compartment bits are always associated with the classification when it appears in a label. See "Adding or Renaming a Classification" for more about default words and inverse words that are assigned to initial compartment bits.
A minimum classification, output minimum classification, and maximum classification can be associated with any word.
Hierarchies among words can be defined by the bit patterns chosen for each word.
Required combinations of words can be specified.
Combination constraints can be specified for words.
A minimum clearance and a minimum sensitivity label must be specified.
These system-wide minimums establish the lowest clearance and the lowest label that any normal user can have.
Two accreditation ranges listed below are implicitly specified in the label_encodings file:
The term accreditation range is also sometimes used for the label ranges that are assigned to user and role accounts, printers, hosts, networks, and other objects. Because rules can constrain the set of valid labels, label ranges and accreditation ranges may not include all the potential combinations of label components in a range.
See the sections System Accreditation Range and User Accreditation Range for illustrations of how labels can be disallowed by some of the means in the preceding list. Chapter 2, Creating or Modifying the Encodings File, gives more details on how the rules are specified.
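The following added example (not part of the original documentation, and not label_encodings syntax) models three of the rule types above in Python to show how combination rules shrink the set of potential labels to the well-formed ones. The classification names, values, words, and the pairwise form of the combination constraint are all constructed assumptions; initial compartments, output minimums, and bit-pattern hierarchies are not modelled.

```python
from itertools import combinations

# Constructed sample rules (hypothetical names and values, not a real encodings file).
CLASSIFICATIONS = {"PUBLIC": 1, "INTERNAL": 4, "RESTRICTED": 6}
# word -> (minimum classification, maximum classification)
WORDS = {
    "ENG": ("INTERNAL", "RESTRICTED"),
    "FINANCE": ("INTERNAL", "RESTRICTED"),
    "EXEC": ("RESTRICTED", "RESTRICTED"),
}
REQUIRED = [("EXEC", "FINANCE")]   # EXEC may appear only together with FINANCE
EXCLUSIVE = [("ENG", "FINANCE")]   # simplified constraint: never in the same label

def check_label(classification, words):
    """Return (True, "ok") or (False, reason) for one candidate label."""
    words = set(words)
    if classification not in CLASSIFICATIONS:
        return False, f"unknown classification {classification}"
    unknown = words - set(WORDS)
    if unknown:
        return False, f"unknown word(s) {sorted(unknown)}"
    level = CLASSIFICATIONS[classification]
    for w in sorted(words):
        lo, hi = (CLASSIFICATIONS[c] for c in WORDS[w])
        if not lo <= level <= hi:
            return False, f"{w} not allowed with {classification}"
    for w, needs in REQUIRED:
        if w in words and needs not in words:
            return False, f"{w} requires {needs}"
    for a, b in EXCLUSIVE:
        if a in words and b in words:
            return False, f"{a} may not be combined with {b}"
    return True, "ok"

def usable_labels():
    """Enumerate every classification/word combination; keep the well-formed ones."""
    names = sorted(WORDS)
    return [(c, combo)
            for c in CLASSIFICATIONS
            for n in range(len(names) + 1)
            for combo in combinations(names, n)
            if check_label(c, combo)[0]]

if __name__ == "__main__":
    labels = usable_labels()
    total = len(CLASSIFICATIONS) * 2 ** len(WORDS)
    print(f"{len(labels)} of {total} potential labels are well-formed")
    for c, combo in labels:
        print(c, *combo)
```

With these sample rules only a third of the potential combinations survive, which is why a label range bounded by two valid labels can still contain combinations that are not usable.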