Rules for Protecting a File or Directory Labeled with the REGISTERED Sensitivity Label
The Security Administrator realizes that anyone with a clearance that includes the word REGISTERED can access any registered information anywhere in the company unless certain additional precautions are taken. Therefore, those who have REGISTERED in their clearance must be instructed to use UNIX permissions, so that only the creator can look at or modify the file. See the following example.
Example 5-1 Using DAC to Protect Registered Information
trusted% getplabel R trusted% mkdir registered.dir trusted% chmod 700 registered.dir trusted% cd registered.dir trusted% touch registered.file trusted% ls -l -rwxrwxrwx registered.file trusted% chmod 600 registered.file trusted% ls -l -rw------- registered.file |
As shown in the example, the user who creates a file or directory while working at an sensitivity label of REGISTERED needs to set the file's permissions to be read and write for the owner only and to set the directory's permissions to be readable, writable, and searchable only by the owner. This ensures that another user who can work at REGISTERED cannot read the file.
- © 2010, Oracle Corporation and/or its affiliates