Trusted Solaris Label Administration

Planning the Encodings File

The following practices help you organize a correct label_encodings(4) file that can be extended safely later.


Note -

For CLASSIFICATIONS and COMPARTMENTS, the security administrator role can later change the human-readable names but cannot change the values without potentially serious complications.


    Leave room to add items.

Plan ahead for extending the file later, which may save you from needing to create a whole new file if additions are needed. For example, you could number classifications in increments of 10 to allow intermediate classifications to be added if the need arises. For the same reason, consider spacing compartment bit numbers for possible later additions.

    If your site uses inverse compartments and markings, plan to reserve some initial compartment and marking bits for later definition.

If you need to learn more about inverse compartments and markings, see the DIA document, Compartmented Mode Workstation Labeling: Encodings Format. See also "Setting Default and Inverse Words".

    Determine classifications for the site.

As described under Table 1-2, the total number of classification values that you can use is 254. Do not use classification 0.

Whatever names you give the human-readable names associated with each classification, the system treats a classification whose value is 10 as more security sensitive than a classification whose value is 2.

Different names cannot be specified with the same classification value. Each classification must be higher or lower than one or more others, because all labels must dominate or be dominated by some other label. Assigning the same number to more than one name would create levels of security that are named differently but are treated as the same level by the system. No two labels can evaluate to the same level.

The following table can be used for planning classifications. An asterisk (*) is used where the item is optional.

Table 1-5 Classifications Planner

name=    sname=/*aname=    value=    *initial compartments= bit numbers/WORD

(blank rows for your entries)
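The rules stated above (values in the range 1 to 254, never 0, no two names sharing a value, and spacing values so that intermediate classifications can be added later) can be checked mechanically before the encodings file is written. The following Python script is an added example and is not part of the Trusted Solaris documentation or software; the classification names, short names and values in it are constructed for illustration, and the spacing check is advisory rather than a rule from the text.

```python
"""Classification planner check for a label_encodings(4) file.

Added example, not from the Sun documentation. It models the rules the text
states: classification values are 1..254, value 0 is not used, no two names
may share a value, and spacing values (for example in steps of 10) leaves
room for intermediate classifications later. Names and values below are
constructed samples.
"""

MAX_CLASSIFICATION = 254  # stated upper limit; 0 must not be used

# Constructed sample plan, one tuple per planner row: (name=, sname=, value=)
PLANNED_CLASSIFICATIONS = [
    ("UNCLASSIFIED", "U", 10),
    ("CONFIDENTIAL", "C", 20),
    ("SECRET", "S", 30),
    ("TOP SECRET", "TS", 40),
]


def check_classification_plan(plan, spacing=10):
    """Return a list of problems found in a planned classification table.

    Each entry of `plan` is (name, sname, value). An empty list means the
    plan satisfies the rules from the text. The spacing check only flags
    adjacent values closer than `spacing`, because such values leave no
    room to add an intermediate classification without renumbering (and
    values cannot safely be changed once in use).
    """
    problems = []
    seen_values = {}
    seen_long = set()
    seen_short = set()
    for name, sname, value in plan:
        if not isinstance(value, int) or value < 1 or value > MAX_CLASSIFICATION:
            problems.append(f"{name}: value {value} outside 1..{MAX_CLASSIFICATION}")
        if value in seen_values:
            problems.append(f"{name}: value {value} already used by {seen_values[value]}")
        else:
            seen_values[value] = name
        if name in seen_long:
            problems.append(f"long name {name!r} is not unique")
        seen_long.add(name)
        if sname in seen_short:
            problems.append(f"short name {sname!r} is not unique")
        seen_short.add(sname)
    # Advisory spacing check over the distinct values in sensitivity order.
    ordered = sorted(seen_values)
    for lo, hi in zip(ordered, ordered[1:]):
        if hi - lo < spacing:
            problems.append(f"values {lo} and {hi} leave no room for an intermediate classification")
    return problems


def sensitivity_order(plan):
    """Return long names from least to most sensitive.

    Only the value decides the ordering; the names are irrelevant to the
    system, exactly as the text says.
    """
    return [name for name, _, _ in sorted(plan, key=lambda entry: entry[2])]


if __name__ == "__main__":
    for problem in check_classification_plan(PLANNED_CLASSIFICATIONS):
        print("problem:", problem)
    print("sensitivity order:", " < ".join(sensitivity_order(PLANNED_CLASSIFICATIONS)))
```

Run it against your own planner rows before filling in the encodings file; a duplicate value or a value of 0 is reported as a problem, and a gap smaller than the chosen spacing is reported as advisory.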

    Decide on compartments.

Decide how data and programs are grouped and whether or not any data or programs can be intermixed. For example, perhaps weather data should not be seen by programs dealing with personnel files, but weather data should be accessible to programs that deal with targeting problems.

At this point, keep people out of the picture. Think in terms of what, not who.

    Design the names.

CLASSIFICATIONS and WORDS in the label_encodings(4) file have two forms: a mandatory long name and an optional short name. Short names can be entered interchangeably with long names when labels are being specified. Long names and short names display in the label dialog boxes.

    Arrange the relationships.

Compartments and markings are intrinsically non-hierarchical, even though they can be configured to have hierarchical relationships. They represent bits (or flags) attached to objects or subjects in the environment. The combination of those bits determines the accessibility of a subject or object. Before setting up relationships, read very carefully the example section of Compartmented Mode Workstation Labeling: Encodings Format several times, walking through the examples.

One way to make this step easier is to use a large board and pieces of paper marked with your classifications, compartments and markings, as shown in Figure 1-8. With this method, you can visualize the relationships and rearrange the pieces until they all fit together.
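The dominance rule that the planning board is meant to make visible, and the weather/personnel/targeting grouping from the "Decide on compartments" step, can also be worked through in code. The script below is an added example, not code from the Sun documentation or the Trusted Solaris system: it treats a classification value as hierarchical and each compartment as one bit, and says that one label dominates another only when its classification is at least as high and its compartment bits include every bit of the other. The compartment WORDs, bit numbers and classification values are constructed for illustration.

```python
"""Label dominance over classification values and compartment bits.

Added example, not from the Sun documentation. Classifications are
hierarchical integers; compartments are non-hierarchical flags. Label A
dominates label B when A's classification value is at least B's AND every
compartment bit set in B is also set in A. Two labels where neither
dominates the other are disjoint. All names and numbers are constructed.
"""

from dataclasses import dataclass

# Constructed compartment plan, WORD -> bit number, as a planner row of the
# form "initial compartments= bit numbers/WORD" would record it.
COMPARTMENT_BITS = {"WEATHER": 0, "PERSONNEL": 1, "TARGETING": 2}

# Constructed classifications; a higher value is more sensitive.
CLASS_VALUES = {"U": 10, "C": 20, "S": 30, "TS": 40}


def compartment_mask(words):
    """Fold a collection of compartment WORDs into the integer bit mask
    that is actually compared."""
    mask = 0
    for word in words:
        mask |= 1 << COMPARTMENT_BITS[word]
    return mask


@dataclass(frozen=True)
class Label:
    classification: str
    compartments: frozenset

    @property
    def class_value(self):
        return CLASS_VALUES[self.classification]

    @property
    def mask(self):
        return compartment_mask(self.compartments)


def make_label(classification, *words):
    """Build a Label from a classification short name and compartment WORDs."""
    return Label(classification, frozenset(words))


def dominates(a, b):
    """True if a dominates b: classification at least as high, and no bit of
    b's compartment mask is missing from a's (b.mask is a subset of a.mask)."""
    return a.class_value >= b.class_value and (b.mask & ~a.mask) == 0


def relationship(a, b):
    """Describe how two labels relate: equal, one dominates, or disjoint."""
    a_dom_b, b_dom_a = dominates(a, b), dominates(b, a)
    if a_dom_b and b_dom_a:
        return "equal"
    if a_dom_b:
        return "a dominates b"
    if b_dom_a:
        return "b dominates a"
    return "disjoint"


if __name__ == "__main__":
    weather_data = make_label("S", "WEATHER")
    targeting_process = make_label("S", "WEATHER", "TARGETING")
    personnel_process = make_label("TS", "PERSONNEL")
    # The targeting process may read the weather data; the personnel process,
    # although more highly classified, may not, because it lacks the WEATHER bit.
    print("targeting vs weather:", relationship(targeting_process, weather_data))
    print("personnel vs weather:", relationship(personnel_process, weather_data))
```

Note that a higher classification alone never grants access: in the run above the TOP SECRET personnel process is disjoint from the SECRET weather data because dominance also requires every compartment bit of the data to be present in the process label.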


Note -

When the chk_encodings(1M) command is used to check a label encodings file for errors, it checks syntax only. With the -a option, chk_encodings can also be used to analyze and report on the relationships between labels.


Figure 1-8 Example Planning Board for Label Relationships


    Decide which clearances will be available to which users.

    Use the following table, if desired, for planning clearances.

    Table 1-6 Clearance Planner

    CLASS    COMP    COMP    COMP    COMP    COMP    COMP    Notes

    (blank rows for your entries)

    Arrange the labels that will be formed from the classifications and compartments in order of increasing sensitivity.

    Associate the definitions for each word with an internal format of integers, bit patterns, and logical relationship statements.

    Decide what colors should be associated with labels.

The following table can be used to keep track of compartment bit assignments.

Table 1-7 Compartment Bit Tracking Table