This chapter describes creating and modifying a label_encodings file.
The label_encodings file contains a VERSION specification and seven mandatory sections: CLASSIFICATIONS, INFORMATION LABELS, SENSITIVITY LABELS, CLEARANCES, CHANNELS, PRINTER BANNERS, and ACCREDITATION RANGE. The sections must appear in the order given. An optional LOCAL DEFINITIONS section can follow.
In the following table, Mandatory keyword means only that the keyword must be present. Not all keywords must have definitions. The notes for each section indicate what must be defined and what is optional.
Table 3–1 Label Encodings Keywords
Section |
Notes |
---|---|
Mandatory keyword. The version specification is the single keyword VERSION=, followed by a character string that identifies this particular version of encodings. |
|
Mandatory keyword. At least one classification must be defined |
|
Mandatory keywords. Even though information labels are not used in Trusted Extensions software, you must assign one bit to an information label word for each bit that you assign to a sensitivity label word. The sensitivity label words are defined in the following section. |
|
WORDS: REQUIRED COMBINATIONS: COMBINATION CONSTRAINTS |
Mandatory keywords. WORDS definitions are optional. If you define sensitivity label words, the same bits must be assigned to WORDS in both the INFORMATION LABELS and CLEARANCES sections. The words that are assigned to the bits do not need to be the same. |
WORDS: REQUIRED COMBINATIONS: COMBINATION CONSTRAINTS |
Mandatory keywords. One bit must be assigned to a clearance word for any sensitivity label word that you have defined. Clearance labels can allow combinations of words that have been disallowed in the definitions for sensitivity label words. |
Mandatory keyword. |
|
Mandatory keyword. |
|
Mandatory keyword. A rule must be defined for each classification name. The minimum clearance, minimum sensitivity label, and minimum protect as classification must be defined. |
|
Optional keyword. |
For all the required sections, the keywords in the preceding table must be present, but not all of the sections must have definitions. For example, a label_encodings file with only CLASSIFICATIONS and ACCREDITATION RANGE definitions is valid.
The order in which words are configured for sensitivity labels and clearances is not enforced. However, the order is important when setting up relationships between words. By convention, the WORDS in the SENSITIVITY LABELS section are arranged in increasing order of importance.
For the effect of word order, see Specifying Channels of Chapter 4, Labeling Printer Output (Tasks). Detailed information is provided in Compartmented Mode Workstation Labeling: Encodings Format.
If a compartment word is defined for one type of label (by assigning the compartment word to one or more bits) in the label_encodings file, then the same bits must be assigned to a word in the definition of the other types of labels. While all types of labels use the same classification names, the words that are used for each type of label can be different. The words can be different even when they are encoded with the same bits and literally refer to the same thing. Clearance labels can allow combinations of words that have been disallowed in the definitions for sensitivity labels words.
The classification is the hierarchical portion of a label. Each label has one and only one classification. A site can define up to 255 classifications. An integer value from 1 to 255 can be assigned to a classification in the label_encodings file. The value 0 is reserved for the ADMIN_LOW administrative label. The value 32,767 is reserved for the ADMIN_HIGH administrative label. For an illustration, see Figure 1–2.
Classifications are defined once for clearances and for sensitivity labels in the CLASSIFICATIONS section of the label_encodings file.
A classification with a higher value dominates a classification with a lower value. The following table shows two sets of label names that are assigned the same values in different encodings files. The left column shows sample sensitivity labels from the label_encodings.example file. The middle column shows labels from the label_encodings.gfi.multi file. A label with the Registered or Top Secret classification, with a value of 6, dominates the labels that are listed in its column.
Commercial Example |
U.S. Government Example |
Value |
---|---|---|
Registered |
Top Secret |
6 |
Need to Know |
Secret |
5 |
Internal Use Only |
Confidential |
4 |
Public |
Unclassified |
1 |
The following list describes the keywords that can be defined for classifications. For examples of initial compartment definitions, see Default and Inverse Words.
Cannot contain (/) or (,) or (;). All other alphanumeric characters and white space are allowed. Users can enter either the name or the sname or the aname when specifying labels.
Required in classifications only. The short name appears in sensitivity labels in brackets.
Optional. Name that can be entered by users when a classification is needed.
The values that you assign should represent the actual hierarchy among the classifications. The values should leave room for later expansion. 0 is reserved for ADMIN_LOW. Values can start at 1 and go to 255.
Optional. Specify bit numbers for any default compartment words. Default compartment words are words that should initially appear in any label that has the associated classification.
Advanced: Specify bit numbers for any inverse words. The minimum classification should not have initial compartments.
Obsolete. Do not define.
The following example shows the top of the label_encodings.multi file.
VERSION= Trusted Solaris Multi-Label Sample Version - 5.6 05/07/27 * * WARNING: If CIPSO Tag Type 1 network labels are to be used: * * a) All CLASSIFICATIONS values must be less than or equal to 255. * b) All COMPARTMENTS bits must be less than or equal to 239. * CLASSIFICATIONS: * name= UNCLASSIFIED; sname= U; value= 1; name= CONFIDENTIAL; sname= C; value= 4; initial compartments= 4-5 190-239; name= SECRET; sname= S; value= 5; initial compartments= 4-5 190-239; name= TOP SECRET; sname= TS; value= 6; initial compartments= 4-5 190-239; |
Each classification has the mandatory name, sname, and value fields. The CONFIDENTIAL, SECRET, and TOP SECRET classifications have initial compartments. The lowest classification, UNCLASSIFIED, has no initial compartments.
The initial compartment bit assignments of 4-5 and 190-239 signify that bits 4, 5, and 190 through 239 are turned on. These bits are set to 1 in a label with this classification.
Some of the initial compartments are later used to define default and inverse words. Some initial compartments are reserved for possible later definitions of inverse words.
The following example shows a set of classifications that have no initial compartments.
CLASSIFICATIONS: name= PUBLIC; sname= PUBLIC; value= 1; name= INTERNAL_USE_ONLY; sname= INTERNAL; aname= INTERNAL; value= 4; name= NEED_TO_KNOW; sname= NEED_TO_KNOW; aname= NEED_TO_KNOW; value= 5; name= REGISTERED; sname= REGISTERED; aname= REGISTERED; value= 6; |
When a bit is defined as an initial compartment, the bit is set to 1 in every label that contains the classification. Any bit that is specified for an initial compartment can be defined later in the label_encodings file as a default word or an inverse word.
A default compartment word is a word that appears in any label that contains the classification.
An inverse compartment word is a word that appears in a label that has the associated classification when another word that you define with the inverse compartment's bit is not present.
In this example, the PUBLIC classification is assigned no initial compartments, while the WEB COMPANY classification is assigned initial compartments 4 and 5. A label that includes the PUBLIC classification has no default compartments. A label that includes the WEB COMPANY classification always has compartment bits 4 and 5 turned on.
name= PUBLIC; sname= P; value= 1; name= WEB COMPANY; sname= WEBCO; value= 4; initial compartments= 4-5 |
The following section shows how these initial compartment bits can be assigned to words.
In this example, compartment bits 4 and 5 are assigned to the word DIVISION ONLY. Each compartment bit is also associated with an inverse word. WEBC AMERICA is assigned to the inverse compartment bit ~4. WEBC WORLD is assigned to the inverse compartment bit ~5. These assignments have the following results:
A sensitivity label with the WEB COMPANY classification initially includes the word DIVISION ONLY. The label's binary representation has the compartment bits 4 and 5 turned on.
A sensitivity label with the PUBLIC classification always has compartment bits 4 and 5 turned off. The words WEBC AMERICA and WEBC WORLD are included in the label.
Because a minclass of IUO is specified for the inverse words, WEBC AMERICA and WEBC WORLD are not displayed in the PUBLIC sensitivity label. The presence of these two inverse words is understood.
SENSITIVITY LABELS: WORDS: name= DIVISION ONLY; sname= DO; minclass= WEB COMPANY; compartments= 4-5; name= WEBC AMERICA; sname= WEBCA; minclass= WEB COMPANY; compartments= ~4; name= WEBC WORLD; sname= WEBCW; minclass= WEB COMPANY; compartments= ~5; |
Compartments are optional words that can be defined to appear in labels. Compartments are called categories in some other trusted systems. Compartments are used to indicate the special handling procedures to be used for the information whose label contains the compartment and the general class of people who might have access to the information.
Compartment words are assigned to non-hierarchical bits. However, hierarchies can be established between compartment words. These hierarchies are based on rules for including bits from one compartment word in the bits that are defined for another compartment word.
Compartment words are optionally defined in the WORDS subsection for each label type. Each compartment word is assigned to one or more bits.
While all types of labels use the same classifications, the words that are used for each type of label can be different. The words can be different even when they are encoded with the same bits and literally refer to the same thing.
The following example shows the WEB COMPANY compartment word. The word is specified with a short name (sname) of WEBCO and compartment bits 40-50.
WORDS: name= WEB COMPANY; sname= WEBCO; compartments= 40-50; |
Along with its classification field, each label has a 256-bit compartment field, of which 239 are available for CIPSO labels. Each bit is assignable in zero or more compartment words. Each word can have one or more compartment bits assigned. Out of the 239 available bits, many compartment words can be created. For an example, see the compartments planner in Table 6–3.
The classification, compartments, and combination requirements affect the accreditation range. The ACCREDITATION RANGE for each classification setting should be one of the following strings:
only valid compartment combinations;
all compartment combinations valid;
all compartment combinations valid except;
Hierarchical compartments can be used to differentiate between documents that are available to everyone in a larger group, and documents that are available to subgroups only.
By defining a word that uses one bit and a second word that uses that same bit along with a second bit, you define a hierarchical relationship between the two words. The compartment word that is more general must be defined below the word that is more specific. For example, by defining a word that uses bit number 1 and another word that uses bits number 1 and 2, you give the two words a hierarchical relationship.
In this example, a Sales compartment is defined with two subcompartments, Direct Sales, and Indirect Sales. A single classification that is named WebCo is previously defined.
name= Direct_Sales; compartments= 1, 2 name= Indirect_Sales; compartments= 1, 3 name= Sales; compartments= 1 |
This definition allows the WebCo company to differentiate between documents that can be accessed by anyone in the entire sales force, documents that can be accessed only by members of the indirect sales force, and documents that can be accessed only by members of the direct sales force.
The security administrator gives the WebCo Direct_Sales clearance to employees in the direct sales organization. The WebCo Indirect_Sales clearance is given to employees in the indirect sales organization.
Documents created by anyone working at the WebCo Direct_Sales label get the same label, so the documents are only accessible to employees in the direct sales department.
Anyone in the indirect or direct sales forces can work at the WebCo Sales label because the compartment word Sales is below both the Direct_Sales and Indirect_Sales words. Creating documents at the WebCo Sales label makes the documents available to everyone in the Sales department.
If two words are specified together in the REQUIRED COMBINATIONS section, the second label is added to the label whenever the first word is used.
In this example, the definition of the Direct Sales, Indirect_Sales, and Sales serves essentially the same effect as the example in Example 3–6. The difference is that the Direct_Sales word will always have the Sales word with it
name= Direct_Sales; compartments= 2 name= Indirect_Sales; compartments= 3 name= Sales; compartments= 1 REQUIRED COMBINATIONS: Direct_Sales Sales Indirect_Sales Sales |
The safest time to modify a label_encodings file is when the first host is installed. Proceed with caution when modifying a file that is in use. For details, see the label_encodings(4) man page.
The following task map describes the tasks for modifying and installing a label_encodings file.
Task |
For Instructions |
---|---|
Create or change the label_encodings file | |
Test the label_encodings file | |
Distribute the label_encodings file | |
Debug a label_encodings file | |
Change a classification definition | |
Create default or inverse words | |
Customize a single-label file | |
Specify a label name | |
Add a LOCAL DEFINITIONS section | |
Prevent all users of a particular system from seeing labels |
How to Modify policy.conf Defaults in Oracle Solaris Trusted Extensions Administrator’s Procedures |
For sample files, see the /etc/security/tsol directory on an installed system. The files are described in Labels Files in Solaris Trusted Extensions Packages.
You can create this file before you install Trusted Extensions on your first system. On that first system, you check the file. You can also create this file on the first system that you install with Trusted Extensions. This procedure must be completed before a second computer is configured with Trusted Extensions.
On a system that is configured with Trusted Extensions, you must be in the global zone in the Security Administrator role. On other systems, you can create and edit the file in any editor.
Create a backup copy of the original file.
Open a new or existing version of the file.
On a system that is not configured with Trusted Extensions, use any editor to create the file.
On a system that is configured with Trusted Extensions, use the Edit Encodings action to create the file.
In CDE, the Trusted_Extensions folder in the Application Manager contains two actions for the encodings file.
Edits and checks the syntax of the specified label_encodings file.
Checks the syntax of a specified label_encodings file.
Modify the file.
For details, see How to Plan the Encodings File.
Continue with How to Analyze and Verify the label_encodings File.
You must be in the global zone in the Security Administrator role.
Check the syntax and relationships of the labels.
In a terminal, use the chk_encodings -a command to analyze and report on label relationships.
$ chk_encodings -a encodings-file |
Verify the file.
The Check Encodings action runs the chk_encodings command on the specified file.
If the file passes, install it.
Do you want to install this label_encodings file? yes |
If the file does not pass, see How to Debug a label_encodings File for assistance.
Test the encodings file.
Where possible, test the file on a few systems before approving the file for all systems at your site.
Create a master copy.
For copying instructions, see How to Copy Files to Portable Media in Trusted Extensions in Oracle Solaris Trusted Extensions Configuration Guide.
Save a labeled copy of the file in a protected location.
Create a master copy.
For copying instructions, see How to Copy Files to Portable Media in Trusted Extensions in Oracle Solaris Trusted Extensions Configuration Guide.
Immediately after installing a system with Trusted Extensions, copy the master file onto the system.
For copying instructions, see How to Copy Files From Portable Media in Trusted Extensions in Oracle Solaris Trusted Extensions Configuration Guide.
You must be in the Security Administrator role in the global zone.
Edit the label_encodings file.
Use the Edit Encodings action. For details, see How to Create a label_encodings File.
Specify a version number.
In the VERSION= section put your site's name, a title for the file, a version number and the date.
VERSION= Sun Microsystems, Inc. Example Version - 5.10 04/05/28 |
Trusted Extensions uses SCCS keywords for the version number and the date. For details, see the sccs(1) man page.
VERSION= Sun Microsystems, Inc. Example Version - %I% %E% |
Specify the classification.
In the CLASSIFICATIONS section, supply the long name, short name, and numeric value for the new classification.
name= NEW_CLASS; sname= N; value= 2; |
Include the new classification in the accreditation range.
Add the new classification to the ACCREDITATION RANGE section.
The following example shows three new classifications added to the ACCREDITATION RANGE section. Each classification is specified with all compartment combinations valid.
ACCREDITATION RANGE: classification= UNCLASSIFIED; all compartment combinations valid; * i is new in this file classification= INTERNAL_USE_ONLY; all compartment combinations valid; * n is new in this file classification= NEED_TO_KNOW; all compartment combinations valid; classification= CONFIDENTIAL; all compartment combinations valid except: c c a c b classification= SECRET; only valid compartment combinations: . . . * r is new in this file classification= REGISTERED; all compartment combinations valid; |
Adjust the ACCREDITATION RANGE section if necessary.
You might need to make the new classification a minimum classification.
minimum clearance= u; minimum sensitivity label= u; minimum protect as classification= u; |
Make sure that you set a minimum clearance that is dominated by all the clearances that you plan to assign to users. Similarly, make sure that the minimum sensitivity label is dominated by all the minimum labels that you plan to assign to users.
Save your changes.
You must be in the Security Administrator role in the global zone.
Edit the label_encodings file.
Use the Edit Encodings action. For details, see How to Create a label_encodings File.
Specify initial compartments.
In the CLASSIFICATIONS section, specify compartments as part of the classification definition.
CLASSIFICATIONS: name= PUBLIC; sname= P; value= 1; name= WEB COMPANY; sname= WEBCO; value= 2; initial compartments= 4-5 ; |
Specify a default word.
Assign an initial compartment bit to the word.
name= DIVISION ONLY; sname= DO; minclass= IUO; compartments= 4-5; name= WEBC AMERICA; sname= WEBCA; minclass= IUO; compartments= 4; name= WEBC WORLD; sname= WEBCW; minclass= IUO; compartments= 5; |
Specify an inverse word.
Inverse words are created by preceding an initial compartment with a tilde (~).
name= DIVISION ONLY; sname= DO; minclass= IUO; compartments= 4-5; name= WEBC AMERICA; sname= WEBCA; minclass= IUO; compartments= ~4; name= WEBC WORLD; sname= WEBCW; minclass= IUO; compartments= ~5; |
Save your changes.
For any compartment bits that are not reserved for later assignment, you need to assign a word to the bit in the following sections:
SENSITIVITY LABELS: WORDS:
INFORMATION LABELS: WORDS:
COMPARTMENTS: WORDS:
Certain labels must always be present in a label_encodings file:
One sensitivity label in the user accreditation range must be defined
One clearance in the user accreditation range must be defined
One information label in the user accreditation range must be defined
You must be in the Security Administrator role in the global zone.
Edit an encodings file.
Use the Edit Encodings action. For details, see How to Create a label_encodings File. Provide a name that is different from the installed label_encodings file.
Create an encodings file with only one classification and only the desired compartments.
For example, you could set up an encodings file with the INTERNAL_USE_ONLY classification, and specify no words.
VERSION= Single-Label Encodings . . . CLASSIFICATIONS: name= INTERNAL_USE_ONLY; sname= INTERNAL; value= 5; INFORMATION LABELS: WORDS: SENSITIVITY LABELS: WORDS: CLEARANCES: WORDS: CHANNELS: WORDS: PRINTER BANNERS: WORDS: |
In the ACCREDITATION RANGE section, include only one classification and one valid compartment combination.
The following example encodes the INTERNAL classification.
ACCREDITATION RANGE: classification= INTERNAL; only valid compartment combinations: INTERNAL minimum clearance= INTERNAL; minimum sensitivity label= INTERNAL; minimum protect as classification= INTERNAL; |
Encode the LOCAL DEFINITIONS section.
For details, see Chapter 5, Customizing LOCAL DEFINITIONS.
Ensure that the file is syntactically correct.
If the file does not pass chk_encodings, see How to Debug a label_encodings File
Otherwise, continue with How to Analyze and Verify the label_encodings File.
The following example shows the settings in the ACCREDITATION RANGE: section. A single ANY_CLASS classification is defined. Compartments words A, B, and REL CNTRY 1 are specified for all types of labels.
ACCREDITATION RANGE: classification= ANY_CLASS; only valid compartment combinations: ANY_CLASS A B REL CNTRY1 minimum clearance= ANY_CLASS A B REL CNTRY1; minimum sensitivity label= ANY_CLASS A B REL CNTRY1; minimum protect as classification= ANY_CLASS; |
In this example, the label_encodings.example file is changed to handle a single-label company. The name= value is changed from SECRET to INTERNAL_USE_ONLY. The sname= value is changed from s to INTERNAL. Neither the value= nor the initial compartments= definition is changed.
CLASSIFICATIONS: name= INTERNAL_USE_ONLY; sname= INTERNAL; value= 5; initial compartments= 4-5 190-239; |
In the ACCREDITATION RANGE section, the short name of the classification is replaced. Also, the minimums are replaced with the new sname.
ACCREDITATION RANGE: classification= INTERNAL; only valid compartment combinations: INTERNAL minimum clearance= INTERNAL; minimum sensitivity label= INTERNAL; minimum protect as classification= INTERNAL; |
You must be in the Security Administrator role in the global zone. You must have an encodings file that does not have a LOCAL DEFINITIONS section.
Add the LOCAL DEFINITIONS section to your file.
Append the section from a Trusted Extensions-supplied label_encodings file. Trusted Extensions-supplied files are in the /etc/security/tsol directory.
Customize the extensions for your site.
For details, see Modifying Sun Extensions (Task Map).
You must be in the Security Administrator role in the global zone.
Edit the label_encodings file.
Use the Edit Encodings action. For details, see How to Create a label_encodings File.
Check the entries in the INFORMATION LABELS: WORDS: section.
The entries must exactly match the entries in the SENSITIVITY LABELS: WORDS: section.
Encode the sensitivity label words, then copy the words to the INFORMATION LABELS section.
Check that no label in the user accreditation range has a value of 0 with no compartment bits.
This step ensures that no label is indistinguishable from the label ADMIN_HIGH.
Check that no label in the user accreditation range has a value of 255 with all compartment bits from 0 to 239.
This step ensures that no label is indistinguishable from the label ADMIN_HIGH.
Check that no compartment has a value higher than 239.
This step ensures that all labels can be mapped to CIPSO labels.
For labels that cannot be resolved, do the following: