How to Debug a label_encodings File

Before You Begin

You must be in the Security Administrator role in the global zone.

1. Edit the label_encodings file.

   Use the Edit Encodings action. For details, see How to Create a label_encodings File.

2. Check the entries in the INFORMATION LABELS: WORDS: section.

   The entries must exactly match the entries in the SENSITIVITY LABELS: WORDS: section.

   ---

   Tip –

   Encode the sensitivity label words, then copy the words to the INFORMATION LABELS section.

   ---

3. Check that no label in the user accreditation range has a value of 0 with no compartment bits.

   This step ensures that no label is indistinguishable from the label ADMIN_HIGH.

4. Check that no label in the user accreditation range has a value of 255 with all compartment bits from 0 to 239.

   This step ensures that no label is indistinguishable from the label ADMIN_HIGH.

5. Check that no compartment has a value higher than 239.

   This step ensures that all labels can be mapped to CIPSO labels.

6. For labels that cannot be resolved, do the following:

   1. Reset any objects with the new labels to a low system label, ADMIN_LOW.

   2. Restore a known, usable label_encodings file from the backup.

   3. Use the chk_encodings -a command to analyze the label problems in the faulty file.