Certain combinations of label components can be disqualified by rules in the label_encodings file. Combination rules implicitly define the organization's usable labels. The security administrator is responsible for specifying combination rules.
A valid or well-formed label is a label that satisfies a combination rule. The security administrator defines combination rules by using one of the following means:
Initial compartments (compartment bits) can be assigned to a classification.
Initial compartment bits are always associated with the classification in a label. For more details, see Classification Name Syntax.
A minimum classification, an output minimum classification, and a maximum classification can be associated with any word.
Hierarchies among words can be defined by the bit patterns that are chosen for each word.
Required combinations of words can be specified.
Combination constraints can be specified for words.
A minimum clearance and a minimum sensitivity label must be specified.
These system-wide minimums establish the lowest clearance and the lowest label that any ordinary user can have.
Two accreditation ranges are implicitly specified in the label_encodings file:
The term accreditation range is also used for the label ranges that are assigned to user and role accounts, printers, hosts, networks, and other objects. Because rules can constrain the set of valid labels, label ranges and accreditation ranges might not include all the potential combinations of label components in a range.