Account Label Range Examples
The possible clearances and minimum labels that can be assigned to an account are shown in the following figure. These labels are based on the accreditation examples from the previous sections.
Figure 1–6 Constraints on Account Label Ranges
In this example, TS A B is the highest label in the user accreditation range. This label contains the only two compartments, A and B, that are permitted to appear together in a label with any classification. The account range that is illustrated on the left is bounded at the top by TS A B. TS A B is the clearance assigned to the account. C is the account's minimum label. These definitions constrain the account to work at labels TS A B, TS A, TS, S A B, C A B, or C. The permitted clearances are TS A B, TS A, TS and S A B. A minimum clearance of S A B is set in the label_encodings file.
Even if TS A B was not a valid label, the security administrator could assign the label as a clearance. The assignment would allow the account to use any valid labels that are dominated by TS and that contain the words A and B. In contrast, if TS was assigned as the account clearance, the user could work at the labels TS and C only. TS without any compartments does not dominate S A B or C A B.
Table 1–1 Accreditation Range and Account Label Range Examples|
|
Accreditation Range |
Account Label Range |
|||
|---|---|---|---|---|---|
|
Possible Labels |
System |
User |
TS A B Clearance, S A B Min Label |
TS Clearance, C Min Label |
ADMIN_LOW Clearance and Min Label, solaris.label.range Authorization |
|
ADMIN_HIGH |
ADMIN_HIGH |
|
|
|
|
|
TS A B |
TS A B |
|
TS A B |
|
|
|
TS A |
TS A |
TS A |
TS A |
|
|
|
TS |
TS |
TS |
TS |
TS |
|
|
S A B |
S A B |
S A B |
S A B |
|
|
|
S A |
|
|
|
|
|
|
S |
|
|
|
S |
|
|
C A B |
C A B |
|
|
|
|
|
C A |
C A |
|
|
|
|
|
C |
C |
C |
|
C |
|
|
ADMIN_LOW |
ADMIN_LOW |
|
|
|
ADMIN_LOW |
Table 1–1 illustrates the differences between the potential label combinations, the system accreditation range, the user accreditation range, and some sample account label ranges.
-
Ordinary users without any authorizations can work only with the labels in the User Accreditation Range column.
-
The fourth column shows the Account Label Range for a user with a clearance of TS A B and a minimum label of S A B. This range allows the user to work with the labels TS A B, TS A, TS, and S A B.
-
The fifth column of Table 1–1 shows an account with a clearance of TS and a minimum label of C. This account would be allowed to work only with TS, S, and C labels, because all the other valid labels that are dominated by TS include the words A and B. A and B are not in the clearance.
-
A sixth column shows a user who is authorized to work outside the user accreditation range. This user is assigned a single label of ADMIN_LOW.
- © 2010, Oracle Corporation and/or its affiliates