Trusted Extensions installs sample files in the /etc/security/tsol directory. These samples can be modified to your site requirements.
Is installed by Solaris Trusted Extensions software.
Is similar to the example in Appendix A, Sample Label Encodings File.
The introduction to the appendix describes the label components in the file. Chapter 6, Example: Planning an Organization's Labels describes each step in creating this file.
Is the U.S. Government single-level file.
Is Sun's version of the U.S. Government single-level file. The color assignments are different.
Is the U.S. Government multilevel file.
Is Sun's version of the U.S. Government multilevel file. The combinations are less restricted, the minimum clearance is higher, the default user label is lower, and the colors are different.
Alternatively, you can build a label_encodings file from scratch. The syntax and structure of the label_encodings file are described in Encodings File Syntax.
By default, the label_encodings.simple file is installed as /etc/security/tsol/label_encodings:
    ACCREDITATION RANGE:

    classification= public; only valid compartment combinations:

    public

    minimum clearance= needtoknow;
    minimum sensitivity label= public;
    minimum protect as classification= public;
The ACCREDITATION RANGE definition restricts the user to the following label:
PUBLIC is defined as the only classification
PUBLIC is defined as the only valid compartment combination
NEEDTOKNOW is defined as the minimum clearance
PUBLIC is defined as the minimum sensitivity label
PUBLIC is defined as the minimum protect as classification
The Classifications section is illustrated in the following figure.
The compartments in the file are illustrated in the following figure.
There are two government-furnished files, label_encodings.single and label_encodings.multi. The label_encodings.single file is single-level, and the label_encodings.multi file is a multilevel version of the single-level file. The files also differ in the settings in the ACCREDITATION RANGE section. The ACCREDITATION RANGE section describes which classifications and compartments are available to ordinary users.
The ACCREDITATION RANGE settings in the label_encodings.multi file are shown in the following excerpt:
    ACCREDITATION RANGE:

    classification= u; all compartment combinations valid;
    classification= c; all compartment combinations valid;
    classification= s; all compartment combinations valid;
    classification= ts; all compartment combinations valid;

    minimum clearance= c;
    minimum sensitivity label= u;
    minimum protect as classification= u;
The ACCREDITATION RANGE definitions enable the site to use all the classifications and compartment words that are defined in the label_encodings.multi file:
UNCLASSIFIED, CLASSIFIED, SECRET, and TOP SECRET are defined with all compartment combinations valid
CLASSIFIED is defined as the minimum clearance
UNCLASSIFIED is defined as the minimum sensitivity label
UNCLASSIFIED is defined as the minimum protect as classification
The ACCREDITATION RANGE settings in the label_encodings.single file are shown in the following excerpt:
    ACCREDITATION RANGE:

    classification= s; only valid compartment combinations:

    s a b rel cntry1

    minimum clearance= s Able Baker NATIONALITY: CNTRY1;
    minimum sensitivity label= s A B REL CNTRY1;
    minimum protect as classification= s;
The ACCREDITATION RANGE definition restricts the user to the following label:
SECRET is defined as the only classification
SECRET A B REL CNTRY1 is defined as the only valid compartment combination
SECRET ABLE BAKER NATIONALITY: CNTRY1 is defined as the minimum clearance
SECRET A B REL CNTRY1 is defined as the minimum sensitivity label
SECRET is defined as the minimum protect as classification
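The ACCREDITATION RANGE excerpts above can be checked mechanically before a file is put into service. The following Python is an added example, not part of the Trusted Extensions software or its documentation: it parses only the two classification forms and the three minimum settings shown on this page, and the names parse_accreditation_range and is_single_label are hypothetical.

```python
import re

# Sample input: the label_encodings.single excerpt from this page (blank lines dropped).
SINGLE = """ACCREDITATION RANGE:
classification= s; only valid compartment combinations:
s a b rel cntry1
minimum clearance= s Able Baker NATIONALITY: CNTRY1;
minimum sensitivity label= s A B REL CNTRY1;
minimum protect as classification= s;
"""
MINIMUMS = ("minimum clearance", "minimum sensitivity label",
            "minimum protect as classification")


def parse_accreditation_range(text):
    """Parse the two classification forms shown on this page plus the minimums."""
    classes, minimums, current, seen = {}, {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.upper().startswith("ACCREDITATION RANGE:"):
            seen = True
        elif not seen or not line:
            continue
        elif m := re.match(r"classification=\s*(\S+);\s*(.+?)[;:]$", line, re.I):
            name, rule = m.group(1), m.group(2).lower()
            if rule not in ("all compartment combinations valid",
                            "only valid compartment combinations"):
                raise ValueError(f"unsupported rule: {line!r}")
            # "all" means unrestricted; a list holds the explicit combinations.
            classes[name] = "all" if rule.startswith("all") else []
            current = name if rule.startswith("only") else None
        elif line.partition("=")[0].strip().lower() in MINIMUMS:
            key, _, value = line.partition("=")
            minimums[key.strip().lower()] = value.strip().rstrip(";")
            current = None
            if len(minimums) == len(MINIMUMS):
                break  # last setting of the section; ignore what follows
        elif current is not None:
            classes[current].append(line)  # one valid combination per line
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return {"classifications": classes, "minimums": minimums}


def is_single_label(parsed):
    """True when users are confined to exactly one label, as in the .single file."""
    combos = list(parsed["classifications"].values())
    return len(combos) == 1 and combos[0] != "all" and len(combos[0]) == 1
```

Lines before the ACCREDITATION RANGE header are skipped and parsing stops after the third minimum setting, so the text of a whole label_encodings file can be passed in. Any other form inside the section raises ValueError instead of being silently accepted.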