JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Compartmented Mode Workstation Labeling: Encodings Format     Oracle Solaris 11 Information Library
search filter icon
search icon

Document Information

Preface

1.  Introduction

2.  Structure and Syntax of Encodings File

3.  Classification Encodings

4.  Information Label Encodings

5.  Sensitivity Label, Clearance, Channels, and Printer Banner Encodings

6.  Accreditation Range and Name Information Label Encodings

7.  General Considerations for Specifying Encodings

The Minimum Information Label

The Maximum Sensitivity Label

Consistency of Word Specification among Different Types of Labels

Mandatory Access Control Considerations When Encoding Words

Encoding MAC Words

Encoding MAC-Related Words

Encoding Non-MAC-Related Words

Using Initial Compartments and Markings to Specify Inverse Compartment and Marking Bits

Using Prefixes to Specify Special Inverse Compartment and Marking Bits

Choosing Names

Specifying Aliases

Avoiding "Loops" In Required Combinations

Visibility Restrictions for Required Combinations

Relationships between Required Combinations and Combination Constraints

Restrictions on Specifying Information Label Combination Constraints

Modifying Encodings Already Used by the System

Consistency of Default Word Specification

8.  Enforcing Proper Label Adjudications

A.  Encodings Specifications Error Messages

B.  Annotated Sample Encodings

C.  CMW Labeling Software C1.0 Release Notes, 6/8/93

Glossary

Index

Mandatory Access Control Considerations When Encoding Words

Before encoding each word, the meaning of the word with respect to national policy must be determined. If national policy dictates that mandatory access control (MAC) must be performed based on the word (which is the case for compartments, subcompartments, SAPs, and SAPIs), or if a policy decision is made to treat a word as a compartment (for example, release markings on which it has been decided to perform MAC, such as REL CNTRY1 and REL CNTRY2 in Appendix B, Annotated Sample Encodings) then the word should be associated with compartment bits in the clearances and sensitivity labels sections of the encodings file, and possibly in the information label section as well. Such a word is called a MAC word. Instead, if the word does not directly enter into MAC decisions, but implies some other word that does, the word would appear only in information labels, be associated with both compartments and markings, and is called a MAC-related word. Finally, if the word has absolutely nothing to do with MAC, the word would appear only in information labels, be associated with only markings, and be called a non-MAC word.

Encoding MAC Words

As mentioned above, words on which mandatory access control must be performed must be associated with compartment bits, and must appear in the CLEARANCES: and SENSITIVITY LABELS: sections, and possibly in the CHANNELS:, PRINTER BANNERS:, and INFORMATION LABELS: sections. The word would appear in the CHANNELS: section if the word represents a handling channel. The word would appear in the PRINTER BANNERS: section if the word requires any special printer banner marking other than a handling channel caveat. The word would appear in the INFORMATION LABELS: section if it is desired that the word appear in information labels. It is conceivable that a mandatory access control word not appear in information labels, but that a codeword that implies the word could appear instead.

When encoded in the clearances:, sensitivity labels:, channels: and PRINTER BANNERS: sections, a mandatory access control word would be associated with only compartment bits. When encoded in the INFORMATION LABELS: section, the word could have associated both compartment and marking bits.

Consider the word A in Appendix B, Annotated Sample Encodings. This word, which appears with the name A in the clearances: and sensitivity labels: sections and the name (CH A) in the channels: section, is associated with compartment bit 0 being 1. Note that the word A in the information labels: section is also associated with compartment bit 0 being 1, but additionally has a marking bit associated, for a reason discussed below.

Some words that represent compartments, and would typically be expected to have only compartment bits associated, nonetheless require association with marking bits in information labels to establish a hierarchy with other information label words. In the INFORMATION LABELS: section, A has marking bit 7 associated. The purpose of marking bit 7 in the specification of A is to establish a hierarchy with A above WNINTEL (which is associated only with marking bit 7). The reason for this hierarchy is that the word WNINTEL was deemed unnecessary along with any word that directly represents or implies a compartment. The hierarchy prevents WNINTEL from appearing in a label with any such word.

Encoding MAC-Related Words

Words that are not directly used for MAC, yet imply the presence of a compartment or other MAC word, are encoded in the information labels: section using both compartment and marking bits. This situation typically occurs when there are multiple words, sometimes called codewords, associated with a compartment. In such a case, users are cleared for the compartment as a whole, not for the individual codewords. However, the presence of the codeword in an information label implies that the data is in the compartment. In such a case, the codeword must have a compartment bit associated to identify the compartment, but must additionally have one or more marking bits associated to distinguish the word as a codeword (as opposed to a MAC word) and to differentiate among the multiple codewords. An example of this case appears in Appendix B, Annotated Sample Encodings with the words alpha1, alpha2, and alpha3. All three words are associated with compartment bit 0 (and hence the compartment A), but additionally have marking bits associated. This particular pattern of marking bits determines which of the three codewords are present.

It is also possible to encode MAC-related words in the PRINTER BANNERS: section if desired. There is no such example in Appendix B, Annotated Sample Encodings.

Encoding Non-MAC-Related Words

Words having nothing to do with MAC, either directly as compartments or indirectly as codewords, are encoded in the information labels: section using only marking bits. In Appendix B, Annotated Sample Encodings, the word WNINTEL is such a word.

It is also possible to encode non-MAC-related words in the PRINTER BANNERS: section if desired. There is no such example in Appendix B, Annotated Sample Encodings.