Rules When Changing the Level of Security for Data

By default, regular users can perform cut-and-paste, copy-and-paste, and drag-and-drop operations on both files and selections. The source and target must be at the same label.

To change the label of files, or the label of information within files requires authorization. When users are authorized to change the security level of data, the Selection Manager application mediates the transfer.

The /usr/share/gnome/sel_config file controls file relabeling actions, and the cutting and copying of information to a different label. For more information, see sel_config File and the sel_config(4) man page.
The /usr/bin/tsoljdsselmgr application controls drag-and-drop operations between windows. As the following tables illustrate, the relabeling of a selection is more restrictive than the relabeling of a file.

The following table summarizes the rules for file relabeling. The rules cover cut-and-paste, copy-and-paste, and drag-and-drop operations.

Table 8-1 Conditions for Moving Files to a New Label

Transaction Description	Label Relationship	Owner Relationship	Required Authorization
Copy and paste, cut and paste, or drag and drop of files between File Browsers	Same label	Same UID	None
	Downgrade information	Same UID	`solaris.label.file.downgrade`
	Upgrade information	Same UID	`solaris.label.file.upgrade`
	Downgrade information	Different UIDs	`solaris.label.file.downgrade`
	Upgrade information	Different UIDs	`solaris.label.file.upgrade`

Different rules apply to selections within a window or file. Drag-and-drop of selections always requires equality of labels and ownership. Drag-and-drop between windows is mediated by the Selection Manager application, not by the sel_config file.

The rules for changing the label of selections are summarized in the following table.

Table 8-2 Conditions for Moving Selections to a New Label

Transaction Description	Label Relationship	Owner Relationship	Required Authorization
Copy and paste, or cut and paste of selections between windows	Same label	Same UID	None
	Downgrade information	Same UID	`solaris.label.win.downgrade`
	Upgrade information	Same UID	`solaris.label.win.upgrade`
	Downgrade information	Different UIDs	`solaris.label.win.downgrade`
	Upgrade information	Different UIDs	`solaris.label.win.upgrade`
Drag and drop of selections between windows	Same label	Same UID	None applicable

Trusted Extensions provides a Selection Manager to mediate label changes. This dialog box appears when an authorized user attempts to change the label of a file or selection. The user has 120 seconds to confirm the operation. To change the security level of data without this window requires the solaris.label.win.noview authorization, in addition to the relabeling authorizations. The following illustration shows a two-line selection in the window.

image:Graphic shows a two-line selection in the Selection Manager for Trusted Extensions.

By default, the Selection Manager displays whenever data is being transferred to a different label. If a selection requires several transfer decisions, the automatic reply mechanism provides a way to reply once to the several transfers. For more information, see the sel_config(4) man page and the following section.

`sel_config` File

The /usr/share/gnome/sel_config file is checked to determine the behavior of the Selection Manager when an operation would upgrade or downgrade a label.

The sel_config file defines the following:

A list of selection types to which automatic replies are given
Whether certain types of operations can be automatically confirmed
Whether a Selection Manager dialog box is displayed

Skip Navigation Links
Exit Print View
	Trusted Extensions Configuration and Administration Oracle Solaris 11.1 Information Library

Rules When Changing the Level of Security for Data

sel_config File

`sel_config` File