JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Compartmented Mode Workstation Labeling: Encodings Format     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

1.  Introduction

2.  Structure and Syntax of Encodings File

3.  Classification Encodings

4.  Information Label Encodings

5.  Sensitivity Label, Clearance, Channels, and Printer Banner Encodings

6.  Accreditation Range and Name Information Label Encodings

7.  General Considerations for Specifying Encodings

The Minimum Information Label

The Maximum Sensitivity Label

Consistency of Word Specification among Different Types of Labels

Mandatory Access Control Considerations When Encoding Words

Encoding MAC Words

Encoding MAC-Related Words

Encoding Non-MAC-Related Words

Using Initial Compartments and Markings to Specify Inverse Compartment and Marking Bits

Using Prefixes to Specify Special Inverse Compartment and Marking Bits

Choosing Names

Specifying Aliases

Avoiding "Loops" In Required Combinations

Visibility Restrictions for Required Combinations

Relationships between Required Combinations and Combination Constraints

Restrictions on Specifying Information Label Combination Constraints

Modifying Encodings Already Used by the System

Consistency of Default Word Specification

8.  Enforcing Proper Label Adjudications

A.  Encodings Specifications Error Messages

B.  Annotated Sample Encodings

C.  CMW Labeling Software C1.0 Release Notes, 6/8/93

Glossary

Index

Consistency of Word Specification among Different Types of Labels

Many words must be specified as being components of all three types of labels: information labels, sensitivity labels, and clearances. In fact, in most cases, words that appear in sensitivity labels also appear in clearances and information labels.

(Sometimes the word may have a different name or prefix in a clearance, but has the same meaning as the sensitivity label word because it is associated with the same compartment bits. See Chapter 5, Sensitivity Label, Clearance, Channels, and Printer Banner Encodings for a discussion of why a clearance word might have a different prefix than an otherwise equivalent sensitivity label word. Also, sometimes the word may have a different name in an information label, but has the same meaning as the sensitivity label word because it is associated with the same compartment bits. In other cases, the word may not appear in an information label, but one or more other words that specify the same compartment bit pattern do appear.)

When the same word appears in multiple types of labels, extreme care must be taken to ensure that the words are specified as consistently as possible in each label. In particular, the words should have the same minclass, maxclass, and the same required combinations and combination constraints with respect to combinations with words that also appear in multiple labels. Any inconsistencies may have undesired results.

For example, consider a system that facilitates downgrading the sensitivity label of an object by setting it equal to the classification and compartments of the object's information label. Consider also the encodings in Example 7-1. With these encodings, CONFIDENTIAL A would be a valid information label, and SECRET A B would be a valid sensitivity label, both for the same object. However, if the system's “downgrade sensitivity label to information label classification and compartments” function is performed, the sensitivity label would become CONFIDENTIAL A. Such a sensitivity label is invalid for two reasons: 1) the word A in a sensitivity label has a minimum classification of SECRET, and 2) the word A requires the word B in a sensitivity label. Consistently encoding the word A for both information and sensitivity labels would have avoided this problem.

Example 7-1 Inconsistent encodings example

CLASSIFICATIONS: 
        NAME= CONFIDENTIAL;   SNAME= C; VALUE= 4;
        NAME= SECRET; SNAME= C; VALUE= 5; 

INFORMATION LABELS:
        WORDS:
            NAME= A;   COMPARTMENTS= 2;  MINCLASS= C;
            NAME= B;   COMPARTMENTS= 3;  MINCLASS= C;
        REQUIRED COMBINATIONS: COMBINATION CONSTRAINTS  

SENSITIVITY LABELS:
        WORDS:
        NAME= A;   COMPARTMENTS= 2;  MINCLASS= S;
        NAME= B;   COMPARTMENTS= 3;  MINCLASS= C;
        REQUIRED COMBINATIONS: A  B
        COMBINATION CONSTRAINTS