Compartmented Mode Workstation Labeling: Encodings Format (Oracle Solaris 11.1 Information Library)
Before encoding each word, the meaning of the word with respect to national policy must be determined. If national policy dictates that mandatory access control (MAC) must be performed based on the word (which is the case for compartments, subcompartments, SAPs, and SAPIs), or if a policy decision is made to treat a word as a compartment (for example, release markings on which it has been decided to perform MAC, such as REL CNTRY1 and REL CNTRY2 in Appendix B, Annotated Sample Encodings), then the word should be associated with compartment bits in the CLEARANCES: and SENSITIVITY LABELS: sections of the encodings file, and possibly in the INFORMATION LABELS: section as well. Such a word is called a MAC word. If, instead, the word does not directly enter into MAC decisions but implies some other word that does, the word would appear only in information labels, be associated with both compartments and markings, and be called a MAC-related word. Finally, if the word has nothing to do with MAC, the word would appear only in information labels, be associated with only markings, and be called a non-MAC word.
As mentioned above, words on which mandatory access control must be performed must be associated with compartment bits, and must appear in the CLEARANCES: and SENSITIVITY LABELS: sections, and possibly in the CHANNELS:, PRINTER BANNERS:, and INFORMATION LABELS: sections. The word would appear in the CHANNELS: section if the word represents a handling channel. The word would appear in the PRINTER BANNERS: section if the word requires any special printer banner marking other than a handling channel caveat. The word would appear in the INFORMATION LABELS: section if it is desired that the word appear in information labels. It is conceivable that a mandatory access control word not appear in information labels, but that a codeword that implies the word could appear instead.
When encoded in the CLEARANCES:, SENSITIVITY LABELS:, CHANNELS:, and PRINTER BANNERS: sections, a mandatory access control word would be associated with only compartment bits. When encoded in the INFORMATION LABELS: section, the word could have associated both compartment and marking bits.
Consider the word A in Appendix B, Annotated Sample Encodings. This word, which appears with the name A in the CLEARANCES: and SENSITIVITY LABELS: sections and the name (CH A) in the CHANNELS: section, is associated with compartment bit 0 being 1. Note that the word A in the INFORMATION LABELS: section is also associated with compartment bit 0 being 1, but additionally has a marking bit associated, for a reason discussed below.
Some words that represent compartments, and would typically be expected to have only compartment bits associated, nonetheless require association with marking bits in information labels to establish a hierarchy with other information label words. In the INFORMATION LABELS: section, A has marking bit 7 associated. The purpose of marking bit 7 in the specification of A is to establish a hierarchy with A above WNINTEL (which is associated only with marking bit 7). The reason for this hierarchy is that the word WNINTEL was deemed unnecessary when it appears along with any word that directly represents or implies a compartment. The hierarchy prevents WNINTEL from appearing in a label with any such word.
Words that are not directly used for MAC, yet imply the presence of a compartment or other MAC word, are encoded in the INFORMATION LABELS: section using both compartment and marking bits. This situation typically occurs when there are multiple words, sometimes called codewords, associated with a compartment. In such a case, users are cleared for the compartment as a whole, not for the individual codewords. However, the presence of the codeword in an information label implies that the data is in the compartment. The codeword must therefore have a compartment bit associated to identify the compartment, but must additionally have one or more marking bits associated to distinguish the word as a codeword (as opposed to a MAC word) and to differentiate among the multiple codewords. An example of this case appears in Appendix B, Annotated Sample Encodings with the words alpha1, alpha2, and alpha3. All three words are associated with compartment bit 0 (and hence the compartment A), but additionally have marking bits associated. This particular pattern of marking bits determines which of the three codewords are present.
It is also possible to encode MAC-related words in the PRINTER BANNERS: section if desired. There is no such example in Appendix B, Annotated Sample Encodings.
Words having nothing to do with MAC, either directly as compartments or indirectly as codewords, are encoded in the INFORMATION LABELS: section using only marking bits. In Appendix B, Annotated Sample Encodings, the word WNINTEL is such a word.
It is also possible to encode non-MAC-related words in the PRINTER BANNERS: section if desired. There is no such example in Appendix B, Annotated Sample Encodings.
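The three word categories and the A-above-WNINTEL hierarchy can be modeled as bit sets. The following Python sketch is an added example, not part of the Oracle documentation or of Appendix B. It assumes a simplified model in which one word is above another when its 1 bits are a strict superset of the other's; the bits for A and WNINTEL are those given in the text, while marking bits 7 through 10 for alpha1, alpha2, and alpha3 are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Word:
    name: str
    compartments: frozenset   # compartment bit numbers set to 1
    markings: frozenset       # marking bit numbers set to 1
    in_clearances: bool       # also listed in CLEARANCES:/SENSITIVITY LABELS:

# INFORMATION LABELS: entries. A and WNINTEL use the bits the text gives;
# the marking bits of alpha1-alpha3 are constructed for this example.
WORDS = {w.name: w for w in [
    Word("A",       frozenset({0}), frozenset({7}),     True),
    Word("alpha1",  frozenset({0}), frozenset({7, 8}),  False),
    Word("alpha2",  frozenset({0}), frozenset({7, 9}),  False),
    Word("alpha3",  frozenset({0}), frozenset({7, 10}), False),
    Word("WNINTEL", frozenset(),    frozenset({7}),     False),
]}

def classify(word):
    """Return the category the text assigns to a word."""
    if word.in_clearances:
        return "MAC"              # MAC is performed on the word itself
    if word.compartments and word.markings:
        return "MAC-related"      # codeword implying a compartment
    if word.markings:
        return "non-MAC"          # marking bits only
    raise ValueError(f"{word.name}: bit combination not described in the text")

def is_above(upper, lower):
    """Simplified hierarchy: upper's 1 bits strictly contain lower's."""
    same = (upper.compartments == lower.compartments
            and upper.markings == lower.markings)
    return (not same
            and lower.compartments <= upper.compartments
            and lower.markings <= upper.markings)

def visible_words(names):
    """Drop every word that another word in the same label is above."""
    present = [WORDS[n] for n in names]
    return [w.name for w in present
            if not any(is_above(other, w) for other in present)]
```

With these encodings, a label containing both A and WNINTEL reduces to A alone, while two codewords with different marking patterns both remain.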