Labels and clearances are at the center of mandatory access control (MAC) in Trusted Extensions. They determine which users can access which programs, files, and directories. Labels and clearances consist of one classification component and zero or more compartment components. The classification component indicates a hierarchical level of security such as TOP SECRET to SECRET to PUBLIC. The compartment component represents a group of users who might need access to a common body of information. Some typical types of compartments are projects, departments, or physical locations. Labels are readable by authorized users, but internally, labels are manipulated as numbers. The numbers and their readable versions are defined in the label_encodings file.
Trusted Extensions mediates all attempted security-related transactions. The software compares the labels of the accessing entity, typically a process, and the entity being accessed, usually a filesystem object. The software then permits or disallows the transaction depending on which label is dominant. Labels are also used to determine access to other system resources, such as allocatable devices, networks, frame buffers, and other systems.
One entity's label is said to dominate another label if the following two conditions are met:
The classification component of the first entity's label is equal to or higher than the second entity's classification. The security administrator assigns numbers to classifications in the label_encodings file. The software compares these numbers to determine dominance.
The set of compartments in the first entity's label includes all of the compartments in the second entity's label, that is, the first label's compartments are a superset of the second label's compartments.
Two labels are said to be equal if they have the same classification and the same set of compartments. If the labels are equal, they dominate each other and access is permitted.
If one label has a higher classification or if it has the same classification and its compartments are a superset of the second label's compartments, or both, the first label is said to strictly dominate the second label.
Two labels are said to be disjoint or noncomparable if neither label dominates the other label.
The following table presents examples of label comparisons for dominance. In the example, NEED_TO_KNOW is a higher classification than INTERNAL. There are three compartments: Eng, Mkt, and Fin.
Trusted Extensions provides two special administrative labels that are used as labels or clearances: ADMIN_HIGH and ADMIN_LOW. These labels are used to protect system resources and are intended for administrators rather than regular users.
ADMIN_HIGH is the highest label. ADMIN_HIGH dominates all other labels in the system and is used to protect system data, such as administration databases or audit trails, from being read. You must be in the global zone to read data that is labeled ADMIN_HIGH.
ADMIN_LOW is the lowest label. ADMIN_LOW is dominated by all other labels in a system, including labels for regular users. Mandatory access control does not permit users to write data to files with labels lower than the user's label. Thus, a file at the label ADMIN_LOW can be read by regular users, but cannot be modified. ADMIN_LOW is typically used to protect public executables that are shared, such as files in /usr/bin.
All label components for a system, that is, classifications, compartments, and the associated rules, are stored in an ADMIN_HIGH file, the label_encodings file. The original file is located in the /etc/security/tsol directory. After Trusted Extensions is enabled, the location of the file is stored as a property of the labeld service. The security administrator configures the label_encodings file for the site. A label encodings file contains:
For more information, see the label_encodings(4) man page. Detailed information can also be found in Trusted Extensions Label Administration and Compartmented Mode Workstation Labeling: Encodings Format.
A label range is the set of potentially usable labels at which users can operate. Both users and resources have label ranges. Resources that can be protected by label ranges include such things as allocatable devices, networks, interfaces, frame buffers, and commands. A label range is defined by a clearance at the top of the range and a minimum label at the bottom.
A range does not necessarily include all combinations of labels that fall between a maximum and minimum label. Rules in the label_encodings file can disqualify certain combinations. A label must be well-formed, that is, permitted by all applicable rules in the label encodings file, in order to be included in a range.
However, a clearance does not have to be well-formed. Suppose, for example, that a label_encodings file prohibits any combination of compartments Eng, Mkt, and Fin in a label. INTERNAL Eng Mkt Fin would be a valid clearance but not a valid label. As a clearance, this combination would let a user access files that are labeled INTERNAL Eng, INTERNAL Mkt, and INTERNAL Fin.
When you assign a clearance and a minimum label to a user, you define the upper and lower boundaries of the account label range in which that user is permitted to operate. The following equation describes the account label range, using ≤ to indicate “dominated by or the same as”:
minimum-label ≤ permitted-label ≤ clearance
Thus, the user is permitted to operate at any label that is dominated by the clearance as long as that label dominates the minimum label. When a user's clearance or minimum label is not expressly set, the defaults that are defined in the label_encodings file take effect.
Users can be assigned a clearance and a minimum label that enable them to operate at more than one label, or at a single label. When a user's clearance and minimum label are equal, the user can operate at only one label.
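The dominance comparisons described above, together with the clearance and account label range rules, as an added example that is not part of the Trusted Extensions documentation or software. The classification numbers, the three compartments, and the rule forbidding Eng, Mkt, and Fin together in one label are constructed to match the examples in the text; a real site defines them in its label_encodings file.

```python
from dataclasses import dataclass

# Constructed encoding that follows the page's example: NEED_TO_KNOW is a
# higher classification than INTERNAL, and there are three compartments.
# These numbers are assumed; a real site assigns them in label_encodings.
CLASSIFICATIONS = {"PUBLIC": 1, "INTERNAL": 2, "NEED_TO_KNOW": 3}
COMPARTMENTS = {"Eng", "Mkt", "Fin"}

@dataclass(frozen=True)
class Label:
    classification: str
    compartments: frozenset = frozenset()

    @classmethod
    def parse(cls, text):
        # "INTERNAL Eng Mkt" -> Label("INTERNAL", {"Eng", "Mkt"})
        words = text.split()
        return cls(words[0], frozenset(words[1:]))

def dominates(a, b):
    """a dominates b: equal-or-higher classification and a superset of b's compartments."""
    return (CLASSIFICATIONS[a.classification] >= CLASSIFICATIONS[b.classification]
            and a.compartments >= b.compartments)

def compare(a, b):
    """Classify the pair as 'equal', 'strictly dominates', 'dominated by' or 'disjoint'."""
    ab, ba = dominates(a, b), dominates(b, a)
    if ab and ba:
        return "equal"
    if ab:
        return "strictly dominates"
    if ba:
        return "dominated by"
    return "disjoint"

# Constructed well-formedness rule taken from the clearance example: no label may
# carry Eng, Mkt, and Fin together. Clearances are not subject to this rule.
def well_formed(label):
    return (label.classification in CLASSIFICATIONS
            and label.compartments <= COMPARTMENTS
            and not {"Eng", "Mkt", "Fin"} <= label.compartments)

def permitted(label, minimum, clearance):
    """Account label range: minimum-label <= label <= clearance, and label well-formed."""
    return (well_formed(label) and dominates(label, minimum)
            and dominates(clearance, label))
```

With the clearance INTERNAL Eng Mkt Fin, `permitted` accepts INTERNAL Eng, INTERNAL Mkt and INTERNAL Fin but rejects the clearance itself as a working label, because it is not well-formed.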
The session range is the set of labels that is available to a user during a Trusted Extensions session. The session range must be within the user's account label range and the label range set for the system. At login, if the user selects single-label session mode, the session range is limited to that label. If the user selects multilabel session mode, then the label that the user selects becomes the session clearance. The session clearance defines the upper boundary of the session range. The user's minimum label defines the lower bound. The user begins the session in a workspace at the minimum label. During the session, the user can switch to a workspace at any label within the session range.
Labels appear on the desktop and on output that is executed on the desktop, such as printouts.
Applications – Applications start processes. These processes run at the label of the workspace where the application is started. An application in a labeled zone, as a file, is labeled at the label of the zone.
Devices – Data flowing through devices is controlled through device allocation and device label ranges. To use a device, users must be within the label range of the device, and be authorized to allocate the device.
File system mount points – Every mount point has a label. The label is viewable by using the getlabel command.
IPsec and IKE – IPsec security associations and IKE rules have labels.
Network interfaces – IP addresses (hosts) are assigned security templates that describe their label range. Unlabeled hosts are also assigned a default label by the communicating Trusted Extensions system.
Printers and printing – Printers have label ranges. Labels are printed on body pages. Labels, handling information, and other security information are printed on the banner and trailer pages. To configure printing in Trusted Extensions, see Chapter 19, Managing Labeled Printing and Labels on Printed Output in Trusted Extensions Label Administration.
Processes – Processes are labeled. Processes run at the label of the workspace where the process originates. The label of a process is visible by using the plabel command.
Users – Users are assigned a default label and a label range. The label of the user's workspace indicates the label of the user's processes.
Windows – Labels are visible at the top of desktop windows. The label of the desktop is also indicated by color. The color appears on the workspace panel and above window title bars, as shown in Figure 6–1.
When a window is moved to a differently labeled workspace, the window maintains its original label. Processes that are initiated in that window execute at the original label.
Zones – Every zone has a label. The files and directories that are owned by a zone are at the zone's label. For more information, see the getzonepath(1) man page.