The account label range is the range of labels that is available to a user account or role account. This range governs the labels at which the user can work when logging in to the system.
The labels that are available in the account label range have the following constraints:
The user clearance defines the upper bound of the account label range.
A clearance does not have to be a valid label. Because it must dominate all labels at which the user can work, the clearance must contain all the components of all the labels at which the user can work.
The minimum label sets the lower bound of the account label range.
The minimum sensitivity label in the label_encodings file defines an absolute minimum on labels at which any user can work.
Consider a label_encodings file that prohibits the combination of compartments A, B, and C in a label. The valid clearance in this label_encodings file is not a valid label for a user.
The minimum label would be TS with no compartments.
TS A B C would be a valid clearance. TS A B C would not be a valid label.
Valid labels for a user would be TS, TS A, TS B, and TS C.