Labels and clearances consist of a single classification and zero or more compartments. The classification portion of a label indicates a relative level of protection. When a label is assigned to an object, the label's classification indicates the sensitivity of the information that is contained in the object. When a clearance is assigned to a user, the classification portion of the clearance label indicates the user's level of trust.
Trusted Extensions supports Common IP Security Option (CIPSO) labels. Each label has a classification field that allows 256 values, and a 256-bit compartments field. You cannot use 0 (zero) for a classification, so you can define a total of 255 classifications. For CIPSO labels, 240 compartment bits are available, for a total of 2240 compartment combinations. The components are illustrated in the following figure. Note that “Class” means “Classification” and “Comp” means “Compartment”.
Figure 1-2 CIPSO Label Definition
The ADMIN_HIGH label and the ADMIN_LOW label are administrative labels. These labels define the upper bound and lower bound of all labels on a system.
Each compartment has one or more compartment bits assigned. The same compartment bit can be assigned to more than one compartment.
The textual format of a classification appears similar to the following:
CLASSIFICATIONS: name= TOP SECRET; sname= TS; value= 6;initial compartments= 4-5;
The compartment portion of a label is optional. Compartments in a label can be used to represent different kinds of groupings, such as workgroups, departments, divisions, or geographical areas. Compartments can also further identify how information will be handled.
When initial compartments are part of the classification definition, then compartments are part of that label. In the following excerpt, name indicates a compartment that can be used with the TS classification.
WORDS: name= A; compartments= 0; name= B; compartments= 1; name= CNTRY1; sname= c1; compartments= ~4; name= CNTRY2; sname= c2; compartments= ~5;
Possible labels from the preceding classifications and compartments include TS, TS A, TS B, and TS AB. A file with the TS A label would be available only to users who have the TS classification and the A compartment in their clearances. For an illustration, see Figure 1–3.