The security administrator creates security policies to enforce the labeling strategy.
The security administrator realizes that anyone with a clearance that includes the word REGISTERED can access any registered information anywhere in the company. Further precautions are needed. For example, users who have REGISTERED in their clearance must be instructed to use UNIX permissions to protect their files. Permissions must be set so that only the owner can view or modify the file. The following example shows a user who is applying discretionary access control to protect the contents of a REGISTERED directory.
As the following example shows, a user who creates a file or directory while working at a sensitivity label of REGISTERED needs to set the file's permissions to read and write for the owner only. Directory permissions are set to be readable, writable, and searchable only by the owner. These permissions ensure that another user who can work at the REGISTERED label cannot read the file.

Example 6-1 Using DAC to Protect Registered Information
% plabel
REGISTERED
% mkdir registered.dir
% chmod 700 registered.dir
% cd registered.dir
% touch registered.file
% ls -l
-rwxrwxrwx registered.file
% chmod 600 registered.file
% ls -l
-rw------- registered.file
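
The script below is an added example, not part of the original guide: it audits a directory tree for any group or other permission bits, which is the condition the DAC instructions above are meant to rule out. The function names and the temporary demo tree are constructed for illustration, and the script checks UNIX permissions only, not sensitivity labels.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that a directory
# tree grants no group or other access, as the DAC instructions require.

# List entries under $1 that have any group/other permission bit set.
# Symbolic links are skipped; their own mode bits are not used for access.
list_exposed() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Return 0 if the tree is owner-only, 1 if anything is exposed.
audit_owner_only() {
    exposed=$(list_exposed "$1")
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed" | sed 's/^/not owner-only: /' >&2
    return 1
}

# Strip every group/other bit and leave the owner bits unchanged.
restrict_to_owner() {
    find "$1" ! -type l -exec chmod go-rwx {} +
}

# Create a directory with umask 077 in a subshell, so it is
# owner-only from the moment it exists.
make_private_dir() {
    ( umask 077 && mkdir "$1" )
}

# Demo on a constructed tree in a temporary directory.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/registered.dir"
    touch "$tmp/registered.dir/registered.file"
    chmod 755 "$tmp/registered.dir"
    chmod 644 "$tmp/registered.dir/registered.file"
    audit_owner_only "$tmp/registered.dir" || echo "audit: exposed entries found"
    restrict_to_owner "$tmp/registered.dir"
    audit_owner_only "$tmp/registered.dir" && echo "audit: owner-only"
    rm -rf "$tmp"
}
demo
```

Creating the directory with `make_private_dir` avoids the interval in Example 6-1 between `mkdir` and `chmod 700`, during which the directory carries the default permissions.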
The following table shows how printers that are available to various SecCompany departments need to be configured.
For more information, see Chapter 19, Managing Labeled Printing, in Trusted Extensions Configuration and Administration.
People who have access to restricted printers are instructed to do the following:
Protect information according to the instructions on the banner and trailer pages of printed output.
Shred jobs that do not have both a banner and a trailer page. Also, shred jobs that do not have matching job numbers on the banner and trailer pages.