Trusted Extensions Label Administration

Updated: July 2014

Planning for Supporting Procedures

The security administrator creates security policies to enforce the labeling strategy.

Rules for Protecting a REGISTERED File or Directory

The security administrator realizes that anyone with a clearance that includes the word REGISTERED can access any registered information anywhere in the company. Further precautions are needed. For example, users who have REGISTERED in their clearance must be instructed to use UNIX permissions to protect their files. Permissions must be set so that only the owner can view or modify the file. The following example shows a user who is applying discretionary access control to protect the contents of a REGISTERED directory.

As the following example shows, the user who creates a file or directory while working at a sensitivity label of REGISTERED needs to set the file's permissions to be read and write for the owner only. Directory permissions are set to be readable, writable, and searchable only by the owner. These permissions ensure that another user who can work at the REGISTERED label cannot read the file.

Example 6-1  Using DAC to Protect Registered Information
% plabel
REGISTERED
% mkdir registered.dir
% chmod 700 registered.dir
% cd registered.dir
% touch registered.file
% ls -l
-rwxrwxrwx registered.file
% chmod 600 registered.file
% ls -l
-rw------- registered.file
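The following audit helper is an added example and is not part of the Trusted Extensions guide. It checks that a directory holding REGISTERED information follows the owner-only rule of Example 6-1 (directory drwx------, regular files -rw-------), using only ls(1) and cut(1) so that it works on Solaris and Linux; it assumes it is run from a shell that is already at the REGISTERED label and deliberately does not call plabel.

```shell
#!/bin/sh
# Added audit helper (not from the Trusted Extensions guide).
# Verifies the DAC rule from Example 6-1: the directory must be mode 700
# (drwx------) and every regular file in it mode 600 (-rw-------).

# mode_string PATH
# Prints the 10-character type/permission field of "ls -ld PATH".
# cut drops any trailing ACL marker ("+") or other suffix that ls appends.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# check_registered_dir DIR
# Prints one VIOLATION line per problem found. Returns 0 when the directory
# and all regular files in it are owner-only, 1 when any violation was found,
# and 2 when DIR is not a directory.
check_registered_dir() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    m=$(mode_string "$dir")
    if [ "$m" != "drwx------" ]; then
        echo "VIOLATION directory $dir has mode $m, expected drwx------"
        rc=1
    fi
    # Include dot files; an unmatched glob stays literal and fails the -f test.
    for f in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -f "$f" ] || continue      # skip unmatched globs and non-files
        [ -L "$f" ] && continue      # symlinks carry no permission bits of their own
        m=$(mode_string "$f")
        if [ "$m" != "-rw-------" ]; then
            echo "VIOLATION file $f has mode $m, expected -rw-------"
            rc=1
        fi
    done
    return $rc
}
```

Run it as `check_registered_dir registered.dir` after the chmod steps above; a non-zero exit status means at least one file is still readable by other users who can work at REGISTERED.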

Rules for Configuring Printers

The following table shows how printers that are available to various SecCompany departments need to be configured.

Table 6-1  Label Ranges on SecCompany Printers at Various Locations

Printer Location: Lobby or public meeting room
  Type of Access: Anyone
  Label Range: PUBLIC only

Printer Location: Internal company printer room
  Type of Access: Available to all people who have signed nondisclosure agreements
  Label Range: PUBLIC to INTERNAL_USE_ONLY

Printer Location: Restricted area for one group
  Type of Access: Members of a group specified in the NEED_TO_KNOW group-name compartment
  Label Range: NEED_TO_KNOW group-name only

Printer Location: Strictly controlled area
  Type of Access: Available only to people who have the REGISTERED classification in their clearance
  Label Range: REGISTERED only

For more information, see Chapter 19, Managing Labeled Printing, in Trusted Extensions Configuration and Administration.

Rules for Handling Printer Output

People who have access to restricted printers are instructed to do the following:

  • Protect information according to the instructions on the banner and trailer pages of printed output.

  • Shred jobs that do not have both a banner and a trailer page. Also, shred jobs that do not have matching job numbers on the banner and trailer pages.