Oracle Solaris provides the following sample label_encodings files in the /etc/security/tsol directory. These samples can be modified to meet your site requirements.
Is installed by Trusted Extensions software as the default. This file uses commercial labels, such as Confidential: Need to Know.
Is similar to the example in Appendix A, Customized Encodings File for SecCompany.
The introduction to the appendix describes the label components in the file. Chapter 6, Example of Planning an Organization's Encodings File describes each step for creating this file.
label_encodings.gfi.single is the U.S. government single-level file.
label_encodings.single is Oracle Solaris's version of the U.S. government single-level file. The color assignments are different.
label_encodings.gfi.multi is the U.S. government multilevel file.
label_encodings.multi is Oracle Solaris's version of the U.S. government multilevel file. The combinations are less restricted, the minimum clearance is higher, the default user label is lower, and the colors are different.
Alternatively, you can build a label_encodings file from scratch. The syntax and structure of the label_encodings file are described in Encodings File Syntax.
By default, the /etc/security/tsol/label_encodings file is installed with the following contents:
    ACCREDITATION RANGE:
    classification= PUB; all compartment combinations valid;
    classification= SBX; all compartment combinations valid;
    classification= CNF; all compartment combinations valid except:
    CNF
    minimum clearance= PUB;
    minimum sensitivity label= PUB;
    minimum protect as classification= PUB;
The ACCREDITATION RANGE definition restricts the user to the following label:
PUBLIC is defined as the lowest classification.
CONFIDENTIAL is defined as a higher classification.
SANDBOX is defined as the highest classification.
PUBLIC is defined as the minimum clearance.
PUBLIC is defined as the minimum sensitivity label.
PUBLIC is defined as the minimum “Protect As” classification.
The Classifications section of the default file is illustrated in the following figure.
Figure 2-2 Classifications in the Default label_encodings File
The Compartments section of the file is illustrated in the following figure.
Figure 2-3 Compartments in the Default label_encodings File
Oracle Solaris provides two government-furnished files, label_encodings.gfi.single and label_encodings.gfi.multi. The label_encodings.gfi.single file is a single-level file, and the label_encodings.gfi.multi file is a multilevel version of the single-level file. The files also differ in the settings in the ACCREDITATION RANGE section. The ACCREDITATION RANGE section describes which classifications and compartments are available to regular users.
Oracle Solaris also provides two simplified versions of these files, label_encodings.single and label_encodings.multi. The differences are described in the following sections.
The ACCREDITATION RANGE settings in the label_encodings.multi file follow:
    ACCREDITATION RANGE:
    classification= u; all compartment combinations valid;
    classification= c; all compartment combinations valid;
    classification= s; all compartment combinations valid;
    classification= ts; all compartment combinations valid;
    minimum clearance= c;
    minimum sensitivity label= u;
    minimum protect as classification= u;
The ACCREDITATION RANGE definition enables the site to use all the classifications and compartments that are defined in the label_encodings.multi file, as follows:
UNCLASSIFIED, CLASSIFIED, SECRET, and TOP SECRET are defined with all compartment combinations valid.
CLASSIFIED is defined as the minimum clearance.
UNCLASSIFIED is defined as the minimum sensitivity label.
UNCLASSIFIED is defined as the minimum protect as classification.
The ACCREDITATION RANGE settings in the label_encodings.single file follow:
    ACCREDITATION RANGE:
    classification= s; only valid compartment combinations:
    s a b rel cntry1
    minimum clearance= s Able Baker NATIONALITY: CNTRY1;
    minimum sensitivity label= s A B REL CNTRY1;
    minimum protect as classification= s;
The ACCREDITATION RANGE definition restricts the user to the following label:
SECRET is defined as the only classification.
SECRET A B REL CNTRY1 is defined as the only valid compartment combination.
SECRET ABLE BAKER NATIONALITY: CNTRY1 is defined as the minimum clearance.
SECRET A B REL CNTRY1 is defined as the minimum sensitivity label.
SECRET is defined as the minimum “Protect As” classification.
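When reviewing what a site's file lets regular users reach, the ACCREDITATION RANGE sections quoted above can be read mechanically. The following Python code is an added example, not part of the Oracle documentation or the Trusted Extensions software. It assumes one statement per line, and parse_accreditation_range is a hypothetical helper name.

```python
import re

# Sample input: the ACCREDITATION RANGE sections quoted on this page,
# laid out one statement per line (layout is an assumption of this parser).
DEFAULT = """\
ACCREDITATION RANGE:
classification= PUB; all compartment combinations valid;
classification= SBX; all compartment combinations valid;
classification= CNF; all compartment combinations valid except:
CNF
minimum clearance= PUB;
minimum sensitivity label= PUB;
minimum protect as classification= PUB;
"""
SINGLE = """\
ACCREDITATION RANGE:
classification= s; only valid compartment combinations:
s a b rel cntry1
minimum clearance= s Able Baker NATIONALITY: CNTRY1;
minimum sensitivity label= s A B REL CNTRY1;
minimum protect as classification= s;
"""
RULES = {"all compartment combinations valid",
         "all compartment combinations valid except",
         "only valid compartment combinations"}
MINIMUMS = {"minimum clearance", "minimum sensitivity label",
            "minimum protect as classification"}

def parse_accreditation_range(text):
    """Return ({classification: (rule, [listed labels])}, {minimum keyword: value})."""
    classes, minimums, labels = {}, {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.upper().startswith("ACCREDITATION RANGE"):
            continue
        c = re.match(r"classification=\s*([^;]+);\s*(.+?)([;:])$", line, re.I)
        m = re.match(r"(minimum [a-z ]+?)=\s*(.+?);$", line, re.I)
        if c and c.group(2).lower() in RULES:
            entry = []
            classes[c.group(1).strip()] = (c.group(2).lower(), entry)
            labels = entry if c.group(3) == ":" else None  # ":" opens a label list
        elif m and m.group(1).lower() in MINIMUMS:
            minimums[m.group(1).lower()] = m.group(2).strip()
            labels = None
        elif labels is not None and not c and not m:
            labels.append(line)  # a label under "except:" or "only valid ...:"
        else:
            raise ValueError(f"unrecognized ACCREDITATION RANGE line: {line!r}")
    return classes, minimums
```

A line that is neither a known statement nor a label inside an open list raises ValueError, so a mistyped keyword is reported instead of being silently skipped.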