
Securing Files and Verifying File Integrity in Oracle® Solaris 11.4


Updated: August 2018
Example - Label Encodings File With Reused Compartment Bits

The number of compartments that can be defined in a label encodings file is much greater than the number of compartment bits. In Oracle Solaris, the number of available compartment bits is 256, but many thousands of compartments can be created from these bits. Two compartment properties make this possible: subcompartments and conflicts.

The subcompartments property acts like an include statement in C. It specifies that the bits of an existing compartment are included in the current compartment. You can define hierarchies of subcompartments to create arbitrary levels of nesting. For example, the following labelcfg subcommands create three compartments. The Internal compartment gets bit 0, the Restricted compartment gets bits 0 and 1, and Engineering gets bits 0, 1, and 2.

 add compartment=Internal
    set bit=0
    end
 add compartment=Restricted
    set bit=1
    set subcompartments=Internal
    end
 add compartment=Engineering
    set bit=2
    set subcompartments=Restricted
    end

If you do not specify a bit value, the next available bit is used. You can use the clear bit subcommand to prevent the assignment of a unique bit value. The clear bit subcommand is useful when creating an alias for a combination of subcompartments. In this example, the All BUs compartment is an alias for all the subcompartments and its bit is cleared.

The conflicts property specifies the compartments that are mutually exclusive with the current compartment. Labels that contain conflicting compartments cannot be applied to files or clearances. The list subcommand only shows valid compartment combinations.

Tip - Although compartments typically have unique bit values, you can assign the same bit values to conflicting compartments because conflicting compartments cannot be combined into a valid label.
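To make the subcompartment and conflict rules concrete, here is an added Python model (not part of Oracle's documentation or of labelcfg) of a constructed subset of the corporate_encodings file shown later on this page. It expands subcompartment bits transitively, treats a cleared bit as an alias with no bit of its own, rejects labels that contain mutually exclusive compartments, and shows that Software and IT can both use bit 8 without ambiguity because their subcompartments contribute different bits.

```python
# Added example, not Oracle code: a small model of the encodings rules on this
# page. Subcompartments include a compartment's bits transitively, "clear bit"
# yields an alias that contributes no bit of its own, and conflicts make two
# compartments mutually exclusive within one label.
from dataclasses import dataclass
from typing import Optional, Tuple, FrozenSet


@dataclass(frozen=True)
class Compartment:
    bit: Optional[int]                      # None models "clear bit"
    subcompartments: Tuple[str, ...] = ()
    conflicts: FrozenSet[str] = frozenset()


# Constructed subset of the page's corporate_encodings file (same bits, same
# subcompartment and conflict relations as the export shown on this page).
ENCODINGS = {
    "Internal":    Compartment(0),
    "Restricted":  Compartment(1, ("Internal",)),
    "Engineering": Compartment(2, ("Restricted",)),
    "Operations":  Compartment(3, ("Restricted",), frozenset({"All BUs"})),
    "All BUs":     Compartment(None, ("Engineering", "Operations")),
    "Software":    Compartment(8, ("Engineering",), frozenset({"All BUs"})),
    "IT":          Compartment(8, ("Operations",), frozenset({"All BUs"})),
}


def compartment_bits(name, enc=ENCODINGS):
    """All bits of a compartment, including its subcompartments (transitive)."""
    c = enc[name]
    bits = set() if c.bit is None else {c.bit}
    for sub in c.subcompartments:
        bits |= compartment_bits(sub, enc)
    return frozenset(bits)


def conflicting_pair(names, enc=ENCODINGS):
    """First pair of mutually exclusive compartments in a label, or None."""
    names = list(names)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # Conflicts are mutual, so check the relation in both directions.
            if b in enc[a].conflicts or a in enc[b].conflicts:
                return (a, b)
    return None


def label_bits(names, enc=ENCODINGS):
    """Bit vector of a label's compartment set; reject labels with conflicts."""
    pair = conflicting_pair(names, enc)
    if pair:
        raise ValueError("conflicting compartments: %s and %s" % pair)
    return frozenset().union(*(compartment_bits(n, enc) for n in names))
```

Running `label_bits({"Software"})` and `label_bits({"IT"})` gives `{0, 1, 2, 8}` and `{0, 1, 3, 8}`: the shared bit 8 is disambiguated by the business-unit bit each one inherits.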

In this example, multiple business units in a corporation are each assigned one unique bit, and then share the remaining bits for their own projects or departments. The six business units are each assigned unique bits, 2 through 7, and share bits 8 and 9 because the business units are mutually exclusive. The use of 7 bits creates over twenty-five distinct labels.

The bit assignments are as follows:

  • 2 - Engineering (8 - Software, 9 - Hardware)

  • 3 - Operations (8 - Information Technology, 9 - Maintenance)

  • 4 - Human Resources (8 - Benefits, 9 - Personal Information)

  • 5 - Legal (8 - Patents, 9 - Compliance)

  • 6 - Finance (8 - Payroll, 9 - Accounts)

  • 7 - Mergers and Acquisitions (8 - Robots, 9 - Widgets)

This example shows the export file of this encodings file.

$ labelcfg -e corporate_encodings info
set title="Corporate Example's Information Protection Policy"
 add classification=Public
    set level=1
    end
 add classification="Confidential -"
    set level=2
    end
 add compartment=Internal
    set bit=0
    set minclass="Confidential -"
    end
 add compartment=Restricted
    set bit=1
    set subcompartments="Internal"
    end
 add compartment=Engineering
    set bit=2
    set subcompartments="Restricted"
    set prefix="Business Units:"
    end
 add compartment=Operations
    set bit=3
    set subcompartments="Restricted"
    set prefix="Business Units:"
    end
 add compartment="Human Resources"
    set shortname=HR
    set bit=4
    set subcompartments="Restricted"
    set prefix="Business Units:"
    end
 add compartment=Legal
    set bit=5
    set subcompartments="Restricted"
    set prefix="Business Units:"
    end
 add compartment=Finance
    set bit=6
    set subcompartments="Restricted"
    set prefix="Business Units:"
    end
 add compartment="Mergers and Acquisitions"
    set shortname=M&A
    set bit=7
    set subcompartments="Restricted"
    set prefix="Business Units:"
    end
 add compartment="All BUs"
    clear bit
    set subcompartments="Mergers and Acquisitions,Legal,Operations,Finance,Engineering,Human Resources"
    set prefix="Business Units:"
    end
 add compartment=Software
    set bit=8
    set conflicts="All BUs"
    set subcompartments="Engineering"
    set prefix="Example Engineering:"
    end
 add compartment=Hardware
    set bit=9
    set subcompartments="Engineering"
    set conflicts="All BUs"
    set prefix="Example Engineering:"
    end
 add compartment="Information Technology"
    set shortname=IT
    set bit=8
    set subcompartments="Operations"
    set conflicts="All BUs"
    set prefix="Example Operations:"
    end
 add compartment=Maintenance
    set bit=9
    set subcompartments="Operations"
    set conflicts="All BUs"
    set prefix="Example Operations:"
    end
 add compartment=Patents
    set bit=8
    set subcompartments="Legal"
    set conflicts="All BUs"
    set prefix="Example Legal:"
    end
 add compartment=Compliance
    set bit=9
    set subcompartments="Legal"
    set conflicts="All BUs"
    set prefix="Example Legal:"
    end
 add compartment=Robots
    set bit=8
    set subcompartments="Mergers and Acquisitions"
    set conflicts="All BUs"
    set prefix="Example M&A:"
    end
 add compartment=Widgets
    set bit=9
    set subcompartments="Mergers and Acquisitions"
    set conflicts="All BUs"
    set prefix="Example M&A:"
    end
 add compartment=Benefits
    set bit=8
    set subcompartments="Human Resources"
    set conflicts="All BUs"
    set prefix="Example HR:"
    end
 add compartment="Personal Information"
    set bit=9
    set subcompartments="Human Resources"
    set conflicts="All BUs"
    set prefix="Example HR:"
    end
 add compartment=Payroll
    set bit=8
    set subcompartments="Finance"
    set conflicts="All BUs"
    set prefix="Example Finance:"
    end
 add compartment=Accounts
    set bit=9
    set subcompartments="Finance"
    set conflicts="All BUs"
    set prefix="Example Finance:"
    end
 add compartment="Highly Restricted"
    clear bit
    set subcompartments="All BUs,Hardware,Software"
    end
 select compartment="Mergers and Acquisitions"
    set conflicts="All BUs"
    end
 select compartment=Legal
    set conflicts="All BUs"
    end
 select compartment=Operations
    set conflicts="All BUs"
    end
 select compartment=Finance
    set conflicts="All BUs"
    end
 select compartment="Human Resources"
    set conflicts="All BUs"
    end
 select classification=Public
    set valid=""
    end
 select classification="Confidential -"
    set invalid=""
    end
 set min_label=Public
 set clearance="Confidential - Internal"

The resulting encodings file creates 22 compartments by using only 10 bits (0-9). The remaining 246 bits could be shared to create unique hierarchies within each business unit. This example shows the corresponding list of valid labels.

$ labelcfg -e corporate_encodings list
 "Confidential - Highly Restricted"
 "Confidential - Business Units: All BUs"
 "Confidential - Example Engineering: Software/Hardware"
 "Confidential - Example Engineering: Software"
 "Confidential - Example Engineering: Hardware"
 "Confidential - Business Units: Engineering"
 "Confidential - Example Operations: IT/Maintenance"
 "Confidential - Example Operations: IT"
 "Confidential - Example Operations: Maintenance"
 "Confidential - Business Units: Operations"
 "Confidential - Example HR: Benefits/Personal Information"
 "Confidential - Example HR: Benefits"
 "Confidential - Example HR: Personal Information"
 "Confidential - Business Units: HR"
 "Confidential - Example Legal: Patents/Compliance"
 "Confidential - Example Legal: Patents"
 "Confidential - Example Legal: Compliance"
 "Confidential - Business Units: Legal"
 "Confidential - Example Finance: Payroll/Accounts"
 "Confidential - Example Finance: Payroll"
 "Confidential - Example Finance: Accounts"
 "Confidential - Business Units: Finance"
 "Confidential - Example M&A: Robots/Widgets"
 "Confidential - Example M&A: Robots"
 "Confidential - Example M&A: Widgets"
 "Confidential - Business Units: M&A"
 "Confidential - Restricted"
 "Confidential - Internal"
 Public