The procedures in this section install and configure a customized label policy. They include assigning labels to users and file systems. To harden this initial setup, see About Hardening Labeled File Systems.
Before You Begin
You must be the initial user or an administrator with the Software Installation rights profile. The root role has all of these rights. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
# pkg install file_labeling
$ svcs labeld:clearance
STATE          STIME    FMRI
online         Nov_18   svc:/system/labeld:clearance
Defining a label policy is the first step in data loss protection. Later you will assign labels to file systems, and assign selected users a clearance that is higher than the default to view sensitive files.
This procedure uses the following configuration parameters:
Encodings file = site-enc
Minimum label (Lower bound of user labels) = Public
Next higher classification = Confidential
Confidential label hierarchy = Confidential Internal Use Only, Confidential Restricted, Confidential Highly Restricted
Clearance (Upper bound of user labels) = Confidential Internal Use Only
Before You Begin
Complete a label policy assessment. To determine which labels to create, see Configuring Labels on an Oracle Solaris System.
You must be assigned the Object Label Management rights profile or be in the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
If you are using the account-policy service, use the first option. For more information, see account-policy(8S) man page.
Follow the How to Set Account Locking for All Logins in Securing Users and Processes in Oracle Solaris 11.4 procedure, and substitute login_policy/clearance for the property in the procedure.
# pfedit /etc/security/policy.conf
...
## Highest label at which SMF services run by default.
## For services that must run at a higher label, set a higher clearance
## on their start and restart methods.
#CLEARANCE=ADMIN_HIGH
CLEARANCE=ADMIN_LOW
...
You can modify the label_encodings.compliance or label_encodings.default files in the /etc/security/tsol directory or create a new encodings file. The following command creates an encodings file from scratch.
# labelcfg -e /etc/security/tsol/site-enc
labelcfg:site-enc>
labelcfg:site-enc> set title="Name Label Policy"
Start with the lowest classification, which is typically the Public classification.
labelcfg:site-enc> add classification="Public"
labelcfg:Public> set shortname="P"
labelcfg:Public> end
Because public information is public throughout the organization, this label does not require compartments.
labelcfg:site-enc> add classification="Confidential"
labelcfg:Confidential> set shortname="Conf"
labelcfg:Confidential> end
Add compartments to this classification to indicate levels of confidentiality from company-internal to very restricted.
labelcfg:site-enc> add compartment="Internal Use Only"
labelcfg:Internal Use Only> set minclass="Confidential"
labelcfg:Internal Use Only> end
minclass indicates that this compartment cannot be used by the Public classification.
This label is higher because its compartment bits include the Internal Use Only compartment bits.
labelcfg:site-enc> add compartment="Restricted"
labelcfg:Restricted> set minclass="Confidential"
labelcfg:Restricted> set subcompartments="Internal Use Only"
labelcfg:Restricted> end
labelcfg:site-enc> add compartment="Highly Restricted"
labelcfg:Highly Restricted> set minclass="Confidential"
labelcfg:Highly Restricted> set subcompartments=Restricted
labelcfg:Highly Restricted> end
labelcfg:site-enc> set min_label=Public
Choose a label that is suitable for the organization, such as Public. This label is the lower bound for all processes.
labelcfg:site-enc> set clearance="Confidential Internal Use Only"
labelcfg:site-enc> commit
labelcfg:site-enc> info
title=Organization's Label Policy
classification=Public
    level=1
classification=Confidential
    level=2
compartment=Highly Restricted
    bit=2
    subcompartments="Restricted"
    minclass=Confidential
compartment=Restricted
    bit=1
    minclass=Confidential
compartment=Internal Use Only
    bit=0
    minclass=Confidential
min_label=Public
clearance=Confidential Internal Use Only
labelcfg:site-enc> exit
The export subcommand produces output that can be used as input to the labelcfg command to create the exported label policy. In this example, the administrator saves the file to a secure directory.
# labelcfg export -f /opt/adminfiles/site-enc-export1
If you have disjoint labels to define, you can do so now. For an example, see Example - Label Encodings File With Reused Compartment Bits and the labelcfg(8) man page.
To create a labeled file system, you enable the multilevel ZFS property. This action can be performed at any time during the lifetime of a ZFS dataset.
Before You Begin
Create an encodings file. You must have logged out and logged back in. You also must be a user who can assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
$ labelcfg list
list-of-labels
$ labelcfg info clearance
clearance
$ plabel
clearance
The clearance value returned by these two commands should be identical. If the values differ, you did not commit the value of clearance when you edited the encodings file or you have not logged out and logged back in.
$ su - root
Password:
#
# zfs set multilevel=on rpool/existing-fs
# setlabel "label" /existing-fs-mountpoint
For example, to label the /export/home directory:
# zfs set multilevel=on rpool/export/home
# setlabel "Conf - Internal Use Only" /export/home
# zfs create -o multilevel=on -o encryption=on rpool/labeled-fs
# zfs set mountpoint=/mountpoint rpool/labeled-fs
# setlabel "label" /mountpoint
For example, you could label a directory that contains files for company-wide distribution.
# zfs create -o multilevel=on -o encryption=on rpool/ftp-files
# zfs set mountpoint=/ftpsource rpool/ftp-files
# setlabel "Conf - Internal Use Only" /ftpsource
# getlabel /mountpoint
/mountpoint: label
If you do not share a labeled file system with the share.nfs.labeled=on option, the files whose labels are higher than ADMIN_LOW cannot be accessed.
# zfs share -o nfs=on -o share.nfs.labeled=on -o share.nfs.sec=krb5 rpool/labeled-fs
The value of the mlslabel property is the upper bound of the file system and cannot be lowered.
# zfs get mlslabel
NAME                  PROPERTY  VALUE                     SOURCE
...
rpool/VARSHARE/zones  mlslabel  none                      -
rpool/dump            mlslabel  -                         -
rpool/export          mlslabel  none                      -
rpool/export/home     mlslabel  Conf - Internal Use Only  -
If higher-labeled files are added, the upper bound is raised to the label of the higher files. A labeled file system retains its label even if all labeled files are reset or removed.
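The following script is an added example, not part of Oracle Solaris or of this procedure. It models the site-enc hierarchy exactly as the labelcfg info output above reports it (Public level 1, Confidential level 2; Internal Use Only bit 0, Restricted bit 1 carrying Internal Use Only, Highly Restricted bit 2 carrying Restricted), applies the standard dominance rule (a label dominates another when its classification is at least as high and its compartment bits are a superset), and then uses that rule on constructed zfs get -H mlslabel lines to list the file systems whose upper bound a given clearance cannot read in full. The level and bit values are the ones on this page; the sample dataset names are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: a model of the site-enc label hierarchy, used to check which
# labels a clearance dominates and which labeled file systems (by their
# mlslabel upper bound) a clearance can fully read. Not Solaris tooling.

# Classification levels from the encodings: Public=1, Confidential=2.
class_level() {
    case "$1" in
        Public|P)          echo 1 ;;
        Confidential|Conf) echo 2 ;;
        *)                 echo 0 ;;   # unknown classification
    esac
}

# Compartment bit masks. As with labelcfg's subcompartments setting, a
# compartment's mask includes the bits of its subcompartments:
# Restricted (bit 1) carries Internal Use Only (bit 0), and
# Highly Restricted (bit 2) carries Restricted, hence bits 0 and 1 too.
compartment_mask() {
    case "$1" in
        "")                  echo 0 ;;
        "Internal Use Only") echo 1 ;;
        "Restricted")        echo $(( 2 | 1 )) ;;
        "Highly Restricted") echo $(( 4 | 2 | 1 )) ;;
        *)                   echo -1 ;;  # unknown compartment
    esac
}

# Split "Confidential Restricted" or the short form "Conf - Restricted"
# into its classification word and its compartment name.
label_class()       { printf '%s\n' "$1" | sed 's/^\([A-Za-z]*\).*/\1/'; }
label_compartment() { printf '%s\n' "$1" | sed 's/^[A-Za-z]*[ -]*//'; }

# Succeeds when label $1 dominates label $2: classification at least as high
# and compartment bits a superset of $2's bits. A subject may read a file
# only when its clearance dominates the file's label. Labels that the model
# does not know are never treated as dominated.
dominates() {
    c1=$(class_level "$(label_class "$1")")
    c2=$(class_level "$(label_class "$2")")
    m1=$(compartment_mask "$(label_compartment "$1")")
    m2=$(compartment_mask "$(label_compartment "$2")")
    [ "$c2" -gt 0 ] && [ "$m2" -ge 0 ] &&
        [ "$c1" -ge "$c2" ] && [ $(( m1 & m2 )) -eq "$m2" ]
}

# Reads "zfs get -H mlslabel" lines (name, property, value, source, tab
# separated) on stdin and prints the datasets whose upper bound is not
# dominated by clearance $1, i.e. datasets holding files that clearance
# cannot read.
datasets_above_clearance() {
    tab=$(printf '\t')
    while IFS="$tab" read -r name prop value source; do
        case "$value" in
            none|-) continue ;;        # unlabeled dataset or no value
        esac
        dominates "$1" "$value" || printf '%s\n' "$name"
    done
}

# Constructed sample in the format zfs get -H prints; dataset names are
# made up for this example.
demo() {
    printf 'rpool/export\tmlslabel\tnone\t-\n'
    printf 'rpool/export/home\tmlslabel\tConf - Internal Use Only\t-\n'
    printf 'rpool/restricted\tmlslabel\tConfidential Restricted\t-\n'
}

demo | datasets_above_clearance "Confidential Internal Use Only"   # prints rpool/restricted
```

On a live system you would replace demo with `zfs get -Hr mlslabel rpool` and pass the clearance reported by `labelcfg info clearance`; the output is then the list of file systems whose contents a default-clearance user cannot fully read, which is useful when deciding which users need the raised clearance assigned in the next step.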
# usermod -K clearance="higher-than-default-clearance" trusted-user1
# rolemod -K clearance="higher-than-default-clearance" trusted-role1
# usermod -K clearance=Public guest
This policy enables you to audit file-read events and set the audit flags for labeled files.
# auditconfig -setpolicy +labeled-only
# auditconfig -setflags fr,fw,fm,dc,fd,ex,lo
When the labeled-only policy is in effect and the fr audit class is enabled, only reads of labeled files are audited; reads of regular (unlabeled) files are not.
The following script finds all files of a specified label.
#!/bin/sh
# Find all files whose label matches $1 (case-insensitive substring match)
# on every mounted multilevel ZFS file system under rpool.
zfs list -Ho multilevel,mounted,mountpoint -t filesystem -r rpool | \
while read -r multilevel mounted mountpt; do
    if [ "$multilevel" = on ] && [ "$mounted" = yes ]; then
        # getlabel prints "path: label"; keep the label part only.
        find "$mountpt" -print | while read -r file; do
            label=$(getlabel "$file" 2>/dev/null | cut -d: -f2- | \
                    grep -i -- "$1" 2>/dev/null)
            if [ -n "$label" ]; then
                printf '%s\n' "$file"
                printf '\t%s\n' "$label"
            fi
        done
    fi
done