As the administrator, you are responsible for assigning the appropriate clearance to users who need access to labeled files. Only users whose clearance is at least equal to the label on the files can view or modify labeled files. All users receive a clearance through the label encodings file. To give them access to sensitive files, you can directly authorize users to have a higher clearance, or you can assign to authorized users a rights profile that contains commands that run at a high clearance. You can also assign to users a role whose rights profiles run commands at a high clearance.
This procedure shows how to assign a high clearance to users directly, through a rights profile, or through an assigned role.
Before You Begin
You must be assigned the User Management rights profile or be in the root role. For more information, see Using Your Assigned Administrative Rights.
List the labels that the label encodings file defines, from highest to lowest:

$ labelcfg list
label-list-from-highest-to-lowest-label

Assign the clearance directly to a user, or to a role that the user can assume:

# usermod -K clearance=label username
# rolemod -K clearance=label rolename
You can also assign a clearance to users indirectly through a rights profile.
The commands must have sufficient privilege in addition to the higher clearance. Sufficient privilege might include a UID or EUID whose clearance is sufficient for the command to run, or a privilege that the command requires.
The Labeled Audit Review rights profile in the following examples is from How to Create a Labeled Audit Trail in Securing Files and Verifying File Integrity in Oracle Solaris 11.4. You can assign this rights profile directly to the user or to a role that the user assumes.
# usermod -K profiles+="Labeled Audit Review" username
# usermod -K auth_profiles+="Labeled Audit Review" username

# rolemod -K profiles+="Labeled Audit Review" rolename
# rolemod -K auth_profiles+="Labeled Audit Review" rolename

If you assigned the rights profile to a role, assign that role to the user:

# usermod -R +rolename username
After assigning clearances to users, you verify that the configuration enables users with clearances to access files at their clearance, and that users without clearances cannot view or back up the files, or view the audit trail of those files.
# su - cleared-user
cleared-user$ plabel
user's explicit clearance
$ cd labeled-dataset
To test a labeled dataset in a zone, see How to Isolate a Labeled File System in a Zone in Securing Files and Verifying File Integrity in Oracle Solaris 11.4.
For example:
- List the files in the directory.
- Add files to the directory and view the label of the files.
- Remove files from the directory.
- Modify a file in the directory.
- Change to a directory at a different label that is within the user's clearance.
- Send files to a similarly labeled file system.
- Change to a different user and try to send the original user's files to an unlabeled file system. This test should fail.
If the audit trail is in a labeled file system, you must have clearance to read ADMIN_HIGH files. See How to Create a Labeled Audit Trail in Securing Files and Verifying File Integrity in Oracle Solaris 11.4. In the following example, a user who is assigned the Labeled Audit Review rights profile executes the command.
$ pfexec /usr/demo/tsol/auditfiles.ksh audit-html-file
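As an added example (not from the Oracle Solaris documentation), the following POSIX shell wrapper carries out the assignment and verification steps above for a user or a role: it checks the requested label against the output of labelcfg list before calling usermod or rolemod, and for a user reads the clearance back with plabel. It assumes that labelcfg list prints one label per line and that plabel with no arguments prints the bare label; the function names and the placeholder user and role names are my own.

```shell
#!/bin/sh
# Added example, not Oracle's code. Run from the root role or with the
# User Management rights profile, as the procedure requires.
# Assumptions: `labelcfg list` prints one label per line, highest first;
# `plabel` with no arguments prints the caller's label on one line.

# Succeed only if "$1" is a label defined in the label encodings file.
label_is_defined() {
    labelcfg list | grep -Fxq -- "$1"
}

# assign_clearance user|role NAME LABEL
# Refuses labels that are not in the encodings file, applies the clearance
# with usermod or rolemod, and for a user reads it back with plabel.
assign_clearance() {
    kind=$1; name=$2; label=$3
    case $kind in
        user) modcmd=usermod ;;
        role) modcmd=rolemod ;;
        *) echo "assign_clearance: kind must be user or role" >&2; return 2 ;;
    esac
    if ! label_is_defined "$label"; then
        echo "assign_clearance: '$label' is not a defined label" >&2
        return 1
    fi
    "$modcmd" -K clearance="$label" "$name" || return 1
    # Roles are assumed rather than logged in to, so only users are read back.
    [ "$kind" = role ] && return 0
    got=$(su - "$name" -c plabel 2>/dev/null)
    if [ "$got" != "$label" ]; then
        echo "assign_clearance: $name reports '$got', expected '$label'" >&2
        return 1
    fi
}

# Example use (names are placeholders):
# assign_clearance user cleared-user PUBLIC
# assign_clearance role audit-reviewer ADMIN_HIGH
```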