Trusted Extensions defines two types of labels:
Sensitivity labels, often referred to as labels
Clearance labels, referred to as clearances
Sensitivity labels, label ranges, and a label limit or clearance determine who can access which objects on the system. Clearance labels are assigned to users. Sensitivity labels are assigned to processes, including user processes, and to files and directories.
Some objects have a label range. These objects can be accessed at a particular label within the defined label range. A label range from ADMIN_LOW to ADMIN_HIGH allows access at all labels. The security administrator can narrow that label range. Objects with label ranges include the following:
All hosts and networks with which communications are allowed
User accounts and role accounts
Allocatable devices, such as tape drives, CD-ROM and DVD devices, and audio devices
Other devices that are not allocatable, for example, printers, workstations (which are controlled through the label range of the frame buffer), and serial lines when they are used as a login device
For procedures to manage devices, see Managing Device Allocation in Securing Systems and Attached Devices in Oracle Solaris 11.4 and the device_allocate(5) man page.
Label ranges set limits on the following:
The labels at which hosts can send and receive information.
The labels at which processes acting on behalf of users and roles can access files and directories in zones.
The labels at which users can allocate devices, thereby restricting the labels at which files can be written to storage media in these devices.
The labels at which users can send jobs to printers.
Labels are automatically assigned to email messages. Emails are only visible in an email reader at the label of the message. The label of an email is printed when the email is printed.
Labels are used to implement and control access on a system. Labels implement mandatory access control (MAC). With Trusted Extensions, both discretionary access control (DAC) checks and MAC checks must pass before access is allowed to an object. As in Oracle Solaris, DAC is based on permission bits and access control lists (ACLs). For more information, see Chapter 1, Controlling Access to Files in Securing Files and Verifying File Integrity in Oracle Solaris 11.4.
MAC compares the label of a process that is running an application with the label or the label range of any object that the process tries to access. The labels implement the set of rules that enforce policy. One rule is read down-read equal. This rule applies when a process tries to access an object. The label of the process has to be greater than or equal to the label of the object, as in:
Label[Process] >= Label[Object]
On a system that is configured with Trusted Extensions, files and directories have slightly different access rules from each other and from process objects, network endpoint objects, and device objects. In addition, an object can be accessed in three different ways. A slightly different set of rules applies for each way:
The name of the file, directory, or device can be viewed.
The contents or the attributes of the file, directory, or device can be viewed.
The contents or the attributes of the file, directory, or device can be modified.
Labels and clearances consist of a single classification and zero or more compartments. The classification portion of a label indicates a relative level of protection. When a label is assigned to an object, the label's classification indicates the sensitivity of the information that is contained in the object. When a clearance is assigned to a user, the classification portion of the clearance label indicates the user's level of trust.
Trusted Extensions supports Common IP Security Option (CIPSO) labels. Each label has a classification field that allows 256 values, and a 256-bit compartments field. You cannot use 0 (zero) for a classification, so you can define a total of 255 classifications. For CIPSO labels, 240 compartment bits are available, for a total of 2240 compartment combinations. The components are illustrated in the following figure. Note that "Class" means "Classification" and "Comp" means "Compartment".
Figure 1 CIPSO Label Definition
The ADMIN_HIGH label and the ADMIN_LOW label are administrative labels. These labels define the upper bound and lower bound of all labels on a system.
Each compartment has one or more compartment bits assigned. The same compartment bit can be assigned to more than one compartment.
The textual format of a classification appears similar to the following:
CLASSIFICATIONS: name= TOP SECRET; sname= TS; value= 6;initial compartments= 4-5;
The compartment portion of a label is optional. Compartments in a label can be used to represent different kinds of groupings, such as workgroups, departments, divisions, or geographical areas. Compartments can also further identify how information will be handled.
When initial compartments are part of the classification definition, then compartments are part of that label. In the following excerpt, name indicates a compartment that can be used with the TS classification.
WORDS: name= A; compartments= 0; name= B; compartments= 1; name= CNTRY1; sname= c1; compartments= ~4; name= CNTRY2; sname= c2; compartments= ~5;
Possible labels from the preceding classifications and compartments include TS, TS A, TS B, and TS AB. A file with the TS A label would be available only to users who have the TS classification and the A compartment in their clearances. For an illustration, see Representation of the TS, TS A, TS B, and TS AB Labels.
When any type of label has a security level that is equal to or greater than the security level of a second label, the first label is said to dominate the second label. This comparison of security levels is based on classifications and compartments in the labels. The classification of the dominant label must be equal to or higher than the classification of the second label. Additionally, the dominant label must include all the compartments in the second label. Two equal labels are said to dominate each other.
By these criteria, TS A dominates TS, and TS dominates TS. The classification and compartment bits of the Top Secret (TS) label are shown in the following figure.
Figure 2 Representation of the TS, TS A, TS B, and TS AB Labels
Another kind of dominance, strict dominance, is sometimes required for access. One label strictly dominates another label when the first label has a security level that is greater than the security level of the other label. Strict dominance is dominance without equality. The classification of the first label is higher than the classification of the second label. The first label contains all the compartments in the second label. Or, if the classifications of both labels are the same, the first label contains all the compartments in the second label, in addition to one or more additional compartments.
Labels that are not in a dominance relationship are said to be disjoint. Disjoint labels are appropriate for separating departments at a company. For example, the label TS HR (Human Resources) would be disjoint from TS Sales.
Certain combinations of label components can be disqualified by rules in the label_encodings file. Combination rules implicitly define the organization's usable labels. The security administrator is responsible for specifying combination rules.
A minimum clearance and a minimum sensitivity label must be specified.
These system-wide minimum labels establish the lowest clearance and the lowest label that any regular user can have.
Initial compartments (compartment bits) can be assigned to a classification.
Initial compartment bits are always associated with the classification in a label. For more details, see Classification Name Syntax.
A minimum classification, an output minimum classification, and a maximum classification can be associated with any word.
Hierarchies among words can be defined by the bit patterns that are chosen for each word.
Required combinations of words can be specified.
Combination constraints can be specified for words.
The term accreditation range is also used for the label ranges that are assigned to user and role accounts, printers, hosts, networks, and other objects. Because rules can constrain the set of valid labels, label ranges and accreditation ranges might not include all the potential combinations of label components in a range.
The system accreditation range includes the administrative labels ADMIN_HIGH and ADMIN_LOW. The system accreditation range also includes all the well-formed labels that are constructed from the label components in the label_encodings file.
Administrative role accounts are usually the only accounts that can work at every label within the system accreditation range. An organization can also set up regular user accounts so that users can perform a task that requires an administrative label.
Figure 3 How System Accreditation Range Is Constrained by Rules
How System Accreditation Range Is Constrained by Rules (a) shows all potential combinations given the classifications, TS (TOP SECRET), S (SECRET), and C (CONFIDENTIAL), and the compartments, A and B.
How System Accreditation Range Is Constrained by Rules (b) shows a typical rule from the REQUIRED COMBINATIONS subsection of the SENSITIVITY LABELS section and its effects. The lines bracket the labels that are disqualified by the rule. Disqualified labels appear with lines through them. The REQUIRED COMBINATIONS syntax B A means that any label that has B as a compartment must also contain A. The converse is not true. Compartment A is not required to be combined with any other compartments. Because compartment B is only permitted when A is also present, the labels TS B, S B, and C B are not well-formed. Labels that are not well-formed are not in the system accreditation range.
The user accreditation range is the largest set of labels that regular users can access when using Trusted Extensions. The user accreditation range always excludes ADMIN_HIGH and ADMIN_LOW. The user accreditation range is further constrained by any rules that constrain the System Accreditation Range. In addition, the user accreditation range can be constrained by a set of rules in the ACCREDITATION RANGE section of the label_encodings file. ACCREDITATION RANGE Section of label_encodings File continues the How System Accreditation Range Is Constrained by Rules example. ACCREDITATION RANGE Section of label_encodings File shows three different types of rules in the ACCREDITATION RANGE section and their effects on the user accreditation range. The lines bracket to the well-formed labels that the particular rule permits.
Figure 4 ACCREDITATION RANGE Section of label_encodings File
As shown in the box to the right, the user accreditation range excludes ADMIN_HIGH and ADMIN_LOW. The rule for the TS classification (shown in How System Accreditation Range Is Constrained by Rules) includes all TS combinations except TS B. However, because TS B, and S B and C B, were previously overruled by the REQUIRED COMBINATIONS rule B A (as shown in How System Accreditation Range Is Constrained by Rules), TS A B, TS A, and TS are the only allowed TS combinations. As shown in ACCREDITATION RANGE Section of label_encodings File, because S A B is defined as the only valid combination for the S classification, S B is excluded again. All C combinations except C A are valid, according the rule for the C classification. However, because C B was overruled earlier, the only permitted combinations for the C classification are C A B and C.
The account label range is the range of labels that is available to a user account or role account. This range governs the labels at which the user can work when logging in to the system.
The labels that are available in the account label range have the following constraints:
The user clearance defines the upper bound of the account label range.
A clearance does not have to be a valid label. Because it must dominate all labels at which the user can work, the clearance must contain all the components of all the labels at which the user can work.
The minimum label sets the lower bound of the account label range.
The minimum sensitivity label in the label_encodings file defines an absolute minimum on labels at which any user can work.
Consider a label_encodings file that prohibits the combination of compartments A, B, and C in a label. The valid clearance in this label_encodings file is not a valid label for a user.
The minimum label would be TS with no compartments.
TS A B C would be a valid clearance. TS A B C would not be a valid label.
Valid labels for a user would be TS, TS A, TS B, and TS C.
The possible clearances and minimum labels that can be assigned to a user are shown in the following example. These labels are based on the accreditation examples from the previous sections.
Figure 5 Constraints on Account Label Ranges
In this example, TS A B is the highest label in the system accreditation range. This label contains the only two compartments, A and B, that are permitted to appear together in a label with any classification. TS A B is the clearance assigned to the account.
C is the user's minimum label. The definitions in the account label range constrain the user to work at labels TS A B, TS A, TS, S A B, C A B, or C.
The permitted clearances are TS A B, TS A, TS and S A B. A minimum clearance of S A B is set in the label_encodings file.
Even if TS A B were not a valid label, the security administrator could assign the label as a clearance. The assignment would allow the user to use any valid labels that are dominated by TS and that contain the words A and B. In contrast, if TS were assigned as the account clearance, the user could work at the labels TS and C only. TS without any compartments does not dominate S A B or C A B.
Figure 1, Table 1, Accreditation Range and Account Label Range Examples provides a more complex example. The example illustrates the differences between the possible label combinations, the system accreditation range, the user accreditation range, and some example account label ranges.
Regular users without any authorizations can work only with the labels in the User Accreditation Range column.
The fourth column shows the Account Label Range for a user with a clearance of TS A B and a minimum label of S A B. This range allows the user to work with the labels TS A B, TS A, TS, and S A B.
The fifth column shows an account with a clearance of TS and a minimum label of C. This account would be allowed to work only with TS, S, and C labels because all the other valid labels that are dominated by TS include the compartments A and B. A and B are not in the clearance.
The sixth column shows a user who is authorized to work outside the user accreditation range. This user is assigned a single label of ADMIN_LOW.
The session range is the set of labels that is available to a user account during a Trusted Extensions session. The session range is a function of the following constraints:
The label range of the user
The label that the user chose at login
The label range of the local system
The session range of a single-label account is the label of the account. Moving to a different label is possible only when a user account is configured to use multiple labels and the account label range is from ADMIN_HIGH to ADMIN_LOW. To move to a different label, the user logs in to a different zone at a different label.
The single label or session clearance that is chosen at login is in effect throughout the session until logout. During a multilabel session, the user can work at any valid label that is dominated by the session clearance and that dominates the user's minimum label.
Comparison of Session Ranges continues the Constraints on Account Label Ranges example. As shown in Constraints on Account Label Ranges, the user can specify a session clearance that uses any well-formed label between TS A B and S A B.
Comparison of Session Ranges (a) shows the labels that are available if the user selects a multilabel session with a session clearance of S A B. Because the other intermediate labels between S A B and C are not well-formed, the user can only work at S A B, C A B, or C.
Comparison of Session Ranges (b) shows the labels that are available if the user selects a single-label session with a session label of C A B. Note that C A B is below the minimum clearance. However, C A B is accessible because the user is selecting a session label, not a clearance. Because the session is single-label, the user can work at only one label. In this example, the user specified C A B, although S A B or C could have been chosen instead.
Figure 6 Comparison of Session Ranges
The following figure summarizes the progressive eliminations of available labels. The eliminated labels are shown with a line through them in the range where they are filtered out. The filtered out labels are not shown in subsequent ranges.
Figure 7 Cumulative Effect of Constraints on a Session Range
The following set of examples show session label limitations and availability based on users' session choices. These examples continue the example from Cumulative Effect of Constraints on a Session Range.Example 2 Effect of Using Default Label in Multilevel Session
At initial login, the user is assigned the lowest label in the user's account. If the lowest label is CONFIDENTIAL, the user user's first workspace is labeled CONFIDENTIAL. The user can then open workspaces at CONFIDENTIAL A B and SECRET A B, the session clearance.Example 3 Effect on Multilevel Session of User Choosing Higher Label at Initial Login
If the user chooses a higher label at initial login, such as CONFIDENTIAL A B, the user's first workspace is labeled CONFIDENTIAL A B. The user can open a higher-labeled workspace SECRET A B, but cannot open a CONFIDENTIAL workspace during that session.Example 4 Label Availability in Single-Level Session
At initial login, the user must choose a label. The available labels are within the user's label range up to the session clearance. If the clearance is SECRET A B, the labels that are available for the user to choose are CONFIDENTIAL, CONFIDENTIAL A B, SECRET A B. After choosing a label like SECRET A B, the user's first workspace is labeled SECRET A B. Because the session is single-level, the only available workspace label is SECRET A B.