labelcfg - create and modify label encodings
labelcfg [-e encoding_file] [-f command_file] [subcommand]...
labelcfg help
Labels are used to implement hierarchical and disjoint mandatory access policies. The labelcfg utility specifies the relationships between labels by assigning attributes to their components known as classifications and compartments. Each label consists of a single classification and an optional set of compartments. Together these relationships are referred to as the label encodings.
Classifications are ordered by assigning integer values known as levels. By default labelcfg assigns the next available level when a new classification is added, so it is recommended that classifications are added starting at the lowest level. However, levels can also be assigned explicitly and classifications can be subsequently reordered.
Compartments are initially unordered. Hierarchies can be specified by naming other compartments as subcompartments. Disjoint relationships can be specified by naming other compartments as conflicts.
Compartments can also be assigned as subcompartments of classifications. In that case, specifying the classification implicitly includes its subcompartments.
These policy constraints restrict how classifications and compartments can be combined to form valid labels. However, the constraints must not preclude the formation of a valid label that dominates all the other valid labels. The labelcfg utility validates user inputs to prevent creating an invalid encodings file.
If the encodings file does not exist, then a new empty file is created from the file label_encodings_template. At least one classification must be added before it can be saved.
Property values can be simple strings, or comma-separated lists of simple strings. Simple strings containing white space must be double quoted. An equal sign (=) is required between the property and its values.
The following properties apply to the entire encodings:
An arbitrary title which is stored as a comment in the labeling encodings file.
The default minimum label for users. When Trusted Extensions is not enabled, this property specifies the lowest label to which authorized users may downgrade their files. In this case, the value ADMIN_LOW is recommended.
The default clearance for users. Unless Trusted Extensions is enabled, the value ADMIN_HIGH disables enforcement of the labeling policy for all users unless they have been explicitly assigned a clearance.
Used to add a new classification or to select or remove an existing classification.
Used to add a new compartment or to select or remove an existing compartment.
The following properties apply to the currently selected classification:
The required full name for a classification. Names may consist of multiple words in which case double quotes are required.
An optional short name for a classification. Names may consist of multiple words in which case double quotes are required.
An integer representing the sensitivity of a classification level. The lowest value is 1. The highest value in the default template is 100. The level is set automatically to the next available value when a classification is created.
The name of the classification that is immediately above the current classification. This property is set automatically, but can be used to reorder the current classification.
The name of the classification that is immediately lower than the current classification. This property is set automatically, but can be used to reorder the current classification.
An optional list of compartments that are included by the current classification.
An optional list consisting of sets of compartment combinations that can be used together with the current classification when assigning labels to users.
An optional list consisting of sets of compartment combinations that cannot be used together with the current classification when assigning labels to users. An asterisk (*) specifies that all labels with the current classification are invalid.
Setting either the valid or invalid property clears the other property.
The following properties apply to the currently selected compartment:
The required full name for a compartment. Names may consist of multiple words in which case double quotes are required.
The optional full name for a compartment. Names may consist of multiple words in which case double quotes are required.
An optional phrase that can be associated with the compartment. It will be printed before the compartment when a label including that compartment is displayed.
An optional phrase that can be associated with the compartment. It will be printed after the compartment when a label including that compartment is displayed.
An optional list of compartments that are included by the current compartment.
An optional list of compartments that are mutually exclusive with the current compartment.
The name of the lowest classification with which the current compartment can be combined.
The name of the highest classification with which the current compartment can be combined.
Compartments consist of one or more bits in the range of 0 to 255. The bit property specifies the unique bit number that is assigned to the current compartment exclusive of any of its subcompartments. It is set automatically when a compartment is created. Compartments which include multiple subcompartments might not need a unique bit, in which case, it can be cleared.
Subcommands can be provided in a command file using the –f option, or interactively. Multiple subcommands, separated by semicolons can be specified on the command line by enclosing the entire set in quotation marks. The lack of subcommands implies an interactive session, during which auto-completion of subcommands and values can be invoked by using the TAB key.
The add and select subcommands can be used to specify a classification or compartment, at which point the context changes to that item. During an interactive session, the context is identified in the prompt by the name of the selected item. The end and cancel subcommands are used to complete the specification, at which time the context is reverted to the encodings context.
The property-value can be a simple value, or a list of simple values for those properties which accept lists. The following subcommands are supported:
Begins the specification for a new classification. The context is changed to accept classification properties.
Begins the specification for a new compartment. The context is changed to accept compartment properties.
Adds the specified values to the current classification or compartment. This subcommand can only be applied to the properties that accept lists: subcompartments, conflicts, valid, and invalid.
Ends the specification and resets context to the encodings context. Abandons any partially specified resources. cancel is only applicable in the classification and compartment contexts.
Clears the value(s) for the property.
Commits the current configuration from memory to the file specified through the –e option. The configuration must be committed for the changes to take effect. The commit operation is attempted automatically upon completion of a labelcfg session. Since a configuration must be correct to be committed, this operation does and automatic verification.
After successfully saving the configuration, if the user has the solaris.smf.manage.labels authorization and the pathname starts with /etc/security/tsol/, then the labeld/label_encodings property in the svc:/system/labeld service is updated and the service instance is restarted.
Ends the classification or compartment specification.
Exits the labelcfg session. If there are uncommitted changes, the user is prompted whether to commit the changes before exiting. You can also use an EOF character to exit labelcfg. The –F option can be used to force the action.
Prints the configuration to standard output or to the output file specified by the –f option. This command produces output in a form suitable for subsequent use as an input command file that can be specified on the command line.
Prints general help or help about specific topic.
Lists all the valid labels that are available using the current encodings.
Displays information about the encodings, the currently selected classification or compartment, or the specified property.
Removes the specified classification from the encodings. This subcommand is only valid in the encodings context.
Removes the specified compartment from the encodings. This subcommand is only valid in the encodings context.
Selects the classification to be edited. Either the name or shortname properties can be specified. This subcommand is applicable only in the encodings context.
Selects the compartment to be edited. Either the name or shortname properties can be specified. This subcommand is applicable only in the encodings context.
Sets a given property name to the given value. Any existing values for that property are replaced by the new values. Use the add subcommand to append additional values instead of replacing the current values.
Verifies the current configuration for correctness.
The following options are supported:
Specifies the encodings file to edit. If the file does not exist, it is created and initialized from the template file /etc/security/tsol/label_encodings.template. If the file is not writable, the session operates in read-only mode.
If this option is omitted, the default file specified by the SMF property labeld/encodings_file is used. By default the FMRI is svc:/system/labeld:clearance. However, when Trusted Extensions is enabled, the init instance of this service is used, so the corresponding FMRI is svc:/system/labeld:init.
Specifies an optional command file to use as input. Command files can be generated using the –f option of the export subcommand. When a command file is specified, no other input is accepted. Typically the file specified using –e should be empty. Otherwise it may conflict with the subcommands in the command file.
# labelcfg -e simple "add classification=Confidential;end"Example 2 Creating an Encodings File for Compliance
# labelcfg -e /etc/security/tsol/lef labelcfg:lef> set title="Sample Data Protection Policy" labelcfg:lef> add classification="Public" labelcfg:Public> set shortname="Public" labelcfg:Public> end labelcfg:lef> add classification="Confidential" labelcfg:Confidential> set shortname="Confidential" labelcfg:Confidential> end labelcfg:lef> add compartment="Internal Use Only" labelcfg:Internal Use Only> set minclass="Confidential" labelcfg:Internal Use Only> end labelcfg:lef> add compartment="Payment Data" labelcfg:Payment Data> set subcompartments="Internal Use Only" labelcfg:Payment Data> set minclass="Confidential" labelcfg:Payment Data> end labelcfg:lef> add compartment="Health Records" labelcfg:Health Records> set subcompartments="Internal Use Only" labelcfg:Health Records> set conflicts="Payment Data" labelcfg:Health Records> set minclass="Confidential" labelcfg:Health Records> end labelcfg:lef> add compartment="Highly Restricted" labelcfg:Highly Restricted> clear bit labelcfg:Highly Restricted> set minclass="Confidential" labelcfg:Highly Restricted> set subcompartments="Payment Data,Health Records" labelcfg:Highly Restricted> end labelcfg:lef> select classification="Confidential" labelcfg:Confidential> set invalid="" labelcfg:Confidential> end labelcfg:lef> set min_label=Public labelcfg:lef> set clearance="Confidential Internal Use Only" labelcfg:lef> verify labelcfg:lef> commit labelcfg:lef> exit #Example 3 Using the info Subcommand in the Encodings Context
% labelcfg -e /etc/security/tsol/lef labelcfg:lef> info title=Sample Data Protection Policy classification=Public level=1 classification=Confidential level=2 compartment=Highly Restricted subcompartments="Payment Data,Health Records" minclass=Confidential compartment=Payment Data bit=1 subcompartments="Internal Use Only" minclass=Confidential compartment=Health Records bit=2 subcompartments="Internal Use Only" conflicts="Payment Data" minclass=Confidential compartment=Internal Use Only bit=0 minclass=Confidential min_label=Public clearance=Confidential Internal Use OnlyExample 4 Using the list option to Show the Valid Labels
labelcfg:lef> list "Confidential Highly Restricted" "Confidential Payment Data" "Confidential Health Records" "Confidential Internal Use Only" Public labelcfg:lef>Example 5 Changing the Name of a Compartment
labelcfg:lef> select compartment="Heath Records"
labelcfg:Health Records> set name="Medical Records"
labelcfg:Medical Records> info
compartment=Medical Records
bit=2
subcompartments="Internal Use Only"
conflicts="Payment Data"
minclass=Confidential
labelcfg:Medical Records> end
labelcfg:lef>
See attributes(7) for descriptions of the following attributes:
|
Although labelcfg can be used with label encodings files from Trusted Extensions, it does not manage all of the fields that are described in the Compartmented Mode Workstation Labeling: Encodings Format. For example, it does not support Required Combinations or Printer Banners. So it may not be suitable for modifying existing encodings files.
sandbox(1), clearance(7), labels(7), chk_encodings(8), labeld(8)
The labelcfg command was added in Oracle Solaris 11.4.0.