How to Configure Your Label Policy

Complete a label policy assessment. To determine which labels to create, see Configuring Labels on an Oracle Solaris System.

You must be assigned the Object Label Management rights profile or be in the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

Defining a label policy is the first step in data loss protection. Later you will assign labels to file systems, and assign selected users a clearance that is higher than the default to view sensitive files.

This procedure uses the following configuration parameters:

  • Encodings file = site-enc

  • Minimum label (Lower bound of user labels) = Public

  • Next higher classification = Confidential

  • Confidential label hierarchy = Confidential Internal Use Only, Confidential Restricted, Confidential Highly Restricted

  • Clearance (Upper bound of user labels) = Confidential Internal Use Only

  1. As root, assign the ADMIN_LOW clearance as the default clearance for all SMF services.

    With this setting, services run at the lowest label unless you explicitly raise the clearance on a service's start and restart methods, so a service cannot read labeled data by default. If you are using the account-policy service, use the first option. For more information, see the account-policy(8S) man page.

    • Modify the login_policy/clearance security attribute in SMF.

      Follow the procedure How to Set Account Locking for All Logins in Securing Users and Processes in Oracle Solaris 11.4, substituting login_policy/clearance for the property that procedure sets and ADMIN_LOW for its value.

    • DEPRECATED: Comment out the original line in the policy.conf file and add the ADMIN_LOW clearance.

      # pfedit /etc/security/policy.conf
      ...
      ## Highest label at which SMF services run by default.
      ## For services that must run at a higher label, set a higher clearance
      ## on their start and restart methods.
      #CLEARANCE=ADMIN_HIGH
      CLEARANCE=ADMIN_LOW
      ...
  2. Create an encodings file.

    You can modify the label_encodings.compliance or label_encodings.default files in the /etc/security/tsol directory or create a new encodings file. The following command creates an encodings file from scratch.

    # labelcfg -e /etc/security/tsol/site-enc
    labelcfg:site-enc>
  3. Title the label policy.
    labelcfg:site-enc> set title="Organization's Label Policy"
  4. Define the labels you will use at your site to protect data.

    Start with the lowest classification, which is typically the Public classification.

    labelcfg:site-enc> add classification="Public"
    labelcfg:Public> set shortname="P"
    labelcfg:Public> end

    Because public information is public throughout the organization, this label does not require compartments.

  5. Define the next higher classification.
    labelcfg:site-enc> add classification="Confidential"
    labelcfg:Confidential> set shortname="Conf"
    labelcfg:Confidential> end

    Add compartments to this classification to indicate levels of confidentiality from company-internal to very restricted.

  6. Create the lowest Confidential label by defining the classification's first compartment.
    labelcfg:site-enc> add compartment="Internal Use Only"
    labelcfg:Internal Use Only> set minclass="Confidential"
    labelcfg:Internal Use Only> end

    minclass sets the lowest classification with which this compartment can be combined. Here it indicates that the compartment cannot appear in a Public label, so the lowest label that carries it is Confidential Internal Use Only.

  7. Define the next higher label.

    Setting Internal Use Only as a subcompartment makes the compartment bits of Restricted a superset of the Internal Use Only bits, so Confidential Restricted dominates Confidential Internal Use Only: a process at the higher label can read files at the lower one, but not the reverse.

    labelcfg:site-enc> add compartment="Restricted"
    labelcfg:Restricted> set minclass="Confidential"
    labelcfg:Restricted> set subcompartments="Internal Use Only"
    labelcfg:Restricted> end
  8. Define the next higher label and set Restricted as its subcompartment.
    labelcfg:site-enc> add compartment="Highly Restricted"
    labelcfg:Highly Restricted> set minclass="Confidential"
    labelcfg:Highly Restricted> set subcompartments=Restricted
    labelcfg:Highly Restricted> end
  9. Define the min_label value.
    labelcfg:site-enc> set min_label=Public

    Choose a label that is suitable for the organization, such as Public. This label is the lower bound of user labels; no user process runs below it.

  10. Define the clearance and commit the label policy.
    labelcfg:site-enc> set clearance="Confidential Internal Use Only"
    labelcfg:site-enc> commit

    This label is the default clearance for all user processes. Only users to whom you explicitly assign a higher clearance can view files at the higher Confidential labels.

  11. Display the details of your label hierarchy.
    labelcfg:site-enc> info
    title=Organization's Label Policy
    classification=Public
    	level=1
    classification=Confidential
    	level=2
    compartment=Highly Restricted
    	bit=2
    	subcompartments="Restricted"
    	minclass=Confidential
    compartment=Restricted
    	bit=1
    	subcompartments="Internal Use Only"
    	minclass=Confidential
    compartment=Internal Use Only
    	bit=0
    	minclass=Confidential
    min_label=Public
    clearance=Confidential Internal Use Only
    labelcfg:site-enc> exit
  12. Save your work into a flat file.

    The export subcommand produces output that can be used as input to the labelcfg command to re-create the exported label policy. In this example, the administrator saves the file to a secure directory. As in Step 2, name the encodings file with the -e option if the file you are exporting is not the default encodings file.

    # labelcfg export -f /opt/adminfiles/site-enc-export1
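
The following Python script is an added example and is not Oracle's labelcfg code. It models the hierarchy built in Steps 3 through 10 (the levels and compartment bits are the ones the info output in Step 11 shows), implements the dominance rule that decides which label can read which file, checks that the clearance dominates min_label and that no two compartments share a bit, and writes out the same command sequence as one text. The layout of that text mirrors the interactive session above; that it matches the format labelcfg itself exports is an assumption, so review the real export before feeding either file back to labelcfg.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Classification:
    name: str
    shortname: str
    level: int                     # hierarchical level, as shown by 'info'


@dataclass(frozen=True)
class Compartment:
    name: str
    bit: int                       # compartment bit, as shown by 'info'
    minclass: str                  # lowest classification allowed to use it
    subcompartments: tuple = ()    # compartments whose bits this one also carries


# The policy of Steps 3-10, constructed from the values on this page.
CLASSIFICATIONS = {
    "Public": Classification("Public", "P", 1),
    "Confidential": Classification("Confidential", "Conf", 2),
}
COMPARTMENTS = {
    "Internal Use Only": Compartment("Internal Use Only", 0, "Confidential"),
    "Restricted": Compartment("Restricted", 1, "Confidential", ("Internal Use Only",)),
    "Highly Restricted": Compartment("Highly Restricted", 2, "Confidential", ("Restricted",)),
}
MIN_LABEL = "Public"
CLEARANCE = "Confidential Internal Use Only"


def compartment_bits(name):
    """Bit set of a compartment including its subcompartments, transitively.
    Highly Restricted -> Restricted -> Internal Use Only gives 0b111."""
    comp = COMPARTMENTS[name]
    bits = 1 << comp.bit
    for sub in comp.subcompartments:
        bits |= compartment_bits(sub)
    return bits


def parse_label(text):
    """Return (level, bits) for a label such as 'Confidential Restricted'.
    The first word is the classification; the rest, if present, is one
    compartment name.  Raises ValueError when minclass forbids the pairing."""
    cls_name, _, comp_name = text.partition(" ")
    cls = CLASSIFICATIONS[cls_name]
    bits = 0
    if comp_name:
        comp = COMPARTMENTS[comp_name]
        if cls.level < CLASSIFICATIONS[comp.minclass].level:
            raise ValueError(f"{comp_name!r} needs at least {comp.minclass}, got {cls_name}")
        bits = compartment_bits(comp_name)
    return cls.level, bits


def is_valid_label(text):
    """True when the label names known components and respects minclass."""
    try:
        parse_label(text)
        return True
    except (KeyError, ValueError):
        return False


def dominates(upper, lower):
    """MAC dominance: upper's level is >= lower's and upper's compartment bits
    are a superset of lower's.  A process reads a file only if the process
    label dominates the file label."""
    lu, bu = parse_label(upper)
    ll, bl = parse_label(lower)
    return lu >= ll and (bu & bl) == bl


def labelcfg_commands(title):
    """The command sequence of Steps 3-10 as one text, in the page's order:
    classifications before the compartments that reference them.  The exact
    export format of labelcfg is assumed, not copied from the tool."""
    lines = [f'set title="{title}"']
    for cls in CLASSIFICATIONS.values():
        lines += [f'add classification="{cls.name}"',
                  f'set shortname="{cls.shortname}"', "end"]
    for comp in COMPARTMENTS.values():
        lines += [f'add compartment="{comp.name}"',
                  f'set minclass="{comp.minclass}"']
        if comp.subcompartments:
            lines.append(f'set subcompartments="{",".join(comp.subcompartments)}"')
        lines.append("end")
    lines += [f"set min_label={MIN_LABEL}", f'set clearance="{CLEARANCE}"', "commit"]
    return "\n".join(lines) + "\n"


def check_policy():
    """Checks worth running before 'commit'; returns a list of problems."""
    problems = []
    if not dominates(CLEARANCE, MIN_LABEL):
        problems.append("clearance does not dominate min_label")
    bits = [c.bit for c in COMPARTMENTS.values()]
    if len(set(bits)) != len(bits):
        problems.append("two compartments share a bit")
    return problems


if __name__ == "__main__":
    print(labelcfg_commands("Organization's Label Policy"))
    for hi, lo in [("Confidential Highly Restricted", "Confidential Restricted"),
                   ("Confidential Internal Use Only", "Public"),
                   ("Confidential Restricted", "Confidential Highly Restricted")]:
        print(f"{hi!r} dominates {lo!r}: {dominates(hi, lo)}")
    print("policy problems:", check_policy() or "none")
```

The dominance check is the point of the subcompartment settings in Steps 7 and 8: because each higher compartment carries the bits of the one below it, the three Confidential labels form a strict chain, and a user cleared only to Confidential Internal Use Only cannot read Restricted or Highly Restricted files. The check_policy function catches the two mistakes that are easy to make when editing an encodings file by hand, a clearance that does not dominate min_label and a reused bit (which, for intentionally disjoint labels, is the case described under Next Steps).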

Next Steps

If you have disjoint labels to define, you can do so now. For an example, see Example - Label Encodings File With Reused Compartment Bits and the labelcfg(8) man page.