Label Components

Labels and clearances consist of a single classification and zero or more compartments. The classification portion of a label indicates a relative level of trust. Classifications are hierarchical – a higher classification number indicates a higher level of trust. When a label is assigned to a file, the label's classification is one indication of the sensitivity of the information that the file contains.

Compartments provide a more fine-grained mechanism for specifying the user's level of trust. Compartments are typically used to indicate the scope of the trust. For example, a Human Resources compartment would indicate that the level of trust applies to Human Resources materials. When a clearance is assigned to a user, the classification portion of the clearance label indicates the user's level of trust, and the compartment bits typically indicate the department where that level of trust applies.

In contrast to label numbers, the compartment bit numbers do not indicate dominance. However, compartments with subcompartments form a hierarchy that can be used to indicate levels of trust, such as the bits for Highly Restricted including the bit defined for Restricted.

Each classification corresponds to a unique positive integer from 0 to 255. Higher numbers dominate lower numbers. A label dominates another label if its classification is at least equal to the other label's classification and its compartments include all the bits in the other label's compartments.

Each compartment corresponds to one or more bits. In Oracle Solaris, the number of available compartment bits is 256, but many thousands of compartments can be created from these bits. You can use compartment bits to define hierarchical, disjoint, and overlapping relationships, as described in Label Relationships. Oracle Solaris assigns bit numbers to the compartments that you name. You can change the bit assignments.

As the administrator, you name your classifications from the lowest classification to the highest, and Oracle Solaris assigns the numbers. You can modify the number assignments to redefine the hierarchy. The classification numbers you can use range from 1 to 254.

In the following figure, the label has been assigned a classification of 2. The classification name is "Confidential - ". The compartment names are Internal and Restricted. The Confidential - Internal label uses the classification value and one compartment bit. The Confidential - Restricted label uses the classification value and two bits, compartments 1 and 2.

Figure: Sample Label Definitions. The graphic shows the Confidential - Restricted and Confidential - Internal definitions.
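
The dominance rule and the sample labels described above, as an added example that is not part of the original documentation: a small Python model of the comparison, not the Oracle Solaris label API. It assumes Internal is compartment bit 1; the two classification-3 labels are constructed here to show that a higher classification alone does not dominate.

```python
from dataclasses import dataclass

MAX_COMPARTMENT_BITS = 256  # compartment bits available, per the text


def bits(*numbers: int) -> int:
    """Build a compartment bitmask from compartment bit numbers."""
    mask = 0
    for n in numbers:
        if not 0 <= n < MAX_COMPARTMENT_BITS:
            raise ValueError(f"compartment bit {n} is out of range")
        mask |= 1 << n
    return mask


@dataclass(frozen=True)
class Label:
    classification: int    # hierarchical: a higher number dominates a lower one
    compartments: int = 0  # bitmask: bit numbers themselves imply no ordering

    def __post_init__(self):
        if not 0 <= self.classification <= 255:
            raise ValueError("classification must be in 0..255")

    def dominates(self, other: "Label") -> bool:
        """Classification at least equal AND every compartment bit of other set."""
        return (self.classification >= other.classification
                and (self.compartments & other.compartments) == other.compartments)


def relation(a: Label, b: Label) -> str:
    """Dominance is a partial order, so two labels may be incomparable."""
    if a == b:
        return "equal"
    if a.dominates(b):
        return "dominates"
    if b.dominates(a):
        return "dominated"
    return "incomparable"


# Labels from the text: classification 2 is "Confidential - ".
# Assumption: Internal is compartment bit 1; Restricted is bits 1 and 2.
CONF_INTERNAL = Label(2, bits(1))
CONF_RESTRICTED = Label(2, bits(1, 2))
# Constructed for illustration (not on the page): a higher classification
# with no compartments, and one with an unrelated compartment bit 5.
HIGHER_BARE = Label(3)
HIGHER_OTHER = Label(3, bits(5))
```

Confidential - Restricted dominates Confidential - Internal because its bits include the Internal bit, while both classification-3 labels are incomparable with the Confidential labels because they lack the required compartment bits.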