Label Relationships

Labels can have hierarchical relationships, disjoint relationships, and overlapping relationships. For a label encodings file that illustrates these relationships, see Example - Label Encodings File With Reused Compartment Bits.

• Hierarchical relationships are formed when a label dominates another label. A label dominates another label when its classification is at least equal to the other's classification and its compartments include all the bits in the other's compartments. For example, a classification that you created named Confidential that Oracle Solaris might represent internally as number 3 dominates a classification that you created named Public that is internally represented as 1.

  Compartments are represented as arbitrary numbers. Compartments can be hierarchical when the bits of a subcompartment are a subset of one or more other compartments. Subcompartments can also include their own subcompartments. These subcompartments can contain unique bits in addition to the subsets of the compartment bits. A simple example of a compartment and a subcompartment is Highly Restricted with the Restricted subcompartment. Internally, Oracle Solaris adds the Restricted bit to the Highly Restricted bit, so if the Restricted subcompartment is bit 2, Highly Restricted might be bits 2 and 3.

• Disjoint relationships are formed when labels with the same classification have different compartment bits. You can also specify that labels conflict. Disjoint labels are useful to isolate sensitive department information from personnel outside the department. For example, you might create the labels Confidential - Finance: Payroll and Confidential - Finance: Accounts to be disjoint.

• Overlapping relationships are formed when compartments share one or more bits but each compartment has at least one unique bit. Overlapping labels are useful to define an alias, such as an Information Technology alias for writers, course developers, web content providers, and editors.