Testing Labeling by Using the Compliance Encodings File

The sample compliance encodings file contains disjoint labels. Disjoint labels can prevent users from seeing department-private information. In the sample label_encodings.compliance file, the Health Records and Payment Data departments are disjoint. This policy isolates payment data from health records, both of which are highly restricted information. The policy is enabled by the commit command.

  1. Commit, then view the label encodings file.

    # cd /etc/security/tsol
    # cp label_encodings.compliance label_encodings.compliance.orig
    # labelcfg -e label_encodings.compliance commit
    # labelcfg info
    title=Sample Data Protection Policy
    classification=Public
    	level=1
    classification=Confidential
    	level=2
    compartment=Highly Restricted
    	subcompartments="Payment Data,Health Records"
    	minclass=Confidential
    compartment=Payment Data
    	bit=0
    	subcompartments="Internal Use Only"
    	conflicts="Health Records"
    	minclass=Confidential
    compartment=Health Records
    	bit=1
    	subcompartments="Internal Use Only"
    	conflicts="Payment Data"
    	minclass=Confidential
    compartment=Internal Use Only
    	bit=2
    	minclass=Confidential
    min_label=Public
    clearance=Confidential Internal Use Only

  2. List the available labels.

    # labelcfg list
    "Confidential Highly Restricted"
    "Confidential Payment Data"
    "Confidential Health Records"
    "Confidential Internal Use Only"
    Public

  3. Create a labeled file system for payment data and health records.

    Add a few payment files and health files, correctly labeled.

  4. Create users with different clearances.

    For example, assign the Confidential Highly Restricted clearance to a user who can access everything, the Confidential Payment Data clearance to a user who can handle only payment data, and the Confidential Health Records clearance to a user who can handle only health records. A user with the Confidential Internal Use Only clearance should not be able to see any payment or health information.

  5. Reboot, then test.
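
To predict what each user from step 4 should see during the test in step 5, the following Python sketch models the committed encodings. It is an added example, not part of the original procedure or of labelcfg. It assumes that a compartment carries its own bit plus the bits of its subcompartments and that reading a file requires the clearance to dominate the file's label; the function names parse, bits, label and can_read are hypothetical.

```python
# Simplified dominance model (an assumption, not labelcfg's own logic).
# INFO is taken from the "labelcfg info" output above, unused fields omitted.
INFO = """\
classification=Public
    level=1
classification=Confidential
    level=2
compartment=Highly Restricted
    subcompartments="Payment Data,Health Records"
compartment=Payment Data
    bit=0
    subcompartments="Internal Use Only"
compartment=Health Records
    bit=1
    subcompartments="Internal Use Only"
compartment=Internal Use Only
    bit=2
"""

def parse(info):
    levels, comps, cur = {}, {}, None
    for raw in info.splitlines():
        key, _, val = raw.strip().partition("=")
        if key in ("classification", "compartment"):
            cur = val  # name that the following indented fields belong to
            if key == "compartment":
                comps[cur] = {"bit": None, "subs": []}
        elif key == "level":
            levels[cur] = int(val)
        elif key == "bit":
            comps[cur]["bit"] = int(val)
        elif key == "subcompartments":
            comps[cur]["subs"] = val.strip('"').split(",")
    return levels, comps

LEVELS, COMPS = parse(INFO)

def bits(name):  # own bit plus, recursively, every subcompartment's bits
    own = {COMPS[name]["bit"]} - {None}
    return own.union(*(bits(s) for s in COMPS[name]["subs"]))

def label(text):  # "Confidential Payment Data" -> (2, {0, 2})
    cls = next(c for c in LEVELS if text == c or text.startswith(c + " "))
    rest = text[len(cls):].strip()
    return LEVELS[cls], (bits(rest) if rest else set())

def can_read(clearance, file_label):  # True if clearance dominates file_label
    (cl, cb), (fl, fb) = label(clearance), label(file_label)
    return cl >= fl and cb >= fb
```

Under these assumptions, can_read("Confidential Payment Data", "Confidential Health Records") is False in both directions, which is the isolation the disjoint labels are meant to provide.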