1. Securing Files and Verifying File Integrity in Oracle Solaris 11.4
  2. Labeling Files for Data Loss Protection
  3. Viewing and Testing Sample Label Encodings Files
  4. Testing Labeling by Using the Default Encodings File

Testing Labeling by Using the Default Encodings File

  1. To test labels, you must set the clearance value to a user label in the default encodings file.

    The following commands list the available labels, set a new clearance value, and display the new clearance.

    # cp label_encodings.default label_encodings.default.orig
# labelcfg list
"Confidential - Highly Restricted"
"Confidential - Restricted"
"Confidential - Internal"
Public
# labelcfg 'set clearance="Confidential - Internal"'
# labelcfg info clearance
clearance=Confidential - Internal

    Note:

    The clearance value is typed within double quotes because it contains spaces. However, the shell interprets the double quotes and then removes them. When you surround the subcommand with single quotes, the shell removes the single quotes and leaves the double quotes.

  2. Create a labeled file system, mount it, and enable DAC access to any user.

    # zfs create -o multilevel=on -o encryption=on rpool/defaultenc
# zfs set mountpoint=/defaultenc rpool/defaultenc
# cd / ; cd rpool
# chmod 777 defaultenc

  3. Create test users at different clearances. Users who are created without a clearance inherit the default, Confidential - Internal.

    # useradd -m /export/home -K clearance="Confidential - Highly Restricted" high1
# useradd -m /export/home -K clearance="Confidential - Restricted" rest1
# useradd -m /export/home test1

  4. Reboot, then test.

    For various items to test, see How to Verify User Access to Labeled Files in Securing Users and Processes in Oracle Solaris 11.4.

  5. After the testing is complete, you can delete the labeled dataset, delete the users with high clearances, and enable the default label encodings file.

    # zfs destroy rpoot/defaultenc
# userdel -r high1 ; usermod -r rest1 ; usermod -r test1
# labelcfg -e /etc/security/tsol/label_encodings.default.orig commit

Example 3-4 Customizing a Test Label Policy

In this example, you modify the existing template with the name of your organization. This example calls the organization ExampleCo. 

# cd /etc/security/tsol
# cp label_encodings.default label_encodings.exampleco
# labelcfg -e label_encodings.exampleco
labelcfg:label_encodings.exampleco> set title="Data Protection Policy for ExampleCo"
labelcfg:label_encodings.exampleco> select classification="Confidential -"
labelcfg:Confidential -> set shortname="Conf ExampleCo -"
labelcfg:Confidential -> end
labelcfg:label_encodings.exampleco> set clearance="Conf ExampleCo - Internal"
labelcfg:label_encodings.exampleco> commit
labelcfg:label_encodings.exampleco> list
"Conf ExampleCo - Highly Restricted"
"Conf ExampleCo - Restricted"
"Conf ExampleCo - Internal"
Public
labelcfg:label_encodings.exampleco> info clearance
clearance=Conf ExampleCo - Internal
labelcfg:label_encodings.exampleco> exit

After you commit this label policy, regular users at login would be operating at the Conf ExampleCo - Internal label. Only users whom you configure with an explicit higher clearance can access sensitive files labeled as Conf ExampleCo - Restricted or Conf ExampleCo - Highly Restricted.