JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Trusted Extensions Label Administration     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

1.  Labels in Trusted Extensions (Overview)

2.  Planning Labels in Trusted Extensions (Tasks)

3.  Creating a Label Encodings File (Tasks)

Encodings File Syntax

Word Order Requirements

Classification Name Syntax

Keywords for Classifications

Default and Inverse Words

Compartment Words

Hierarchical Compartment Words

Managing a Label Encodings File (Task Map)

How to Create a label_encodings File

How to Analyze and Verify the label_encodings File

How to Distribute the label_encodings File

How to Add or Rename a Classification

How to Specify Default and Inverse Words

How to Create a Single-Label Encodings File

How to Debug a label_encodings File

4.  Labeling Printer Output (Tasks)

5.  Customizing the LOCAL DEFINITIONS Section (Tasks)

6.  Planning an Organization's Encodings File (Example)

A.  Encodings File for SecCompany (Example)

Index

Managing a Label Encodings File (Task Map)


Caution

Caution - The safest time to modify a label_encodings file is before a regular user logs in. Proceed with caution when modifying a file that is in use. For details, see the label_encodings(4) man page.


The following task map describes the tasks for modifying and installing a label_encodings file.

Task
For Instructions
Create or modify the label_encodings file.
Test the label_encodings file.
Distribute the label_encodings file.
Debug a label_encodings file.
Change a classification definition.
Create default or inverse words.
Customize a single-label file.
Specify a label name.
Add a LOCAL DEFINITIONS section.

How to Create a label_encodings File

For sample files, see the /etc/security/tsol directory on an installed system. The files are described in Encodings Files From Trusted Extensions.

You can create a label_encodings file before you install Trusted Extensions on your first system. On that first system, you check the file. You can also create this file on the first system that you install with Trusted Extensions. The label_encodings file must be accurate and tested before a second system is configured with Trusted Extensions.

Before You Begin

On a system that is configured with Trusted Extensions, you must be in the Security Administrator role in the global zone. On other systems, you can create and edit the file in any text editor.

  1. Create a backup copy of the original label encodings file.
    # cp encodings-filename encodings-filename.orig
  2. In an editor, open the label encodings file.
  3. Modify the label encodings file.

    For details, see How to Plan the Encodings File.

  4. Save your changes.

Next Steps

Continue with How to Analyze and Verify the label_encodings File.

How to Analyze and Verify the label_encodings File

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Check the label definitions and the relationships of the labels.

    In a terminal, use the chk_encodings -a command to analyze and report on label relationships.

    $ /usr/sbin/chk_encodings -a encodings-file

    If the file does not pass, see How to Debug a label_encodings File for assistance. Do not continue to the next step until the file represents your label relationships correctly.

  2. Verify the syntax of the file.
    1. Run the chk_encodings command.
      # /usr/sbin/chk_encodings encodings-file
    2. Resolve errors.

      If the command reports errors, the errors must be resolved before continuing.

  3. Make the file the active label_encodings file.
    # cp /full-pathname-of-label-encodings-file \
     /etc/security/tsol/label.encodings.site
    # cd /etc/security/tsol
    # cp label_encodings label_encodings.tx.orig
    # cp label.encodings.site label_encodings
  4. Test the encodings file.

    Where possible, test the file on a few systems before approving the file for all systems at your site. For example, install one labeled system as a file server and another labeled system as a user's system. Communicate between the two at all labels. Transfer files at all labels, and so on.

Next Steps

When the file is ready to be installed on the network, see How to Distribute the label_encodings File.

How to Distribute the label_encodings File

  1. Create a master copy of the label_encodings file.

    For copying instructions, see How to Copy Files to Portable Media in Trusted Extensions in Trusted Extensions Configuration and Administration.


    Note - Store the master copy on labeled media in a protected location.


  2. Immediately after installing a system with Trusted Extensions, copy the master file onto the system.

    For copying instructions, see How to Copy Files From Portable Media in Trusted Extensions in Trusted Extensions Configuration and Administration.

How to Add or Rename a Classification

Before You Begin

You must be in the Security Administrator role in the global zone. To be able to add classifications, you left gaps in the classification numbers in the label_encodings file.

  1. Back up the label_encodings file.
    # cp label_encodings label_encodings.orig
  2. Edit the label_encodings file.
    # pfedit encodings-file
  3. Update the version number.

    In the VERSION= section update the version number and the date.

    VERSION= Trusted Extensions Example Version - 5.11 09/05/28

    SCCS keywords are used for the version number and the date. For details, see the sccs(1) man page.

    VERSION= MyCo Example Version - %I% %E%
  4. Add or rename the classification by performing one of the following:
    • In the CLASSIFICATIONS section, add the new classification.

      Specify a long name, short name, and numeric value.

      name= REGISTERED; sname= R; value= 15; 
    • In the CLASSIFICATIONS section, rename an existing classification.
      * name= INTERNAL_USE_ONLY; sname= IUO; value= 12; 
      name= INTERNAL; sname= I; value= 12; 
  5. Add the new classification to the ACCREDITATION RANGE section.

    The following example shows three new classifications that are added to the ACCREDITATION RANGE section. Each classification is specified with all compartment combinations valid.


    Note - If you rename a classification, update the name in the ACCREDITATION RANGE section.


    ACCREDITATION RANGE:
    
    classification= UNCLASSIFIED;        all compartment combinations valid;
    
    * i is new in this file
    classification= INTERNAL_USE_ONLY;   all compartment combinations valid;
    
    * n is new in this file
    classification= NEED_TO_KNOW;        all compartment combinations valid;
    
    classification= CONFIDENTIAL;        all compartment combinations valid except:
    c
    c a
    c b
    
    classification= SECRET;               only valid compartment combinations:
    . . .
    * r is new in this file
    classification= REGISTERED;           all compartment combinations valid;
  6. Adjust the ACCREDITATION RANGE section, if necessary.

    You might need to make the new classification a minimum classification.

    minimum clearance= u; 
    minimum sensitivity label= u; 
    minimum protect as classification= u;

    Note - Make sure that you set a minimum clearance that is dominated by all the clearances that you plan to assign to users. Similarly, make sure that the minimum sensitivity label is dominated by all the minimum labels that you plan to assign to users.


Next Steps

Verify the file by performing How to Analyze and Verify the label_encodings File.

Distribute the file by following How to Distribute the label_encodings File.

How to Specify Default and Inverse Words

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Back up the label_encodings file.
    # cp label_encodings label_encodings.orig
  2. Edit the label_encodings file.
    # pfedit encodings-file
  3. Specify initial compartments.

    In the CLASSIFICATIONS section, specify the initial compartments as part of the classification definition. For example, in the following CLASSIFICATIONS section, WEB COMPANY has two initial compartments, 4 and 5:

    CLASSIFICATIONS:
    name= PUBLIC;  sname= P;  value= 1;
    name= WEB COMPANY;  sname= WEBCO;  value= 2; initial compartments= 4-5 ;
  4. Specify a default word by assigning an initial compartment bit to the word.

    In the following example, the initial compartment bits, 4 and 5, are assigned to three words:

    name= DIVISION ONLY;  sname= DO;  minclass=  IUO; compartments= 4-5;
    name= WEBC AMERICA;  sname= WEBCA; minclass= IUO; compartments= 4;
    name= WEBC WORLD;  sname= WEBCW; minclass= IUO; compartments= 5;
  5. Specify an inverse word.

    Inverse words are created by preceding an initial compartment with a tilde (~).

    In the following example, the initial compartment bits, 4 and 5, are preceded by a tilde in the WEBC words:

    name= DIVISION ONLY;  sname= DO;  minclass=  IUO; compartments= 4-5;
    name= WEBC AMERICA;  sname= WEBCA; minclass= IUO; compartments= ~4;
    name= WEBC WORLD;  sname= WEBCW; minclass= IUO; compartments= ~5;
  6. Save your changes.

Next Steps

Verify the file by performing How to Analyze and Verify the label_encodings File.

Troubleshooting

For any compartment bits that are not reserved for later assignment, you need to assign a word to the bit in the following sections:

How to Create a Single-Label Encodings File

Certain labels must always be present in a label_encodings file:

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Open an existing encodings file or create a new one.

    Provide a name that is different from the installed label_encodings file.

    # pfedit label_encodings.myco.single
  2. Specify one classification and only the desired compartments.

    For example, you could set up an encodings file with the INTERNAL_USE_ONLY classification, and specify no words.

    VERSION= MyCompany Single-Label Encodings - 1.01 10/10/11
    . . .
    CLASSIFICATIONS:
    
    name= INTERNAL_USE_ONLY;       sname= INTERNAL;  value= 5;
    
    INFORMATION LABELS:
    
    WORDS:
    
    SENSITIVITY LABELS:
    
    WORDS:
    
    CLEARANCES:
    
    WORDS:
    
    CHANNELS:
    
    WORDS:
    
    PRINTER BANNERS:
    
    WORDS:
  3. In the ACCREDITATION RANGE section, include only one classification and one valid compartment combination.

    In the following example, the INTERNAL classification is encoded.

    ACCREDITATION RANGE:
    
    classification= INTERNAL;
    only valid compartment combinations:
    
    INTERNAL
    
    minimum clearance= INTERNAL;
    minimum sensitivity label= INTERNAL;
    minimum protect as classification= INTERNAL;
  4. Add and modify the LOCAL DEFINITIONS section.

    For details, see Modifying Oracle Extensions (Task Map).

Example 3-6 Defining the Accreditation Range in a Single-Label Encodings File

The following example shows the settings in the ACCREDITATION RANGE section for a single-level label encodings file. A single ANY_CLASS classification is defined. Compartment words A, B, and REL CNTRY 1 are specified for all types of labels.

ACCREDITATION RANGE:

classification= ANY_CLASS;      only valid compartment combinations:

ANY_CLASS A B REL CNTRY1

minimum clearance= ANY_CLASS A B REL CNTRY1;
minimum sensitivity label= ANY_CLASS A B REL CNTRY1;
minimum protect as classification= ANY_CLASS;

Example 3-7 Changing the Single Label Name

In this example, the label_encodings.example file is changed to handle a single-label company. The name= value is changed from SECRET to INTERNAL_USE_ONLY. The sname= value is changed from s to INTERNAL. Neither the value= nor the initial compartments= definition is changed.

CLASSIFICATIONS:
name= INTERNAL_USE_ONLY;  sname= INTERNAL;  value= 5; initial compartments= 4-5
190-239;

In the ACCREDITATION RANGE section, the short name of the classification is replaced. Also, the minimum values are replaced with the new sname.

ACCREDITATION RANGE:

classification= INTERNAL;      only valid compartment combinations:

INTERNAL

minimum clearance= INTERNAL;
minimum sensitivity label= INTERNAL;
minimum protect as classification= INTERNAL;

Next Steps

Verify the file by performing How to Analyze and Verify the label_encodings File.

Distribute the file by following How to Distribute the label_encodings File.

How to Debug a label_encodings File

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. In an editor, check the entries in the INFORMATION LABELS: WORDS: section.

    The entries must exactly match the entries in the SENSITIVITY LABELS: WORDS: section.


    Tip - Encode the sensitivity label words, then copy the words to the INFORMATION LABELS section.


  2. Check that no label in the user accreditation range has a value of 0 with no compartment bits.

    This step ensures that no label is indistinguishable from the label ADMIN_HIGH.

  3. Check that no label in the user accreditation range has a value of 255 with all compartment bits from 0 to 239.

    This step ensures that no label is indistinguishable from the label ADMIN_HIGH.

  4. Check that no compartment has a value higher than 239.

    This step ensures that all labels can be mapped to CIPSO labels.

  5. For labels that cannot be resolved, do the following:
    1. Reset any objects with the new labels to a low system label, ADMIN_LOW.
    2. Restore a known, usable label_encodings file from backup.
    3. Use the chk_encodings -a command to analyze the label problems in the faulty file.