Defining the Set of Labels

In this section, SecCompany's set of labels is defined in lists that include the following required aspects of labels:

Classifications
Other words
Relationships between and among the words
Classification restrictions that are associated with use of each word
Intended use of the words in sensitivity labels and clearances
Intended use of the words in labeling system output, such as printouts and email

Planning the Classifications

Because the four labels are hierarchical, they are encoded as hierarchical classifications.

With the legal department's approval, the security administrator shortens the labels by omitting SecCompany Confidential: from the label names. Long classifications make labels hard to read in window title bars. The name of a label is truncated from right to left in title bars. Because the truncated names of all the label names above PUBLIC would begin with the words SECCOMPANY CONFIDENTIAL, the truncated names would be indistinguishable without manually extending the frame for each window.

The security administrator defines the following labels:

REGISTERED
NEED_TO_KNOW
INTERNAL_USE_ONLY
PUBLIC

Planning the Compartments

The group names will be encoded as non-hierarchical compartments. Compartments will be restricted to appear only in labels that have the NEED_TO_KNOW classification. Compartment restrictions are encoded in the ACCREDITATION RANGE section under COMBINATION CONSTRAINTS in the label_encodings file.

User clearances will control which users can create files and directories that have a group name in the label. User clearances will also control which users can create documents that have a label with more than one group name along with the NEED_TO_KNOW classification.

Planning the Use of Words in MAC

The classifications and compartments in sensitivity labels and user clearances are used in mandatory access control (MAC). Therefore, the legal department's hierarchical labels and the group names need to be encoded as classifications and compartments so that they can be used in the labels that control which individual employees can access files and do other work.

SecCompany defines two sensitivity labels:

PUBLIC, which is assigned the lowest value in the user accreditation range
INTERNAL_USE_ONLY, which is assigned the next highest value above PUBLIC

An employee with no authorizations whose clearance is PUBLIC and whose minimum label is PUBLIC can use the system as follows:

Works only in a PUBLIC workspace
Creates files only at the PUBLIC label
Reads email only at the PUBLIC label
Uses printers that have PUBLIC in their label range

In contrast, an employee with no authorizations whose clearance is INTERNAL_USE_ONLY can use the system as follows:

Works in either a PUBLIC or an INTERNAL_USE_ONLY workspace
Creates files at either the PUBLIC label or the INTERNAL_USE_ONLY label, depending on the employee's current workspace
Receives and sends email at either sensitivity label
Can print a file that is labeled PUBLIC on any printer with PUBLIC in its label range
Can send a file labeled INTERNAL_USE_ONLY to any printer with INTERNAL_USE_ONLY in its label range

Planning the Use of Words in Labeling System Output

When the sensitivity label of a print job contains a group name compartment, the mandatory printer banner and trailer pages print the following text:

DISTRIBUTE_ONLY_TO Group Name (Non-Disclosure Agreement Required)

Planning Unlabeled Printer Output

Users who are directed to an unlabeled printer can print output with no labels. Users in a labeled zone with its own print server can print output with no labels if they are assigned the solaris.print.nolabel authorization. Roles can be configured to print output with no labels to a local printer that is controlled by a Trusted Extensions print server.

Planning for Supporting Procedures

The security administrator creates security policies to enforce the labeling strategy.

Rules for Protecting a `REGISTERED` File or Directory

The security administrator realizes that anyone with a clearance that includes the word REGISTERED can access any registered information anywhere in the company. Further precautions are needed. For example, users who have REGISTERED in their clearance must be instructed to use UNIX permissions to protect their files. Permissions must be set so that only the owner can view or modify the file. The following example shows a user who is applying discretionary access control to protect the contents of a REGISTERED directory.

As the following example shows, the user who creates a file or directory while working at an sensitivity label of REGISTERED needs to set the file's permissions to be read and write for the owner only. Directory permissions are set to be readable, writable, and searchable only by the owner. These permissions ensure that another user who can work at the REGISTERED label cannot read the file.

Example 6-1 Using DAC to Protect Registered Information

% plabel 
REGISTERED
% mkdir registered.dir
% chmod 700 registered.dir
% cd registered.dir
% touch registered.file
% ls -l
-rwxrwxrwx registered.file
% chmod 600 registered.file
% ls -l
-rw------- registered.file

Rules for Configuring Printers

The following table shows how printers that are available to various SecCompany departments need to be configured.

Table 6-1 Label Ranges on SecCompany Printers at Various Locations

Printer Location	Type of Access	Label Range
Lobby or public meeting room	Anyone	`PUBLIC` only
Internal company printer room	Available to all people who have signed nondisclosure agreements	`PUBLIC` to `INTERNAL_USE_ONLY`
Restricted area for one group	Members of a group specified in the `NEED_TO_KNOW` `group-name` compartment	`NEED_TO_KNOW` `group-name` only
Strictly controlled area	Available only to people who have the `REGISTERED` classification in their clearance	`REGISTERED` only

For more information, see Chapter 19, Managing Labeled Printing (Tasks), in Trusted Extensions Configuration and Administration.

Rules for Handling Printer Output

People who have access to restricted printers are instructed to do the following:

Protect information according to the instructions on the banner and trailer pages of printed output.
Shred jobs that do not have both a banner and a trailer page. Also, shred jobs that do not have matching job numbers on the banner and trailer pages.

Planning the Classification Values in a Worksheet

The worksheet in the following table shows names and hierarchical values that are defined for the four classifications for SecCompany. Because the value 0 is reserved for the administrative ADMIN_LOW label, the value of the PUBLIC classification is set to 1. The values of the other classifications are set higher in ascending order of sensitivity.

Note - The names of groups in the labels are specified later, as WORDS in the SENSITIVITY LABELS and CLEARANCES sections.

Table 6-2 Classifications Planner for SecCompany

name=	sname=/aname=	value=	initial compartments= bit numbers/WORD
`PUBLIC`	`PUB`	1	None
`INTERNAL_USE_ONLY`	`IUO`	4	None
`NEED_TO_KNOW`	`NTK`	5	None
`REGISTERED`	`REG`	6	None

Planning the Compartment Values and Combination Constraints in a Worksheet

The following table defines the relationships between words and classifications. The relationships were determined by using the planning board in Figure 6-4. PUBLIC and INTERNAL_USE_ONLY can never appear in a label with any compartment. NEED_TO_KNOW can appear in a label with any of the compartments or all of the compartments. The classification and compartment values are listed in ascending bit order.

Table 6-3 Compartments and User Accreditation Range Combinations Planner for SecCompany

Classification	Compartment Name/ sname/ Bit	Combination Constraints
`PUBLIC`		`PUBLIC` Only valid combinations
`INTERNAL_USE_ONLY`		`INTERNAL_USE_ONLY` Only valid combinations
`NEED_TO_KNOW`	`EXECUTIVE_MANAGEMENT_GROUP`/ `EMGT`/ 11	`NEED_TO_KNOW` All combinations valid
	`SALES`/ `SALES`/ 12
	`FINANCE`/ `FIN`/ 13
	`LEGAL`/ `LEGAL`/ 14
	`MARKETING`/ `MKTG`/ 15 20
	`HUMAN_RESOURCES`/ `HR`/ 16
	`ENGINEERING`/ `ENG`/ 17 20
	`MANUFACTURING`/ `MFG`/ 18
	`SYSTEM_ADMINISTRATION`/ `SYSADM`/ 19
	`PROJECT_TEAM`/ `SYSADM`/ 20
	`ALL_DEPARTMENTS`/ `ALL`/ 11-20
`REGISTERED`		`REGISTERED` Only valid combinations

The security administrator uses the following table to track which bits have been used for compartments.

Table 6-4 Compartment Bits Planner for SecCompany

Planning the Clearances in a Worksheet

The components of these labels are also assigned to users in clearances. The worksheet's Clearance Planner in Table 6-5 defines the label components to be used in clearances at SecCompany.

The following key to Table 6-5 lists the components in descending classification bit order and ascending compartment bit order:

Abbreviation	Name	Component
`REG`	`REGISTERED`	`CLASS`
`NTK`	`NEED_TO_KNOW`	`CLASS`
`IUO`	`INTERNAL_USE_ONLY`	`CLASS`
`PUB`	`PUBLIC`	`CLASS`
`EMGT`	`EXECUTIVE_MANAGEMENT_GROUP`	`COMP`
`SALES`	`SALES`	`COMP`
`FIN`	`FINANCE`	`COMP`
`LEGAL`	`LEGAL`	`COMP`
`MKTG`	`MARKETING`	`COMP`
`HR`	`HUMAN_RESOURCES`	`COMP`
`ENG`	`ENGINEERING`	`COMP`
`MFG`	`MANUFACTURING`	`COMP`
`SYSADM`	`SYSTEM_ADMINISTRATION`	`COMP`
`P_TEAM`	`PROJECT_TEAM`	`COMP`
`ALL`	`ALL_DEPARTMENTS`	`COMP`

Table 6-5 Clearance Planner for SecCompany

CLASS	COMP	COMP	COMP	COMP	COMP	COMP	COMP	COMP	COMP	COMP	COMP	Notes
`REG`	`EMGT`	`ENG`	`FIN`	`HR`	`LEGAL`	`MFG`	`MKTG`	`SALES`	`SYSADM`	`P_TEAM`	`ALL`	Highest possible label, not used *
`REG`												Assigned to personnel as needed §
`NTK`	`EMGT`											Assigned to `EMGT` group
`NTK`		`ENG`										Assigned to `ENG` group
`NTK`			`FIN`									Assigned to `FIN` group
`NTK`				`HR`								Assigned to `HR` group
`NTK`					`LEGAL`							Assigned to `LEGAL` group
`NTK`						`MFG`						Assigned to `MFG` group
`NTK`							`MKTG`					Assigned to `MKTG` group
`NTK`								`SALES`				Assigned to `SALES` group
`NTK`									`SYSADM`			Assigned to `SYSADM` group
`NTK`										`P_TEAM`		Assigned to `P_TEAM` group
`NTK`											`ALL`	Assigned to all groups
`IUO`												Assigned to people with `NDA`s
`PUB`												Assigned to anyone

* The highest possible label in the system consists of the highest classification and all of the defined compartments. Because no one is permitted to access all information in all departments, this label is not in the user accreditation range. No one is assigned this clearance.

§ When working at the REGISTERED sensitivity label, the user must set permissions to restrict access to everyone except the owner. UNIX file permissions of 600 and directory permissions of 700 restrict access.

Planning the Printer Banners in a Worksheet

The SecCompany legal department wants the following to appear on banner and trailer pages of printed output:

SecCompany Confidential:

The PRINTER BANNERS section of the label_encodings file can be used to associate a string with any compartment that appears in the sensitivity label of the print job. In this encodings file, only the NEED_TO_KNOW classification has compartments. The following table shows how the desired wording is specified as a prefix and assigned to each compartment. The abbreviation NTK is assigned to each channel so that the wording in the PRINTER BANNERS section includes the group name, as follows:

SecCompany Confidential: group-name

In the following planner, the words in the second column are listed in order of ascending bit order.

Table 6-6 Printer Banners Planner for SecCompany

Prefix	Printer Banner (Word, No Suffix)
`SECCOMPANY CONFIDENTIAL:`	`EXECUTIVE_MANAGEMENT_GROUP`
`SECCOMPANY CONFIDENTIAL:`	`SALES`
`SECCOMPANY CONFIDENTIAL:`	`FINANCE`
`SECCOMPANY CONFIDENTIAL:`	`LEGAL`
`SECCOMPANY CONFIDENTIAL:`	`MARKETING`
`SECCOMPANY CONFIDENTIAL:`	`HUMAN_RESOURCES`
`SECCOMPANY CONFIDENTIAL:`	`ENGINEERING`
`SECCOMPANY CONFIDENTIAL:`	`MANUFACTURING`
`SECCOMPANY CONFIDENTIAL:`	`SYSTEM_ADMINISTRATION`
`SECCOMPANY CONFIDENTIAL:`	`PROJECT_TEAM`
`SECCOMPANY CONFIDENTIAL:`	`ALL_DEPARTMENTS`

Planning the Channels in a Worksheet

The SecCompany legal department wants the following handling instructions to appear on banner and trailer pages on printed output:

DISTRIBUTE_ONLY_TO group-name EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)

This goal is met by assigning in the CHANNELS section the same compartment bits that were assigned to group names in Table 6-3. SecCompany plans to use the same group names in both the compartments and the channels.

The words that precede the channel name are specified as prefixes. The words that follow the channel name are specified as suffixes. The security administrator specifies prefixes and suffixes in the following planner. The planner lists the channels in ascending compartment bit order.

Table 6-7 Channels Planner for SecCompany

Prefix	Channel	Suffix
`DISTRIBUTE_ONLY_TO`	`EXECUTIVE_MANAGEMENT_GROUP`	`EMPLOYEES (NON-DISCLOSURE_AGREEMENT_REQUIRED)`
`DISTRIBUTE_ONLY_TO`	`SALES`	`EMPLOYEES (NON-DISCLOSURE_AGREEMENT_REQUIRED)`
`DISTRIBUTE_ONLY_TO`	`FINANCE`	`EMPLOYEES (NON-DISCLOSURE_AGREEMENT_REQUIRED)`
`DISTRIBUTE_ONLY_TO`	`LEGAL`	`EMPLOYEES (NON-DISCLOSURE_AGREEMENT_REQUIRED)`
`DISTRIBUTE_ONLY_TO`	`MARKETING`	`EMPLOYEES (NON-DISCLOSURE_AGREEMENT_REQUIRED)`
`DISTRIBUTE_ONLY_TO`	`HUMAN_RESOURCES`	`EMPLOYEES (NON-DISCLOSURE_AGREEMENT_REQUIRED)`
`DISTRIBUTE_ONLY_TO`	`ENGINEERING`	`EMPLOYEES (NON-DISCLOSURE_AGREEMENT_REQUIRED)`
`DISTRIBUTE_ONLY_TO`	`MANUFACTURING`	`EMPLOYEES (NON-DISCLOSURE_AGREEMENT_REQUIRED)`
`DISTRIBUTE_ONLY_TO`	`SYSTEM_ADMINISTRATION`	`EMPLOYEES (NON-DISCLOSURE_AGREEMENT_REQUIRED)`
`DISTRIBUTE_ONLY_TO`	`PROJECT_TEAM`	`EMPLOYEES (NON-DISCLOSURE_AGREEMENT_REQUIRED)`
`DISTRIBUTE_ONLY_TO`	`ALL_DEPARTMENTS`	`EMPLOYEES (NON-DISCLOSURE_AGREEMENT_REQUIRED)`

Planning the Minimum Labels in an Accreditation Range

The following minimum values must be set:

Minimum sensitivity label
Minimum clearance
Minimum “Protect As” classification

SecCompany wants employees to be able to use all the defined sensitivity labels. Also, the company wants to be able to assign the PUBLIC clearance to some employees. Therefore, the minimum sensitivity label and the minimum clearance need to be set to PUBLIC.

The minimum “Protect As” classification is printed on banner and trailer pages instead of the actual classification from the job's sensitivity label. The minimum “Protect As” classification can be set higher than the actual minimum classification. However, SecCompany requirements allow the minimum “Protect As” classification to always be equal to the real classification of the print job's sensitivity label. The security administrator specifies the value PUBLIC for the minimum sensitivity label, minimum clearance, and minimum “Protect As” classification.

Planning the Colors in a Worksheet

The color that is assigned to a label displays as the background color whenever the name of the label appears at the top of a window. The lettering is displayed in a color that is computed by the windowing system to complement the background. At SecCompany, the security administrator chooses to keep the colors that are already assigned to the administrative labels in the default label_encodings file. The administrator assigns green to PUBLIC, yellow to INTERNAL_USE_ONLY, blue to labels that contain NEED_TO_KNOW (with different shades of blue assigned to each compartment), and red to REGISTERED. The following table shows the color assignments, and the default color assignments for the ADMIN_LOW and ADMIN_HIGH labels.

Table 6-8 Color Names Planner for SecCompany

Label or Name (`label=` or `name=`)	Color
`ADMIN_LOW`	#BDBDBD
`PUBLIC`	green
`INTERNAL_USE_ONLY`	yellow
`NEED_TO_KNOW`	blue
`NEED_TO_KNOW EMGT`	#7FA9EB
`NEED_TO_KNOW SALES`	#87CEFF
`NEED_TO_KNOW FIN`	#00BFFF
`NEED_TO_KNOW LEGAL`	#7885D0
`NEED_TO_KNOW MKTG`	#7A67CD
`NEED_TO_KNOW HR`	#7F7FFF
`NEED_TO_KNOW ENG`	#007FFF
`NEED_TO_KNOW MFG`	#0000BF
`NEED_TO_KNOW SYSADM`	#5B85D0
`NEED_TO_KNOW P_TEAM`	#9E7FFF
`NEED_TO_KNOW ALL`	#4D658D
`REGISTERED`	red
`ADMIN_HIGH`	#636363

Skip Navigation Links
Exit Print View
	Trusted Extensions Label Administration Oracle Solaris 11.1 Information Library