Trusted Extensions Developer's Guide     Oracle Solaris 11.1 Information Library

Understanding Labels

The Trusted Extensions software provides a set of policies and services to extend the security features of the Oracle Solaris OS. These extensions provide access control that is based on label relationships.

Labels control access to data and maintain the classification of data. The labels are attributes that are interpreted by the system security policy. The system security policy is the set of rules that is enforced by system software to protect information that is being processed on the system. The term security policy can refer to the policy itself or to the implementation of the policy. For more information, see Trusted Extensions Security Policy.

This section includes overview information about label types, ranges, components, and relationships.

Label Types

The Trusted Extensions software defines two types of labels: sensitivity labels and clearance labels. A sensitivity label indicates the security level of an entity and is usually referred to as a label. A clearance label defines the upper boundary of a label range and is usually referred to as a clearance.

Sensitivity Labels

The Trusted Extensions software uses zones to contain classified information at various levels. Each level is associated with its own zone that has a sensitivity label. The sensitivity label specifies the sensitivity of the information in that zone and is applied to all of the subjects and objects in that zone. A label might be something like CONFIDENTIAL, SECRET, or TOP SECRET. A subject is an active entity, such as a process, that causes information to flow among objects or changes a system's state. An object is a passive entity that contains or receives data, such as a file or device. All processes that run in a zone, all files that are contained in a zone, and so on, have the same sensitivity label as their zone. All processes and objects have a sensitivity label that is used in mandatory access control (MAC) decisions. By default, sensitivity labels are visible in the windowing system.

Clearance Labels

The security administrator assigns a clearance to each user. A clearance is a label that defines the upper boundary of a label range. For example, a user with a clearance of SECRET can access information that is classified at SECRET or lower, but not information that is classified at a higher level. The user clearance is the highest label at which the user can access files and initiate processes during a session; in other words, it is the upper boundary of the user's account label range. At login, a user selects a session clearance. The session clearance determines which labels the user can access and sets the least upper bound at which the user can access files and initiate processes during that login session. The session clearance must be dominated by the user clearance: a user can select a session clearance that is equal to or lower than the user clearance, but never one that is higher.

Label Ranges

The security administrator defines label ranges and label sets to enforce mandatory access control (MAC) policy. A label range is a set of labels that is bounded at the upper end by a clearance or a label limit and at the lower end by a minimum label; a label is in the range when it dominates the minimum label and is dominated by the upper bound. A label limit is the upper bound of a label range. A label set, by contrast, lists one or more discrete labels explicitly rather than by bounds. The labels in a label set might be disjoint from one another; they do not dominate one another.

Label Components

A label contains a hierarchical classification and a set of zero or more nonhierarchical compartments. A classification is also referred to as a level or a security level. A classification represents a single level within a hierarchy of labels, for example, TOP SECRET or UNCLASSIFIED. A compartment is associated with a classification and represents a distinct, nonhierarchical area of information in a system, such as private information for a human resources (HR) group or a sales group. A compartment limits access only to users who need to know the information in a particular area. For example, a user with a SECRET classification only has access to the secret information that is specified by the associated list of compartments, not to any other secret information. The classification and compartments together represent the label of the zone and the resources within that zone.

The textual format of a classification is specified in the label_encodings file and appears similar to this:

CLASSIFICATIONS:
name= CONFIDENTIAL; sname= C; value= 4; initial compartments= 4-5 190-239;
name= REGISTERED; sname= REG; value= 6; initial compartments= 4-5 190-239;

The textual format of a compartment is specified in the label_encodings file and appears similar to this:

WORDS:
name= HR; minclass= C; compartments= 0;

For more information about label definitions and label formats, see Trusted Extensions Label Administration and Compartmented Mode Workstation Labeling: Encodings Format. For information about the label APIs, see Chapter 2, Labels and Clearances.

Label Relationships

Comparing labels means that the label of a process is compared to the label of a target, which might be a sensitivity label or a clearance label. Based on the result of the comparison, the process is either granted or denied access to the object. For reading, access is granted only when the label of the process dominates the label of the target. Writing to a target at a different label is governed by the separate write-down rules described in Trusted Extensions Security Policy. Label relationships and dominance are described later in this section. For examples, see Determining the Relationship Between Two Labels.

A security level is a numerical classification. A label indicates the security level of an entity and might include zero or more compartments. An entity is something that can be labeled, such as a process, zone, file, or device.

The following paragraphs describe how labels are defined and how they relate to each other.

The label_encodings file is used to specify the classifications and compartments for labels. See the label_encodings(4) man page.

A label of any type dominates a second label when its security level is equal to or greater than the security level of the second label. This comparison takes both parts of the label into account: the classification of the dominant label must be equal to or greater than the classification of the second label, and the dominant label must include all the compartments in the second label. Two equal labels dominate each other. A label that dominates a second label and is not equal to it is said to strictly dominate the second label.

In the following sample excerpt of the label_encodings file, the REGISTERED (REG) label dominates the CONFIDENTIAL (C) label. The comparison is based on the value keyword of each classification: the value of REG (6) is greater than the value of C (4), and both classifications have the same initial compartments, so REG includes every compartment of C. Both labels dominate the PUBLIC (P) label, which has a lower value (1) and no initial compartments.

The value of the initial compartments keyword shows the list of compartments that are initially associated with the classification. Each number in the initial compartments keyword is a compartment bit, each of which represents a particular compartment.

CLASSIFICATIONS:
name= PUBLIC; sname= P; value= 1;
name= CONFIDENTIAL; sname= C; value= 4; initial compartments= 4-5 190-239;
name= REGISTERED; sname= REG; value= 6; initial compartments= 4-5 190-239;

The following label_encodings excerpt shows that the REG HR label (Human Resources) dominates the REG label. The REG HR label has the REGISTERED classification and the HR compartment. The compartments keyword for the HR word sets compartment bit 0, so the REG HR label has compartments 0, 4–5, and 190–239 set, a superset of the compartments set by the REG classification alone. The minclass keyword names the lowest classification with which the word can be combined; here the HR compartment can be combined with CONFIDENTIAL or higher, but not with PUBLIC.

CLASSIFICATIONS:
name= REGISTERED; sname= REG; value= 6; initial compartments= 4-5 190-239;
...
WORDS:
name= HR; minclass= C; compartments= 0;

Sometimes, strict dominance is required to access an object. In the previous examples, the REG label strictly dominates the P label, and the REG HR label strictly dominates the REG label. Two REG labels are equal: each dominates the other, but neither strictly dominates the other.

Labels that do not dominate each other are said to be disjoint. Disjoint labels might be used to separate departments in a company. In the following example, the REG HR label (Human Resources) is disjoint from the REG Sales label. The two labels have the same classification, but the HR word sets compartment bit 0 and the Sales word sets compartment bit 1, so neither label includes all the compartments of the other.

CLASSIFICATIONS:
name= REGISTERED; sname= REG; value= 6; initial compartments= 4-5 190-239;
...
WORDS:
name= HR; minclass= C; compartments= 0;
name= Sales; minclass= C; compartments= 1;
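The following Python program is an added example, not code from this guide or from the Trusted Extensions libraries. It implements the relationships described in Label Components and Label Relationships above (dominance, strict dominance, disjointness, the minclass restriction on compartment words) together with the range and session-clearance checks from Clearance Labels and Label Ranges, using the label_encodings excerpts from this page as its input. The ENCODINGS text is constructed from those excerpts and parses only the CLASSIFICATIONS and WORDS keywords shown here; a real label_encodings(4) file has more sections and keywords. The function names are this example's own; the corresponding libtsol calls are str_to_label(3TSOL), bldominates(3TSOL), blstrictdom(3TSOL), blequal(3TSOL) and blinrange(3TSOL).

```python
# Added example: models Trusted Extensions label relationships in plain Python.
# Not the libtsol API. ENCODINGS is constructed from the excerpts on this page
# and covers only the CLASSIFICATIONS and WORDS keywords used there.
from dataclasses import dataclass

ENCODINGS = """\
CLASSIFICATIONS:
name= PUBLIC; sname= P; value= 1;
name= CONFIDENTIAL; sname= C; value= 4; initial compartments= 4-5 190-239;
name= REGISTERED; sname= REG; value= 6; initial compartments= 4-5 190-239;

WORDS:
name= HR; minclass= C; compartments= 0;
name= Sales; minclass= C; compartments= 1;
"""


def _bits(spec):
    """Expand a compartment-bit list such as '4-5 190-239' into a set of bit numbers."""
    bits = set()
    for token in spec.split():
        lo, _, hi = token.partition("-")
        bits.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(bits)


def _fields(line):
    """'name= HR; minclass= C; compartments= 0;' -> {'name': 'HR', 'minclass': 'C', ...}."""
    pairs = (part.split("=", 1) for part in line.split(";") if "=" in part)
    return {key.strip(): value.strip() for key, value in pairs}


def parse_encodings(text):
    """Return ({sname: (value, initial bits)}, {word: (minclass value, bits)})."""
    classes, words, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):          # section header such as 'WORDS:'
            section = line[:-1]
            continue
        f = _fields(line)
        if section == "CLASSIFICATIONS":
            classes[f["sname"]] = (int(f["value"]), _bits(f.get("initial compartments", "")))
        elif section == "WORDS":
            words[f["name"]] = (classes[f["minclass"]][0], _bits(f["compartments"]))
    return classes, words


CLASSES, WORDS = parse_encodings(ENCODINGS)


@dataclass(frozen=True)
class Label:
    classification: int      # hierarchical level: the classification's value keyword
    compartments: frozenset  # nonhierarchical compartment bits


def str_to_label(text):
    """Build a label from text such as 'REG HR': a classification sname followed by words.

    A word is refused when the classification is below the word's minclass.
    """
    sname, *names = text.split()
    value, bits = CLASSES[sname]
    for name in names:
        minclass, word_bits = WORDS[name]
        if value < minclass:
            raise ValueError(f"{name} needs classification value >= {minclass}, got {sname}")
        bits |= word_bits
    return Label(value, bits)


def dominates(a, b):
    """a dominates b: a's classification >= b's and a includes every compartment of b."""
    return a.classification >= b.classification and a.compartments >= b.compartments


def strictly_dominates(a, b):
    """Strict dominance: a dominates b and the two labels are not equal."""
    return dominates(a, b) and a != b


def disjoint(a, b):
    """Disjoint labels: neither dominates the other."""
    return not dominates(a, b) and not dominates(b, a)


def in_range(label, minimum, upper):
    """Label range check: label dominates the minimum and is dominated by the upper bound."""
    return dominates(label, minimum) and dominates(upper, label)


def session_clearance(user_clearance, requested):
    """A session clearance is accepted only when the user clearance dominates it."""
    if not dominates(user_clearance, requested):
        raise PermissionError("requested session clearance exceeds user clearance")
    return requested


if __name__ == "__main__":
    P, C, REG = (str_to_label(s) for s in ("P", "C", "REG"))
    REG_HR, REG_SALES = str_to_label("REG HR"), str_to_label("REG Sales")
    print("REG dominates C:", dominates(REG, C))
    print("REG HR strictly dominates REG:", strictly_dominates(REG_HR, REG))
    print("REG strictly dominates REG:", strictly_dominates(REG, REG))
    print("REG HR disjoint from REG Sales:", disjoint(REG_HR, REG_SALES))
    print("C in range [P, REG]:", in_range(C, P, REG))
```

Compartments are kept as sets of bit numbers rather than a packed bit vector so that the subset test in dominates() reads the same way as the rule in the text; libtsol stores them as a fixed-width bit field, but the comparison it performs is the same superset check. Note that REG HR falls outside the range [P, REG] even though its classification is REGISTERED, because the upper bound must dominate the label and REG lacks compartment 0.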

For information about label APIs, see Sensitivity Label APIs.