Sources for Encodings Files

The label_encodings file is a flat text file. On a system that is configured with Trusted Extensions, the label of the file is ADMIN_HIGH to prevent ordinary users from reading it. The maximum line length in the label_encodings file is 256 bytes. The file can be edited with any text editor. The security administrator is responsible for the creation and distribution of the label_encodings file.

Note

The label_encodings file can be created or edited on any system. However, the file must be checked and tested on a host that is configured with Trusted Extensions.

Some organizations have a government-furnished label_encodings file that is based on Defense Intelligence Agency (DIA) specifications. Other organizations might want to base their encodings file on one of the files that are provided with the Trusted Extensions packages.

Labels Files in Solaris Trusted Extensions Packages

Trusted Extensions installs sample files in the /etc/security/tsol directory. These samples can be modified to your site requirements.

label_encodings.simple file

Is installed by Solaris Trusted Extensions software.

label_encodings.example file

Is similar to the example in Appendix A, Sample Label Encodings File.

The introduction to the appendix describes the label components in the file. Chapter 6, Example: Planning an Organization's Labels describes each step in creating this file.

label_encodings.gfi.single file

Is the U.S. Government single-level file.

label_encodings.single file

Is Sun's version of the U.S. Government single-level file. The color assignments are different.

label_encodings.gfi.multi file

Is the U.S. Government multilevel file.

label_encodings.multi file

Is Sun's version of the U.S. Government multilevel file. The combinations are less restricted, the minimum clearance is higher, the default user label is lower, and the colors are different.

Alternatively, you can build a label_encodings file from scratch. The syntax and structure of the label_encodings file are described in Encodings File Syntax.

Default Label Encodings File

By default, the label_encodings.simple file is installed as /etc/security/tsol/label_encodings:

ACCREDITATION RANGE:  classification= public;
only valid compartment combinations:  public
minimum clearance= needtoknow;
minimum sensitivity label= public;
minimum protect as classification= public;

The ACCREDITATION RANGE definition restricts the user to the following label:

  • PUBLIC is defined as the only classification

  • PUBLIC is defined as the only valid compartment combination

  • NEEDTOKNOW is defined as the minimum clearance

  • PUBLIC is defined as the minimum sensitivity label

  • PUBLIC is defined as the minimum protect as classification

The Classifications section is illustrated in the following figure.

Figure 2.2. Classifications in Default label_encodings File


The compartments in the file are illustrated in the following figure.

Figure 2.3. Compartments in Default label_encodings File


Differences Between GFI Label Encodings Files

There are two government-furnished files, label_encodings.single and label_encodings.multi. The label_encodings.single file is single-level, and the label_encodings.multi file is a multilevel version of the single-level file. The files also differ in their ACCREDITATION RANGE settings. The ACCREDITATION RANGE section describes which classifications and compartments are available to ordinary users.

GFI Multilevel Label Encodings File

The ACCREDITATION RANGE settings in the label_encodings.multi file are shown in the following excerpt:

ACCREDITATION RANGE: 
classification= u;   all compartment combinations valid;
classification= c;   all compartment combinations valid;
classification= s;   all compartment combinations valid;
classification= ts;   all compartment combinations valid;

minimum clearance= c;
minimum sensitivity label= u;
minimum protect as classification= u;

The ACCREDITATION RANGE definitions enable the site to use all the classifications and compartment words that are defined in the label_encodings.multi file:

  • UNCLASSIFIED, CLASSIFIED, SECRET, and TOP SECRET are defined with all compartment combinations valid

  • CLASSIFIED is defined as the minimum clearance

  • UNCLASSIFIED is defined as the minimum sensitivity label

  • UNCLASSIFIED is defined as the minimum protect as classification

GFI Single Level Label Encodings File

The ACCREDITATION RANGE settings in the label_encodings.single file are shown in the following excerpt:

ACCREDITATION RANGE:  classification= s;
only valid compartment combinations:  s a b rel cntry1
minimum clearance= s Able Baker NATIONALITY: CNTRY1;
minimum sensitivity label= s A B REL CNTRY1;
minimum protect as classification= s;

The ACCREDITATION RANGE definition restricts the user to the following label:

  • SECRET is defined as the only classification

  • SECRET A B REL CNTRY1 is defined as the only valid compartment combination

  • SECRET ABLE BAKER NATIONALITY: CNTRY1 is defined as the minimum clearance

  • SECRET A B REL CNTRY1 is defined as the minimum sensitivity label

  • SECRET is defined as the minimum protect as classification
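
The following Python pre-check is an added example, not part of the original guide or of the Trusted Extensions software. It flags lines over the 256-byte limit and summarizes an ACCREDITATION RANGE section laid out like the excerpts above, so that the settings an edit actually grants to ordinary users can be reviewed before the file is distributed. The function names and the line-oriented parsing are assumptions of this example, and the file must still be checked on a host that is configured with Trusted Extensions.

```python
import re

MAX_LINE_BYTES = 256  # maximum line length stated for label_encodings

# Constructed sample: the label_encodings.single excerpt from this page,
# followed by a LOCAL DEFINITIONS header that ends the section.
SAMPLE = """\
ACCREDITATION RANGE:  classification= s;
only valid compartment combinations:  s a b rel cntry1
minimum clearance= s Able Baker NATIONALITY: CNTRY1;
minimum sensitivity label= s A B REL CNTRY1;
minimum protect as classification= s;
LOCAL DEFINITIONS:
"""
MINIMUM = re.compile(r"minimum (clearance|sensitivity label|protect as classification)=\s*(.+?);")
ONLY = "only valid compartment combinations:"
ALL = "all compartment combinations valid;"


def overlong_lines(text):
    """Return 1-based numbers of lines whose byte length exceeds the limit."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if len(line.encode("utf-8")) > MAX_LINE_BYTES]


def accreditation_range(text):
    """Summarize the section: rule per classification, plus the three minimums."""
    _, found, body = text.partition("ACCREDITATION RANGE:")
    if not found:
        raise ValueError("no ACCREDITATION RANGE section")
    body = body.split("LOCAL DEFINITIONS:")[0]
    result, current = {"classifications": {}, "minimums": {}}, None
    for line in body.splitlines():
        head = re.match(r"\s*classification=\s*([^;]+);", line)
        if head:  # start of a new classification entry
            current = head.group(1).strip()
            result["classifications"][current] = []
            line = line[head.end():]
        line = line.strip()
        minimum = MINIMUM.match(line)
        if minimum:  # the minimums close the last classification entry
            result["minimums"][minimum.group(1)] = minimum.group(2).strip()
            current = None
        elif line == ALL and current:
            result["classifications"][current] = "all"
        elif current and line:  # an explicitly listed compartment combination
            combo = line[len(ONLY):].strip() if line.startswith(ONLY) else line
            if combo:
                result["classifications"][current].append(combo)
    return result
```

A classification that maps to "all" places no restriction on compartment combinations, which is the setting to look for when comparing a site file against the single-level excerpt.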

Sun Extensions to label_encodings File

Sun's implementation of the label_encodings file supports a LOCAL DEFINITIONS section. This section is optional. The section can be appended to an already-existing label_encodings file. The word LOCAL in the keyword that starts the section means local to Sun's implementation.

Options in the LOCAL DEFINITIONS section set label translation options and associate colors with labels. The title bars of application windows display each label against a background of the color that is specified for that label. If an invalid color or no color is specified in the COLOR NAMES option, a default color is supplied. Chapter 5, Customizing LOCAL DEFINITIONS describes how to modify the Sun extensions for your site.