The safest time to modify a label_encodings file is when the first host is installed. Proceed with caution when modifying a file that is in use. For details, see the label_encodings(4) man page.
Task | For Instructions
---|---
Create or change the label_encodings file | How to Create a label_encodings File
Test the label_encodings file | How to Analyze and Verify the label_encodings File
Distribute the label_encodings file | How to Distribute the label_encodings File
Debug a label_encodings file | How to Debug a label_encodings File
Change a classification definition | How to Add or Rename a Classification
Create default or inverse words | How to Specify Default and Inverse Words
Customize a single-label file | How to Create a Single-Label Encodings File
Specify a label name | Example 3–9
Add a LOCAL DEFINITIONS section | How to Add Sun Extensions to an Encodings File
Prevent specific users from seeing labels | How to Hide Labels From a User in Solaris Trusted Extensions Administrator’s Procedures
Prevent all users of a particular system from seeing labels | How to Modify policy.conf Defaults in Solaris Trusted Extensions Administrator’s Procedures
How to Create a label_encodings File

For sample files, see the /etc/security/tsol directory on an installed system. The files are described in Labels Files in Solaris Trusted Extensions Packages.
You can create this file before you install Trusted Extensions on your first system. On that first system, you check the file. You can also create this file on the first system that you install with Trusted Extensions. This procedure must be completed before a second computer is configured with Trusted Extensions.
On a system that is configured with Trusted Extensions, you must be in the global zone in the Security Administrator role. On other systems, you can create and edit the file in any editor.
1. Create a backup copy of the original file.
2. Open a new or existing version of the file.
   - On a system that is not configured with Trusted Extensions, use any editor to create the file.
   - On a system that is configured with Trusted Extensions, use the Edit Encodings action to create the file.
   In CDE, the Trusted_Extensions folder in the Application Manager contains two actions for the encodings file:
   - Edit Encodings: Edits and checks the syntax of the specified label_encodings file.
   - Check Encodings: Checks the syntax of a specified label_encodings file.
3. Modify the file.
   For details, see How to Plan the Encodings File.
4. Continue with How to Analyze and Verify the label_encodings File.
How to Analyze and Verify the label_encodings File

You must be in the global zone in the Security Administrator role.

1. Check the syntax and relationships of the labels.
   In a terminal, use the chk_encodings -a command to analyze and report on label relationships.
   ```
   $ chk_encodings -a encodings-file
   ```
2. Verify the file.
   The Check Encodings action runs the chk_encodings command on the specified file.
   - If the file passes, install it.
     ```
     Do you want to install this label_encodings file? yes
     ```
   - If the file does not pass, see How to Debug a label_encodings File for assistance.
3. Test the encodings file.
   Where possible, test the file on a few systems before approving the file for all systems at your site.
4. Create a master copy.
   For copying instructions, see How to Copy Files to Portable Media in Solaris Trusted Extensions Installation and Configuration.
5. Save a labeled copy of the file in a protected location.
How to Distribute the label_encodings File

1. Create a master copy.
   For copying instructions, see How to Copy Files to Portable Media in Solaris Trusted Extensions Installation and Configuration.
2. Immediately after installing a system with Trusted Extensions, copy the master file onto the system.
   For copying instructions, see How to Copy Files From Portable Media in Solaris Trusted Extensions Installation and Configuration.
How to Add or Rename a Classification

You must be in the Security Administrator role in the global zone.

1. Edit the label_encodings file.
   Use the Edit Encodings action. For details, see How to Create a label_encodings File.
2. Specify a version number.
   In the VERSION= section, put your site's name, a title for the file, a version number, and the date.
   ```
   VERSION= Sun Microsystems, Inc. Example Version - 5.10 04/05/28
   ```
   Sun uses SCCS keywords for the version number and the date. For details, see the sccs(1) man page.
   ```
   VERSION= Sun Microsystems, Inc. Example Version - %I% %E%
   ```
3. Specify the classification.
   In the CLASSIFICATIONS section, supply the long name, short name, and numeric value for the new classification.
   ```
   name= NEW_CLASS; sname= N; value= 2;
   ```
4. Include the new classification in the accreditation range.
   Add the new classification to the ACCREDITATION RANGE section. The following example shows three new classifications added to the ACCREDITATION RANGE section. Each classification is specified with all compartment combinations valid.
   ```
   ACCREDITATION RANGE:

   classification= UNCLASSIFIED; all compartment combinations valid;

   * i is new in this file
   classification= INTERNAL_USE_ONLY; all compartment combinations valid;

   * n is new in this file
   classification= NEED_TO_KNOW; all compartment combinations valid;

   classification= CONFIDENTIAL; all compartment combinations valid except:
   c
   c a
   c b

   classification= SECRET; only valid compartment combinations:
   . . .

   * r is new in this file
   classification= REGISTERED; all compartment combinations valid;
   ```
5. Adjust the ACCREDITATION RANGE section if necessary.
   You might need to make the new classification a minimum classification.
   ```
   minimum clearance= u;
   minimum sensitivity label= u;
   minimum protect as classification= u;
   ```
   Make sure that you set a minimum clearance that is dominated by all the clearances that you plan to assign to users. Similarly, make sure that the minimum sensitivity label is dominated by all the minimum labels that you plan to assign to users.
6. Save your changes.
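The dominance rule behind step 5 can be checked mechanically before you commit a file. The following script is an added example, not code from the Sun documentation: it models a label as a classification value plus a set of compartment bits, applies the dominance rule, and reports any planned user clearance or minimum label that does not dominate the encoded minimums. The sname-to-value table and the user plan are constructed for the demonstration; a real site would take both from its own encodings file and account plan.

```python
"""Dominance check for the ACCREDITATION RANGE minimums.

Added example, not from the Sun documentation: a minimal model of a label as
(classification value, set of compartment bits) with the dominance rule, used
to confirm that the minimum clearance and minimum sensitivity label you encode
are dominated by every clearance and minimum label you plan to assign to users.
The sname -> value table and the user plan below are constructed.
"""
from dataclasses import dataclass

# Constructed classification table (sname -> value=), in the style of label_encodings.example.
CLASSIFICATIONS = {"u": 1, "iuo": 2, "ntk": 3, "c": 4, "s": 5, "r": 6}


@dataclass(frozen=True)
class Label:
    classification: int       # value= of the classification
    compartments: frozenset   # compartment bit numbers that are set

    def dominates(self, other):
        """A label dominates another when its classification is at least as high
        and its compartment set is a superset of the other's."""
        return (self.classification >= other.classification
                and other.compartments <= self.compartments)


def label(sname, *bits):
    """Build a Label from a classification sname and explicit compartment bits."""
    return Label(CLASSIFICATIONS[sname.lower()], frozenset(bits))


def check_minimums(minimum_clearance, minimum_sl, planned_clearances, planned_min_labels):
    """Return violations of the rule stated in step 5; [] means the minimums are safe."""
    problems = []
    for clr in planned_clearances:
        if not clr.dominates(minimum_clearance):
            problems.append(f"planned user clearance {clr} does not dominate "
                            f"minimum clearance {minimum_clearance}")
    for lbl in planned_min_labels:
        if not lbl.dominates(minimum_sl):
            problems.append(f"planned user minimum label {lbl} does not dominate "
                            f"minimum sensitivity label {minimum_sl}")
    return problems


if __name__ == "__main__":
    # 'minimum clearance= u; minimum sensitivity label= u;' as in the snippet above.
    ok = check_minimums(label("u"), label("u"),
                        [label("iuo"), label("s", 4, 5), label("c", 4)],
                        [label("u"), label("iuo")])
    print("with minimums at u:", ok)          # []
    # Raising the minimum clearance to 'c' leaves the iuo-cleared user below it.
    bad = check_minimums(label("c"), label("u"),
                         [label("iuo"), label("s", 4, 5)], [label("u")])
    print("with minimum clearance at c:", bad)
```

The check is deliberately symmetric with the text: a minimum that is not dominated by some planned user label means that user could never be given a clearance or minimum label inside the accreditation range, which is the misconfiguration the procedure warns about.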
How to Specify Default and Inverse Words

You must be in the Security Administrator role in the global zone.

1. Edit the label_encodings file.
   Use the Edit Encodings action. For details, see How to Create a label_encodings File.
2. Specify initial compartments.
   In the CLASSIFICATIONS section, specify compartments as part of the classification definition.
   ```
   CLASSIFICATIONS:

   name= PUBLIC; sname= P; value= 1;
   name= WEB COMPANY; sname= WEBCO; value= 2; initial compartments= 4-5;
   ```
3. Specify a default word.
   Assign an initial compartment bit to the word.
   ```
   name= DIVISION ONLY; sname= DO; minclass= IUO; compartments= 4-5;
   name= WEBC AMERICA; sname= WEBCA; minclass= IUO; compartments= 4;
   name= WEBC WORLD; sname= WEBCW; minclass= IUO; compartments= 5;
   ```
4. Specify an inverse word.
   Inverse words are created by preceding an initial compartment with a tilde (~).
   ```
   name= DIVISION ONLY; sname= DO; minclass= IUO; compartments= 4-5;
   name= WEBC AMERICA; sname= WEBCA; minclass= IUO; compartments= ~4;
   name= WEBC WORLD; sname= WEBCW; minclass= IUO; compartments= ~5;
   ```
5. Save your changes.
How to Create a Single-Label Encodings File

Certain labels must always be present in a label_encodings file:

- One sensitivity label in the user accreditation range must be defined
- One clearance in the user accreditation range must be defined
- One information label in the user accreditation range must be defined

You must be in the Security Administrator role in the global zone.

1. Edit an encodings file.
   Use the Edit Encodings action. For details, see How to Create a label_encodings File. Provide a name that is different from the installed label_encodings file.
2. Create an encodings file with only one classification and only the desired compartments.
   For example, you could set up an encodings file with the INTERNAL_USE_ONLY classification, and specify no words.
   ```
   VERSION= Single-Label Encodings
   . . .
   CLASSIFICATIONS:
   name= INTERNAL_USE_ONLY; sname= INTERNAL; value= 5;
   INFORMATION LABELS:
   WORDS:
   SENSITIVITY LABELS:
   WORDS:
   CLEARANCES:
   WORDS:
   CHANNELS:
   WORDS:
   PRINTER BANNERS:
   WORDS:
   ```
3. In the ACCREDITATION RANGE section, include only one classification and one valid compartment combination.
   The following example encodes the INTERNAL classification.
   ```
   ACCREDITATION RANGE:
   classification= INTERNAL; only valid compartment combinations:
   INTERNAL
   minimum clearance= INTERNAL;
   minimum sensitivity label= INTERNAL;
   minimum protect as classification= INTERNAL;
   ```
4. Encode the LOCAL DEFINITIONS section.
   For details, see Chapter 5, Customizing LOCAL DEFINITIONS.
5. Ensure that the file is syntactically correct.
   If the file does not pass chk_encodings, see How to Debug a label_encodings File. Otherwise, continue with How to Analyze and Verify the label_encodings File.
6. Configure labels so that they are not visible to users.
   For the steps, see How to Hide Labels From a User in Solaris Trusted Extensions Administrator’s Procedures.
Example 3.8. Defining the Accreditation Range in a Single-Label Encodings File

The following example shows the settings in the ACCREDITATION RANGE: section. A single ANY_CLASS classification is defined. Compartment words A, B, and REL CNTRY 1 are specified for all types of labels.

```
ACCREDITATION RANGE:
classification= ANY_CLASS; only valid compartment combinations:
ANY_CLASS A B REL CNTRY1
minimum clearance= ANY_CLASS A B REL CNTRY1;
minimum sensitivity label= ANY_CLASS A B REL CNTRY1;
minimum protect as classification= ANY_CLASS;
```
Example 3.9. Changing the Single Label Name

In this example, the label_encodings.example file is changed to handle a single-label company. The name= value is changed from SECRET to INTERNAL_USE_ONLY. The sname= value is changed from s to INTERNAL. Neither the value= nor the initial compartments= definition is changed.

```
CLASSIFICATIONS:
name= INTERNAL_USE_ONLY; sname= INTERNAL; value= 5; initial compartments= 4-5 190-239;
```

In the ACCREDITATION RANGE section, the short name of the classification is replaced. Also, the minimums are replaced with the new sname.

```
ACCREDITATION RANGE:
classification= INTERNAL; only valid compartment combinations:
INTERNAL
minimum clearance= INTERNAL;
minimum sensitivity label= INTERNAL;
minimum protect as classification= INTERNAL;
```
How to Add Sun Extensions to an Encodings File

You must be in the Security Administrator role in the global zone. You must have an encodings file that does not have a LOCAL DEFINITIONS section.

1. Add the LOCAL DEFINITIONS section to your file.
   Append the section from a Sun-supplied label_encodings file. Sun-supplied files are in the /etc/security/tsol directory.
2. Customize the extensions for your site.
   For details, see Modifying Sun Extensions (Task Map).
How to Debug a label_encodings File

You must be in the Security Administrator role in the global zone.

1. Edit the label_encodings file.
   Use the Edit Encodings action. For details, see How to Create a label_encodings File.
2. Check the entries in the INFORMATION LABELS: WORDS: section.
   The entries must exactly match the entries in the SENSITIVITY LABELS: WORDS: section. Encode the sensitivity label words, then copy the words to the INFORMATION LABELS section.
3. Check that no label in the user accreditation range has a value of 0 with no compartment bits.
   This step ensures that no label is indistinguishable from the label ADMIN_LOW.
4. Check that no label in the user accreditation range has a value of 255 with all compartment bits from 0 to 239.
   This step ensures that no label is indistinguishable from the label ADMIN_HIGH.
5. Check that no compartment has a value higher than 239.
   This step ensures that all labels can be mapped to CIPSO labels.
6. For labels that cannot be resolved, do the following:
   a. Reset any objects with the new labels to a low system label, ADMIN_LOW.
   b. Restore a known, usable label_encodings file from the backup.
   c. Use the chk_encodings -a command to analyze the label problems in the faulty file.
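Steps 2 through 5 are mechanical enough to script as a pre-check before you hand a draft file to chk_encodings. The script below is an added example and is not Sun's chk_encodings or any code from this documentation: it is a deliberately small parser that understands only the entry shapes shown in this chapter (name= / sname= / value= / compartments= pairs under CLASSIFICATIONS: and under the INFORMATION LABELS: and SENSITIVITY LABELS: WORDS: sections) and then applies the four checks. The two encodings texts embedded in it are constructed samples; one violates three of the checks, the other is in the shape of the single-label file above and passes.

```python
"""Offline sanity checks mirroring steps 2-5 of the debugging procedure.

Added example, not part of the Sun documentation and not the chk_encodings
program: a small parser for the entry shapes shown in this chapter, followed
by the word-match, ADMIN_LOW, ADMIN_HIGH and CIPSO-range checks. Sample
encodings text is constructed.
"""


def parse_entries(text):
    """Return {section_name: [entry_dict, ...]}.

    A line ending in ':' (with no '=') opens a section; a 'WORDS:' line is
    attached to the preceding section, e.g. 'SENSITIVITY LABELS WORDS'.
    Lines starting with '*' are comments. An entry is one line of
    'key= value;' pairs beginning with name=.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.endswith(":") and "=" not in line:
            head = line[:-1].strip()
            current = f"{current} {head}" if head == "WORDS" and current else head
            sections.setdefault(current, [])
            continue
        if current is None or not line.startswith("name="):
            continue
        entry = {}
        for pair in line.split(";"):
            if "=" in pair:
                key, value = pair.split("=", 1)
                entry[key.strip()] = value.strip()
        sections[current].append(entry)
    return sections


def compartment_bits(spec):
    """'4-5 190-239' -> {4, 5, 190, ..., 239}; a '~' (inverse word) prefix is ignored here."""
    bits = set()
    for tok in spec.split():
        tok = tok.lstrip("~")
        if "-" in tok:
            lo, hi = tok.split("-")
            bits.update(range(int(lo), int(hi) + 1))
        elif tok:
            bits.add(int(tok))
    return bits


def debug_checks(text):
    """Run the four checks; return a list of findings (an empty list means clean)."""
    sections = parse_entries(text)
    findings = []

    # Step 2: INFORMATION LABELS words must exactly match SENSITIVITY LABELS words.
    sl_words = [e.get("name") for e in sections.get("SENSITIVITY LABELS WORDS", [])]
    il_words = [e.get("name") for e in sections.get("INFORMATION LABELS WORDS", [])]
    if sl_words != il_words:
        findings.append("INFORMATION LABELS: WORDS: does not match SENSITIVITY LABELS: WORDS:")

    # Steps 3 and 4: no classification may collide with ADMIN_LOW (0, no bits)
    # or ADMIN_HIGH (255, all bits 0-239).
    all_bits = set(range(240))
    for cls in sections.get("CLASSIFICATIONS", []):
        value = int(cls.get("value", "-1"))
        initial = compartment_bits(cls.get("initial compartments", ""))
        if value == 0 and not initial:
            findings.append(f"{cls['name']}: value 0 with no compartments is indistinguishable from ADMIN_LOW")
        if value == 255 and initial >= all_bits:
            findings.append(f"{cls['name']}: value 255 with bits 0-239 is indistinguishable from ADMIN_HIGH")

    # Step 5: compartment bits above 239 cannot be mapped to CIPSO labels.
    for section, entries in sections.items():
        for e in entries:
            bits = compartment_bits(e.get("compartments", "")) | compartment_bits(e.get("initial compartments", ""))
            too_high = sorted(b for b in bits if b > 239)
            if too_high:
                findings.append(f"{section} {e['name']}: compartment bit(s) {too_high} exceed 239 (not CIPSO-mappable)")
    return findings


# Constructed sample that trips three of the checks.
BAD_SAMPLE = """\
VERSION= Constructed sample for the debug checks
CLASSIFICATIONS:
name= PUBLIC; sname= P; value= 1;
name= TOP; sname= T; value= 255; initial compartments= 0-239;
INFORMATION LABELS:
WORDS:
name= DIVISION ONLY; sname= DO; minclass= P; compartments= 4-5;
SENSITIVITY LABELS:
WORDS:
name= DIVISION ONLY; sname= DO; minclass= P; compartments= 4-5;
name= OVERFLOW; sname= OV; minclass= P; compartments= 240;
"""

# Constructed single-classification file in the shape of the single-label example.
CLEAN_SAMPLE = """\
CLASSIFICATIONS:
name= INTERNAL_USE_ONLY; sname= INTERNAL; value= 5;
INFORMATION LABELS:
WORDS:
SENSITIVITY LABELS:
WORDS:
"""

if __name__ == "__main__":
    for finding in debug_checks(BAD_SAMPLE):
        print("FINDING:", finding)
    print("clean file findings:", debug_checks(CLEAN_SAMPLE))
```

A clean result from this script is not a substitute for chk_encodings -a, which also validates the ACCREDITATION RANGE and the relationships between words; the script only catches the specific mistakes the procedure lists before you reach that stage.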