In this section the set of labels is defined in lists that include all of the following required aspects of labels:
Classifications
Other words
Relations between and among the words
Classification restrictions that are associated with use of each word
Intended use of the words in sensitivity labels and clearances
Intended use of the words in labeling system output, such as print and email
Because the four labels are hierarchical, the four labels are encoded as hierarchical classifications.
With the legal department's approval, the security administrator shortened the labels by omitting SecCompany Confidential: from the label names. Long classifications make labels hard to read in window frames, where a label name that does not fit is truncated from the right. Because the truncated names of all the labels above PUBLIC would begin with the words SECCOMPANY CONFIDENTIAL, they would be indistinguishable without manually extending the frame for each window.
The security administrator defined the following labels:
REGISTERED
NEED_TO_KNOW
INTERNAL_USE_ONLY
PUBLIC
The group names will be encoded as non-hierarchical compartments. Compartments will be restricted to appear only in labels that have the NEED_TO_KNOW classification. Compartment restrictions are encoded in the ACCREDITATION RANGE section under COMBINATION CONSTRAINTS.
User clearances will control which users can create files and directories that have a group name in the label. User clearances will also control which users can create documents that have a label with more than one group name along with the NEED_TO_KNOW classification.
The classifications and compartments in sensitivity labels and user clearances are used in mandatory access control (MAC). Therefore, the legal department's hierarchical labels and the group names need to be encoded as classifications and compartments so that they can be used in the labels that control which individual employees can access files and do other work.
SecCompany, Inc. defines a sensitivity label with the PUBLIC classification, which is assigned the lowest value in the User Accreditation Range, and another sensitivity label with the INTERNAL_USE_ONLY classification, which is assigned the next highest value above PUBLIC.
An employee with no authorizations whose clearance is PUBLIC and whose minimum label is PUBLIC is able to use the system as follows:
Works only in a PUBLIC workspace.
Creates files only at PUBLIC.
Reads email only at PUBLIC.
Uses printers that have PUBLIC in their label range.
In contrast, an employee with no authorizations whose clearance is INTERNAL_USE_ONLY is able to use the system as follows:
Works in either a PUBLIC or an INTERNAL_USE_ONLY workspace.
Creates files at either PUBLIC or INTERNAL_USE_ONLY, depending on the employee's current workspace.
Receives and sends email at either sensitivity label.
Can print a file that is labeled PUBLIC on any printer with PUBLIC in its label range. Can send a file labeled INTERNAL_USE_ONLY to any printer with INTERNAL_USE_ONLY in its label range.
When the sensitivity label of a printer job contains a group name compartment, the mandatory printer banner and trailer pages print the following text:
Distribute Only To Group Name
(Non-Disclosure Agreement Required)
The Print Without Labels authorization allows a user or role to use the lp -o nolabels option to suppress the printing of top and bottom labels on body pages of a print job. The Security Administrator role can give the Print Without Labels authorization to everyone or to no one.
The Print PostScript File authorization allows a user to submit a PostScript file to the printer. PostScript printing is usually not allowed because of the risk that a knowledgeable user can change the labels in the PostScript file.
To permit technical writers to produce master copies of documents without labels printed on them, the Security Administrator role gives the Print Without Labels and Print PostScript File authorizations to all the writers.
The security administrator creates security policies to enforce the labeling scheme.
The security administrator realizes that anyone with a clearance that includes the word REGISTERED can access any registered information anywhere in the company. Further precautions are needed. For example, users who have REGISTERED in their clearance must be instructed to use UNIX permissions to protect their files. Permissions should be set so that only the creator can look at or modify the file. The following example shows a user who is applying discretionary access control to protect the contents of a REGISTERED directory.
Example 6.2. Using DAC to Protect Registered Information
% plabel
REGISTERED
% mkdir registered.dir
% chmod 700 registered.dir
% cd registered.dir
% touch registered.file
% ls -l
-rwxrwxrwx registered.file
% chmod 600 registered.file
% ls -l
-rw------- registered.file
As shown in the example, the user who creates a file or directory while working at a sensitivity label of REGISTERED needs to set the file's permissions to be read and write for the owner only. Directory permissions are set to be readable, writable, and searchable only by the owner. These permissions ensure that another user who can work at REGISTERED cannot read the file. Note that chmod after creation leaves a window in which the new file carries its default permissions; setting umask 077 in the REGISTERED workspace before creating files closes that window, because every new file and directory is then created owner-only from the start.
The following table shows how printers that are available to various work groups need to be configured.
Table 6.1. Printer Label Range Example Settings in Various Locations

| Printer Location | Type of Access | Label Range |
|---|---|---|
| Lobby or public meeting room | Anyone | |
| Internal company printer room | Available to all employees and others who have signed nondisclosure agreements | |
| Restricted area for one group | Members of group specified in the | |
| Strictly controlled area | Available only to people who have the | |
See Chapter 15, Managing Labeled Printing (Tasks), in Solaris Trusted Extensions Administrator’s Procedures .
People who have access to restricted printers will be instructed to do the following:
Protect information according to the instructions on the printer banner and trailer pages.
Shred jobs that do not have both a banner and a trailer page. Also shred jobs that do not have matching job numbers on the banner and trailer pages.
The worksheet in the following table shows names and hierarchical values defined for the four classifications. Because the value 0 is reserved for the administrative ADMIN_LOW label, the value of the PUBLIC classification is set to 1. The values of the other classifications are set higher in ascending sensitivity.
The names of groups in the labels are specified later, as WORDS in the SENSITIVITY LABELS and CLEARANCES sections.
The following table defines the relationships between words and classifications. The relationships were determined by moving things around on the planning board in Figure 6–5. PUBLIC and INTERNAL_USE_ONLY can never appear in a label with any compartment. NEED_TO_KNOW can appear in a label with any of the compartments or all of the compartments.
Table 6.3. Compartments and User Accreditation Range Combinations Planner

| Classification | Compartment Name/ sname/ Bit | Combination Constraints |
|---|---|---|
| PUBLIC | | only valid combinations |
| INTERNAL_USE_ONLY | | only valid combinations |
| NEED_TO_KNOW | | all combinations valid |
| REGISTERED | | only valid combinations |
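The rules stated above (four hierarchical classifications with PUBLIC at value 1, group compartments that may appear only with NEED_TO_KNOW, clearances that must dominate any label a user works at, and printer label ranges) can be checked mechanically. The following model is an added example, not code from Trusted Extensions or from the original chapter; it serves the clearance walkthrough earlier in the section as well as the combination constraints described for Table 6.3. The group names G1, G2, G3, their bit numbers, and the assumption that REGISTERED carries no compartments are all assumptions, because the page leaves the compartment worksheet blank.

```python
"""Model of the SecCompany MAC labels described on this page (added example)."""
from dataclasses import dataclass

# Hierarchical classifications.  Value 0 is reserved for ADMIN_LOW, so
# PUBLIC starts at 1 and the others ascend in sensitivity.
CLASSIFICATIONS = {
    "PUBLIC": 1,
    "INTERNAL_USE_ONLY": 2,
    "NEED_TO_KNOW": 3,
    "REGISTERED": 4,
}

# Non-hierarchical compartments, one bit each (names and bits are assumed).
COMPARTMENTS = {"G1": 0, "G2": 1, "G3": 2}

# COMBINATION CONSTRAINTS: compartment sets permitted with each classification.
# None means "all combinations valid".
VALID_COMBINATIONS = {
    "PUBLIC": [frozenset()],             # never with a compartment
    "INTERNAL_USE_ONLY": [frozenset()],  # never with a compartment
    "NEED_TO_KNOW": None,                # any or all compartments
    "REGISTERED": [frozenset()],         # assumed: no compartments
}

MINIMUM_SENSITIVITY_LABEL = "PUBLIC"


@dataclass(frozen=True)
class Label:
    classification: str
    compartments: frozenset = frozenset()

    @property
    def bits(self) -> int:
        """Compartment set as the bit mask the encodings would store."""
        return sum(1 << COMPARTMENTS[c] for c in self.compartments)

    def dominates(self, other: "Label") -> bool:
        """MAC dominance: classification at least as high, compartments a superset."""
        return (CLASSIFICATIONS[self.classification] >= CLASSIFICATIONS[other.classification]
                and (self.bits & other.bits) == other.bits)

    def __str__(self) -> str:
        return " ".join([self.classification, *sorted(self.compartments)])


def parse_label(text: str) -> Label:
    """Parse 'CLASSIFICATION [COMPARTMENT ...]' and reject words not in the encodings."""
    words = text.split()
    if not words or words[0] not in CLASSIFICATIONS:
        raise ValueError(f"unknown classification in {text!r}")
    unknown = [w for w in words[1:] if w not in COMPARTMENTS]
    if unknown:
        raise ValueError(f"unknown compartment(s) {unknown} in {text!r}")
    return Label(words[0], frozenset(words[1:]))


def in_accreditation_range(label: Label) -> bool:
    """True if the label is at or above the minimum and its compartment set is permitted."""
    if CLASSIFICATIONS[label.classification] < CLASSIFICATIONS[MINIMUM_SENSITIVITY_LABEL]:
        return False
    allowed = VALID_COMBINATIONS[label.classification]
    return allowed is None or label.compartments in allowed


def can_work_at(clearance: Label, label: Label) -> bool:
    """A user may open a workspace or create files at `label` only if the label is
    in the accreditation range and the user's clearance dominates it."""
    return in_accreditation_range(label) and clearance.dominates(label)


def can_read(subject: Label, obj: Label) -> bool:
    """Read access requires the subject's label to dominate the object's label."""
    return subject.dominates(obj)


def can_print(job: Label, printer_min: Label, printer_max: Label) -> bool:
    """A print job is accepted only if its label lies within the printer's label range."""
    return job.dominates(printer_min) and printer_max.dominates(job)


if __name__ == "__main__":
    iuo = parse_label("INTERNAL_USE_ONLY")
    print(can_work_at(iuo, parse_label("PUBLIC")))               # True
    print(can_work_at(iuo, parse_label("NEED_TO_KNOW G1")))      # False: clearance too low
    print(in_accreditation_range(parse_label("PUBLIC G1")))      # False: constraint violated
```

Two checks worth noting: a clearance of NEED_TO_KNOW G1 cannot create a file labeled NEED_TO_KNOW G1 G2, which is the "more than one group name" rule from the planning text, and a REGISTERED clearance with no compartments does not dominate NEED_TO_KNOW G1, so the hierarchy alone does not grant access to group data.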
The security administrator uses the following table to keep track of which bits have been used for compartments.
The components of these labels are also assigned to users in clearances. The worksheet's Clearance Planner, Table 6–5, defines the label components to be used in clearances.
Key to Table 6–5:

| Abbreviation | Name |
|---|---|
Table 6.5. Clearance Planner

| CLASS | COMP | COMP | COMP | COMP | COMP | COMP | COMP | COMP | COMP | Notes |
|---|---|---|---|---|---|---|---|---|---|---|
| | | | | | | | | | | Highest, not used * |
| | | | | | | | | | | Assigned to selected personnel as needed ** |
| | | | | | | | | | | Assigned to |
| | | | | | | | | | | Assigned to system administrator |
| | | | | | | | | | | Assigned to employees and others with |
| | | | | | | | | | | Assigned to anyone |
* The highest possible label in the system consists of the highest classification and all of the defined compartments. Because no one should be able to access all information in all departments, this label is not in the user accreditation range. No one should be assigned this clearance.
** When working at the REGISTERED sensitivity label, the user should set permissions to restrict access to everyone except the owner. File permissions of 600 and directory permissions of 700 restrict access.
The SecCompany legal department wants the following to appear on printer banner and trailer pages.
SecCompany Confidential:
The PRINTER BANNERS section can be used to associate a string with any compartment that appears in the sensitivity label of the print job. In these encodings, only the NEED_TO_KNOW classification has compartments. The following table shows how the desired wording is specified as a prefix and assigned to each compartment. The abbreviation NTK is assigned to each channel so that the wording in the PRINTER BANNERS section includes the group name:
SecCompany Confidential: group-name
Table 6.6. SecCompany Printer Banners Planner

| Prefix | Printer Banner (Word, No Suffix) |
|---|---|
The SecCompany legal department wants the following handling instructions to appear on printer banner and trailer pages.
DISTRIBUTE ONLY TO group-name EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)
This goal is met by assigning in the CHANNELS section the same compartment bits that were assigned to group names earlier in this example. The SecCompany company plans to use the same group names both in the compartments and in the channels.
The words that come before the channel name are specified as prefixes and the words that come after the channel name are specified as suffixes. The security administrator specifies prefixes and suffixes in the following worksheets.
Table 6.7. SecCompany Channels Planner

| Prefix | Channel | Suffix |
|---|---|---|
The following minimums must be set:
Minimum sensitivity label
Minimum clearance
Minimum protect as classification
The SecCompany company wants employees to be able to use all the defined sensitivity labels. Also, the company wants to be able to assign the PUBLIC clearance to some employees. Therefore, the minimum sensitivity label and minimum clearance need to be set to PUBLIC.
The minimum protect as classification is printed on printer banner and trailer pages instead of the actual classification from the job's sensitivity label. The minimum protect as classification can be set higher than the actual minimum classification. However, the SecCompany company requirements allow the minimum protect as classification to always be equal to the real classification of the print job's sensitivity label. The security administrator specifies the value PUBLIC for the minimum sensitivity label, minimum clearance, and minimum protect as classification.
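The three printed elements described in the preceding sections, the PRINTER BANNERS prefix (Table 6.6), the CHANNELS prefix and suffix (Table 6.7), and the minimum protect as classification, combine into the text on a job's banner and trailer pages. The function below is an added example and is not code from Trusted Extensions or the original chapter; it builds that text for a job label and also shows what changes when the minimum protect as classification is raised above PUBLIC, which the page mentions as an option SecCompany does not take. The group names G1, G2, G3 are assumptions, as is the ordering of lines on the page.

```python
"""Banner and trailer text for a labeled print job (added example)."""

CLASSIFICATIONS = {"PUBLIC": 1, "INTERNAL_USE_ONLY": 2, "NEED_TO_KNOW": 3, "REGISTERED": 4}
GROUPS = ("G1", "G2", "G3")  # assumed compartment names; valid only with NEED_TO_KNOW

# PRINTER BANNERS: prefix + group name, no suffix (Table 6.6).
BANNER_PREFIX = "SecCompany Confidential:"
# CHANNELS: prefix + group name + suffix (Table 6.7).
CHANNEL_PREFIX = "DISTRIBUTE ONLY TO"
CHANNEL_SUFFIX = "EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED)"


def protect_as(classification: str, minimum_protect_as: str = "PUBLIC") -> str:
    """Classification printed on the banner: the job's own classification, unless
    the minimum protect as classification is higher, in which case that is printed."""
    if CLASSIFICATIONS[minimum_protect_as] > CLASSIFICATIONS[classification]:
        return minimum_protect_as
    return classification


def banner_lines(job_label: str, minimum_protect_as: str = "PUBLIC") -> list:
    """Lines that appear on the mandatory banner and trailer pages of a print job."""
    words = job_label.split()
    classification, compartments = words[0], words[1:]
    if classification not in CLASSIFICATIONS:
        raise ValueError(f"unknown classification {classification!r}")
    # Compartments are restricted to NEED_TO_KNOW by the COMBINATION CONSTRAINTS.
    if compartments and classification != "NEED_TO_KNOW":
        raise ValueError("compartments are permitted only with NEED_TO_KNOW")
    bad = [c for c in compartments if c not in GROUPS]
    if bad:
        raise ValueError(f"unknown compartment(s) {bad}")
    ordered = sorted(compartments, key=GROUPS.index)  # bit order, as on the banner
    lines = [protect_as(classification, minimum_protect_as)]
    lines += [f"{BANNER_PREFIX} {g}" for g in ordered]
    lines += [f"{CHANNEL_PREFIX} {g} {CHANNEL_SUFFIX}" for g in ordered]
    return lines


if __name__ == "__main__":
    for line in banner_lines("NEED_TO_KNOW G2 G1"):
        print(line)
```

With SecCompany's setting of PUBLIC, protect_as returns the job's real classification for every label, which is what the text says the company requires; a PUBLIC job prints INTERNAL_USE_ONLY only if the minimum protect as classification were raised to that value.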
The color that is assigned to a label displays in the background whenever the name of the label appears at the top of a window. The lettering is displayed in a color that is computed by the window system to complement the background. In our example, the security administrator chooses to keep the colors already assigned to the administrative labels in the default label_encodings file.
The administrator assigns green to PUBLIC, yellow to INTERNAL_USE_ONLY, blue to labels that contain NEED_TO_KNOW (with different shades of blue assigned to each compartment), and red to REGISTERED, as shown in the following table.
Table 6.8. SecCompany Color Names Planner

| Label or Name | Color |
|---|---|
| | #BDBDBD |
| PUBLIC | green |
| INTERNAL_USE_ONLY | yellow |
| NEED_TO_KNOW | blue |
| | #7FA9EB |
| | #87CEFF |
| | #00BFFF |
| | #7885D0 |
| | #7A67CD |
| | #7F7FFF |
| | #007FFF |
| | #0000BF |
| | #9E7FFF |
| | #5B85D0 |
| | #4D658D |
| | #5B85D0 |
| REGISTERED | red |
| | #636363 |