Solaris Trusted Extensions Label Administration

Editing and Installing the label_encodings File

The install team makes a printed copy and an online copy of the installed label_encodings file. These copies are used in case of problems with the new version of the file that the Security Administrator role supplies.

The Security Administrator role uses a text editor to create the label_encodings file, and then uses the Check Encodings action to check the file. If the file passes Check Encodings, the action offers the option of installing the new version. When the Security Administrator role answers Yes, Check Encodings backs up the current version of the label_encodings file, and creates a new label_encodings file.

Encoding the Version

The following example shows the VERSION string modified to contain the name of the company, a title, a version number, and a date.

Example 6-3 SecCompany VERSION Entry
VERSION= SecCompany, Inc. Example Version - 2.2 00/04/18

Encoding the Classifications

The following example shows the SecCompany classifications and values from Table 6-2, Table 6-3 and Table 6-4 added to the CLASSIFICATIONS section.

Example 6-4 SecCompany CLASSIFICATIONS Section
CLASSIFICATIONS:

name= PUBLIC; sname= PUBLIC; value= 1;
name= INTERNAL_USE_ONLY; sname= INTERNAL; aname= INTERNAL; value= 4;
name= NEED_TO_KNOW; sname= NEED_TO_KNOW; aname= NEED_TO_KNOW; value= 5;
name= REGISTERED; sname= REGISTERED; aname= REGISTERED; value= 6;

Note - A classification cannot contain the slash (/) or comma (,) character. The classifications are specified from the lowest value to the highest.


Encoding the Sensitivity Labels

The compartments in Table 6-3 are encoded in the following example. The labels do not have any required combinations or combination constraints.

Example 6-5 SecCompany WORDS in the SENSITIVITY LABELS Section
SENSITIVITY LABELS:

WORDS:

name= ALL_DEPARTMENTS; sname= ALL; compartments= 11-20;
minclass= NEED_TO_KNOW;
name= EXECUTIVE_MGT_GROUP; sname= EMGT; compartments= 11;
minclass= NEED_TO_KNOW;
name= SALES; sname= SALES; compartments= 12;
minclass= NEED_TO_KNOW;
name= FINANCE; sname= FINANCE; compartments= 13;
minclass= NEED_TO_KNOW;
name= LEGAL; sname= LEGAL; compartments= 14;
minclass= NEED_TO_KNOW;
name= MARKETING; sname= MKTG; compartments= 15 20; minclass= NEED_TO_KNOW;
name= HUMAN_RESOURCES; sname= HR; compartments= 16; minclass= NEED_TO_KNOW;
name= ENGINEERING; sname= ENG; compartments= 17 20; minclass= NEED_TO_KNOW;
name= MANUFACTURING; sname= MANUFACTURING; compartments= 18;
minclass= NEED_TO_KNOW;
name= SYSTEM_ADMINISTRATION; sname= SYSADM; compartments= 19;
minclass= NEED_TO_KNOW;
name= PROJECT_TEAM; sname= P_TEAM; compartments= 20; minclass= NEED_TO_KNOW;

REQUIRED COMBINATIONS:

COMBINATION CONSTRAINTS:

Encoding the Information Labels

Even though information labels are not used, values must be supplied under the INFORMATION LABELS: WORDS: section for the file to pass the encodings check. The Security Administrator role copies the words from the SENSITIVITY LABELS: WORDS: section, as shown in the following example.

Example 6-6 SecCompany WORDS in the INFORMATION LABELS Section
INFORMATION LABELS:

WORDS:

name= ALL_DEPARTMENTS; sname= ALL; compartments= 11-20;
minclass= NEED_TO_KNOW;
name= EXECUTIVE_MGT_GROUP; sname= EMGT; compartments= 11;
minclass= NEED_TO_KNOW;
name= SALES; sname= SALES; compartments= 12;
minclass= NEED_TO_KNOW;
name= FINANCE; sname= FINANCE; compartments= 13;
minclass= NEED_TO_KNOW;
name= LEGAL; sname= LEGAL; compartments= 14;
minclass= NEED_TO_KNOW;
name= MARKETING; sname= MKTG; compartments= 15 20; minclass= NEED_TO_KNOW;
name= HUMAN_RESOURCES; sname= HR; compartments= 16; minclass= NEED_TO_KNOW;
name= ENGINEERING; sname= ENG; compartments= 17 20; minclass= NEED_TO_KNOW;
name= MANUFACTURING; sname= MANUFACTURING; compartments= 18;
minclass= NEED_TO_KNOW;
name= SYSTEM_ADMINISTRATION; sname= SYSADM; compartments= 19;
minclass= NEED_TO_KNOW;
name= PROJECT_TEAM; sname= P_TEAM; compartments= 20; minclass= NEED_TO_KNOW;

REQUIRED COMBINATIONS:

COMBINATION CONSTRAINTS:

Encoding the Clearances

Because the clearance words are the same as the sensitivity labels words, the words in the following example are the same as the words in Example 6-5.

Example 6-7 SecCompany WORDS in the CLEARANCES Section
CLEARANCES:

WORDS:

name= ALL_DEPARTMENTS; sname= ALL; compartments= 11-20; minclass= NEED_TO_KNOW;
name= EXECUTIVE_MANAGEMENT_GROUP; sname= EMGT; compartments= 11; 
minclass= NEED_TO_KNOW;
name= SALES; sname= SALES; compartments= 12; minclass= NEED_TO_KNOW;
name= FINANCE; sname= FINANCE; compartments= 13; minclass= NEED_TO_KNOW;
name= LEGAL; sname= LEGAL; compartments= 14; minclass= NEED_TO_KNOW;
name= MARKETING; sname= MKTG; compartments= 15 20; minclass= NEED_TO_KNOW;
name= HUMAN_RESOURCES; sname= HR; compartments= 16; minclass= NEED_TO_KNOW;
name= ENGINEERING; sname= ENG; compartments= 17 20; minclass= NEED_TO_KNOW;
name= MANUFACTURING; sname= MANUFACTURING; compartments= 18; minclass= NEED_TO_KNOW;
name= SYSTEM_ADMINISTRATION; sname= SYSADM; compartments= 19; minclass= NEED_TO_KNOW;
name= PROJECT_TEAM; sname= P_TEAM; compartments= 20;
minclass= NEED_TO_KNOW;

REQUIRED COMBINATIONS:

COMBINATION CONSTRAINTS:
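
The following Python sketch is an added example, not part of the original guide or of the Check Encodings action. It parses WORDS entries in the forms used in Example 6-5 and Example 6-7, expands the compartments values into bit sets, and compares the two sections by sname. The function names are hypothetical, and only the entry forms shown on this page are handled.

```python
import re

# Constructed sample: a subset of the entries in Example 6-5 and Example 6-7.
SENSITIVITY_WORDS = """
name= ALL_DEPARTMENTS; sname= ALL; compartments= 11-20;
minclass= NEED_TO_KNOW;
name= EXECUTIVE_MGT_GROUP; sname= EMGT; compartments= 11;
minclass= NEED_TO_KNOW;
name= MARKETING; sname= MKTG; compartments= 15 20; minclass= NEED_TO_KNOW;
name= PROJECT_TEAM; sname= P_TEAM; compartments= 20; minclass= NEED_TO_KNOW;
"""
CLEARANCE_WORDS = """
name= ALL_DEPARTMENTS; sname= ALL; compartments= 11-20; minclass= NEED_TO_KNOW;
name= EXECUTIVE_MANAGEMENT_GROUP; sname= EMGT; compartments= 11;
minclass= NEED_TO_KNOW;
name= MARKETING; sname= MKTG; compartments= 15 20; minclass= NEED_TO_KNOW;
name= PROJECT_TEAM; sname= P_TEAM; compartments= 20;
minclass= NEED_TO_KNOW;
"""

def expand(spec):
    """Expand a compartments value such as '11-20' or '15 20' into a bit set."""
    bits = set()
    for tok in spec.split():
        lo, _, hi = tok.partition("-")
        bits.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(bits)

def parse_words(text):
    """Map each sname to (name, compartment bits, minclass) for one WORDS block."""
    words = {}
    for chunk in re.split(r"(?<!\w)name=", text)[1:]:  # an entry starts at name=
        f = {k: v.strip() for k, v in re.findall(r"(\w+)=([^;]*);", "name=" + chunk)}
        words[f["sname"]] = (f["name"], expand(f["compartments"]), f["minclass"])
    return words

def section_diff(a, b):
    """snames whose bits or minclass differ, or that exist in only one section."""
    return sorted(s for s in a.keys() | b.keys()
                  if s not in a or s not in b or a[s][1:] != b[s][1:])

def renamed(a, b):
    """snames present in both sections whose long names differ."""
    return sorted(s for s in a.keys() & b.keys() if a[s][0] != b[s][0])

def implied_by(words, sname):
    """Other words whose bits are all set whenever `sname` is in a label."""
    bits = words[sname][1]
    return sorted(s for s, w in words.items() if s != sname and w[1] <= bits)
```

On the constructed sample, the bit and minclass comparison finds no differences, EMGT is reported as having a different long name in the two sections, and MKTG is shown to set the PROJECT_TEAM bit as well as its own.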

Encoding the Channels

This example is encoded with one channel for each group name compartment. Each channel uses the same compartment bits that are assigned to the compartment words in the SENSITIVITY LABELS: WORDS: section. The prefix is defined as DISTRIBUTE ONLY TO. The suffix is defined as (NON-DISCLOSURE AGREEMENT REQUIRED).

DISTRIBUTE ONLY TO group-name (NON-DISCLOSURE AGREEMENT REQUIRED)

The channel specifications in the following example create the desired wording in the handling instructions section.


Note - The prefixes and suffixes are defined at the top of the section as shown in the following example. No compartments are assigned to them. The prefixes and suffixes are used to define the channels.


Example 6-8 SecCompany WORDS in the CHANNELS Section
CHANNELS:

WORDS:

name= DISTRIBUTE_ONLY_TO;       prefix;
name= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
suffix;

name= EXECUTIVE_MANAGEMENT_GROUP;
prefix= DISTRIBUTE_ONLY_TO; compartments= 11;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= SALES; prefix= DISTRIBUTE_ONLY_TO; compartments= 12;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= FINANCE; prefix= DISTRIBUTE_ONLY_TO; compartments= 13;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= LEGAL; prefix= DISTRIBUTE_ONLY_TO; compartments= 14;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= MARKETING; prefix= DISTRIBUTE_ONLY_TO;
compartments= 15 20;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= HUMAN_RESOURCES; prefix= DISTRIBUTE_ONLY_TO;
compartments= 16;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= ENGINEERING; prefix= DISTRIBUTE_ONLY_TO;
compartments= 17 20;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= MANUFACTURING; prefix= DISTRIBUTE_ONLY_TO;
compartments= 18;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= SYSTEM_ADMINISTRATION; prefix= DISTRIBUTE_ONLY_TO;
compartments= 19;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);
name= PROJECT_TEAM; prefix= DISTRIBUTE_ONLY_TO; compartments= 20;
suffix= EMPLOYEES (NON-DISCLOSURE AGREEMENT REQUIRED);

Encoding the Printer Banners


Note - The term printer banners has a specialized meaning in the label_encodings file. A printer banner appears as a string on the printer banner page when the compartment that is associated with it appears in a job's label.


The printer banner specifications that are shown in the following example create the desired wording in the PRINTER BANNERS section. For a sample banner page, see Figure 4-2.


Note - Prefixes are defined at the top of the section, as shown in the following example. The prefixes have no assigned compartments.


Example 6-9 SecCompany WORDS in the PRINTER BANNERS Section
PRINTER BANNERS:

WORDS:

name= COMPANY CONFIDENTIAL:;       prefix;

name= ALL_DEPARTMENTS; prefix= COMPANY CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 11-20;
name= EXECUTIVE_MANAGEMENT_GROUP; prefix= COMPANY CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 11;
name= SALES; prefix= COMPANY CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 12;
name= FINANCE; prefix= COMPANY CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 13;
name= LEGAL; prefix= COMPANY CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 14;
name= MARKETING; prefix= COMPANY CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 15 20;
name= HUMAN_RESOURCES; prefix= COMPANY CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 16;
name= ENGINEERING; prefix= COMPANY CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 17 20;
name= MANUFACTURING; prefix= COMPANY CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 18;
name= SYSTEM_ADMINISTRATION; prefix= COMPANY CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 19;
name= PROJECT_TEAM; prefix= COMPANY CONFIDENTIAL:;
suffix=(NON-DISCLOSURE AGREEMENT REQUIRED); compartments= 20;

Encoding the Accreditation Range

The combination constraints from Table 6-3, and the minimum clearance, minimum sensitivity label and minimum protect as classification from Planning the Minimums in an Accreditation Range are encoded in the ACCREDITATION RANGE: section in the following example. PUBLIC and INTERNAL_USE_ONLY are defined to never appear in a label with any compartment. NEED_TO_KNOW is defined to appear in a label with any combination of compartments. REGISTERED is defined to appear with no compartments.

Example 6-10 SecCompany ACCREDITATION RANGE Section
ACCREDITATION RANGE:

classification= PUBLIC; only valid compartment combinations:

PUBLIC

classification= INTERNAL_USE_ONLY; only valid compartment combinations:

INTERNAL

classification= NEED_TO_KNOW; all compartment combinations valid;

classification= REGISTERED; only valid compartment combinations:

REGISTERED


minimum clearance= PUBLIC;
minimum sensitivity label= PUBLIC;
minimum protect as classification= PUBLIC;
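
The following Python sketch is an added example, not part of the original guide. It parses the rules of Example 6-10 and evaluates a candidate label against both the minclass of the compartment words and the accreditation range. The function names are hypothetical, only the two rule forms shown on this page are handled, and the minimum settings are not evaluated.

```python
import re

# Constructed input: the rules of Example 6-10 with blank lines removed.
ACCREDITATION = """\
classification= PUBLIC; only valid compartment combinations:
PUBLIC
classification= INTERNAL_USE_ONLY; only valid compartment combinations:
INTERNAL
classification= NEED_TO_KNOW; all compartment combinations valid;
classification= REGISTERED; only valid compartment combinations:
REGISTERED
minimum clearance= PUBLIC;
minimum sensitivity label= PUBLIC;
minimum protect as classification= PUBLIC;
"""
# Classification values from Example 6-4; every word in Example 6-5 has
# minclass= NEED_TO_KNOW.
CLASS_VALUE = {"PUBLIC": 1, "INTERNAL_USE_ONLY": 4, "NEED_TO_KNOW": 5, "REGISTERED": 6}
WORD_MINCLASS = "NEED_TO_KNOW"

def parse_range(text):
    """Map each classification to None (all combinations valid) or to the
    set of word combinations listed as the only valid ones."""
    rules, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"classification=\s*(\w+);\s*(.*)", line)
        if m:
            current = m.group(1)
            rules[current] = None if m.group(2).startswith("all") else set()
        elif line.startswith("minimum"):
            current = None                      # the rule list has ended
        elif line and current and rules[current] is not None:
            # A listed label: the classification as written, then any words.
            rules[current].add(frozenset(line.split()[1:]))
    return rules

def evaluate(rules, classification, words=()):
    """Return 'below minclass', 'outside accreditation range' or 'in range'.
    `words` holds the snames of the compartment words in the label."""
    if words and CLASS_VALUE[classification] < CLASS_VALUE[WORD_MINCLASS]:
        return "below minclass"
    allowed = rules[classification]
    if allowed is not None and frozenset(words) not in allowed:
        return "outside accreditation range"
    return "in range"

RULES = parse_range(ACCREDITATION)
```

A label such as REGISTERED SALES satisfies the minclass of SALES but is reported as outside the accreditation range, while INTERNAL_USE_ONLY SALES is already rejected by the minclass check.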

Encoding the Local Definitions

SecCompany, Inc. encodes site column headers and colors in the LOCAL DEFINITIONS section.

Encoding the Column Headers in Label Builders

Label builders are displayed whenever you need to set a label. The following example shows the modifications that changed the default values for the Classification Name and Compartments Name in the label builders.

Example 6-11 SecCompany Headers in label_encodings File

The following excerpt shows the modifications that changed the column headers in the label builders. The SecCompany Security Administrator role modified the compartment name.

Classification Name= Classification;
Compartments Name= Department;

Encoding the Color Names

The color names that are used in Example 6-12 were taken from the worksheet in Table 6-8.

Example 6-12 SecCompany COLOR NAMES Section
COLOR NAMES:

        label= Admin_Low;       color= #bdbdbd;

        label= PUBLIC;        color= green;
        label= INTERNAL_USE_ONLY;  color= yellow;
        label= NEED_TO_KNOW;  color= blue;
        label= NEED_TO_KNOW EMGT;  color= #7FA9EB;
        label= NEED_TO_KNOW SALES;  color= #87CEFF;
        label= NEED_TO_KNOW FINANCE;  color= #00BFFF;
        label= NEED_TO_KNOW LEGAL;  color= #7885D0;
        label= NEED_TO_KNOW MKTG;  color= #7A67CD;
        label= NEED_TO_KNOW HR;  color= #7F7FFF;
        label= NEED_TO_KNOW ENG;  color= #007FFF;
        label= NEED_TO_KNOW MANUFACTURING;  color= #0000BF;
        label= NEED_TO_KNOW PROJECT_TEAM;  color= #9E7FFF;
        label= NEED_TO_KNOW SYSADM; color= #5B85D0;
        label= NEED_TO_KNOW ALL; color= #4D658D;
        label= REGISTERED;  color= red;

        label= Admin_High;      color= #636363;

*
* End of local site definitions