label_encodings(4) File Formats label_encodings(4)
NAME
label_encodings - label encodings file
SYNOPSIS
/etc/security/tsol/label_encodings
DESCRIPTION
The label_encodings file is a standard encodings file of security
labels that are used to control the conversion of human-readable labels
into an internal format, the conversion from the internal format to a
human-readable canonical form, and the construction of banner pages for
printed output. On a Solaris Trusted Extensions system, the
label_encodings file is protected at the label admin_high. The file
should be edited and checked by the security administrator using the
Check Label Encodings action in the System_Admin folder in the
Application Manager.
In addition to the required sections of the label encodings file that
are described in Compartmented Mode Workstation Labeling: Encodings
Format, a Solaris Trusted Extensions system accepts optional local
extensions. These extensions provide various translation options and an
association between character-coded color names and sensitivity labels.
The optional local extensions section starts with the
LOCAL DEFINITIONS: keyword and is followed by zero or more of the
following unordered statements:
DEFAULT USER SENSITIVITY LABEL= sensitivity label
This option specifies the sensitivity label to use as the user's
minimum sensitivity label if none is defined for the user in the
administrative databases. The default value is the
MINIMUM SENSITIVITY LABEL= value from the ACCREDITATION RANGE: section
of the label encodings file.
DEFAULT USER CLEARANCE= clearance
This option specifies the clearance to use as the user's clearance
if none is defined for the user in the administrative databases.
The default value is the MINIMUM CLEARANCE= value from the
ACCREDITATION RANGE: section of the label encodings file.
The final part of the LOCAL DEFINITIONS: section defines the character-
coded color names to be associated with various words, sensitivity
labels, or classifications. This section supports the
str_to_label(3TSOL) function. It consists of the COLOR NAMES: keyword
and is followed by zero or more color-to-label assignments. Each
statement has one of the following two syntaxes:
word= word value; color= color value;
label= label value; color= color value;
where color value is a character-coded color name to be associated with
the word word value, or with the sensitivity label label value, or with
the classification label value.
The character-coded color name color value for a label is determined by
the order of entries in the COLOR NAMES: section that make up the
label. If a label contains a word word value that is specified in this
section, the color value of the label is the one associated with the
first word value specified. If no specified word word value is
contained in the label, the color value is the one associated with an
exact match of a label value. If there is no exact match, the color
value is the one associated with the first specified label value whose
classification matches the classification of the label.
EXAMPLES
Example 1 A Sample LOCAL DEFINITIONS: Section
    LOCAL DEFINITIONS:
    DEFAULT USER SENSITIVITY LABEL= C A;
    DEFAULT USER CLEARANCE= S ABLE;
    COLOR NAMES:
        label= Admin_Low;      color= Pale Blue;
        label= unclassified;   color= light grey;
        word= Project A;       color= bright blue;
        label= c;              color= sea foam green;
        label= secret;         color= #ff0000;  * Hexadecimal RGB value
        word= Hotel;           color= Lavender;
        word= KeLO;            color= red;
        label= TS;             color= khaki;
        label= TS Elephant;    color= yellow;
        label= Admin_High;     color= shocking pink;
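The resolution order described under COLOR NAMES:, applied to the entries of Example 1. This is an added illustration, not Trusted Extensions code: norm(), parse_color_names() and resolve_color() are hypothetical helpers, names are assumed to compare case-insensitively, and a label is assumed to be supplied as a classification plus words spelled as they appear in the COLOR NAMES: entries.

```python
import re

# Constructed input: the COLOR NAMES: entries from Example 1 on this page.
SAMPLE = """\
COLOR NAMES:
    label= Admin_Low;      color= Pale Blue;
    label= unclassified;   color= light grey;
    word= Project A;       color= bright blue;
    label= c;              color= sea foam green;
    label= secret;         color= #ff0000;  * Hexadecimal RGB value
    word= Hotel;           color= Lavender;
    word= KeLO;            color= red;
    label= TS;             color= khaki;
    label= TS Elephant;    color= yellow;
    label= Admin_High;     color= shocking pink;
"""

ENTRY = re.compile(r"^\s*(word|label)=\s*(.+?);\s*color=\s*(.+?);")

def norm(s):
    # Assumption: names compare case-insensitively, whitespace collapsed.
    return " ".join(s.split()).lower()

def parse_color_names(text):
    """Return [(kind, value, color)] in file order; order decides precedence."""
    body = text.split("COLOR NAMES:", 1)[1]
    entries = []
    for line in filter(str.strip, body.splitlines()):   # skip blank lines
        m = ENTRY.match(line)                            # text after the 2nd ';' is comment
        if m is None:
            raise ValueError("unparseable COLOR NAMES entry: %r" % line)
        entries.append((m.group(1), norm(m.group(2)), m.group(3)))
    return entries

def resolve_color(entries, classification, words=()):
    """Model of the three-step rule: word, then exact label, then classification."""
    cls, have = norm(classification), {norm(w) for w in words}
    full = " ".join([cls] + [norm(w) for w in words])
    for kind, value, color in entries:          # 1. first listed word found in the label
        if kind == "word" and value in have:
            return color
    for kind, value, color in entries:          # 2. exact match of a label value
        if kind == "label" and value == full:
            return color
    for kind, value, color in entries:          # 3. first label with the same classification
        if kind == "label" and (value == cls or value.startswith(cls + " ")):
            return color
    return None                                  # nothing in COLOR NAMES: applies
```

With these entries, TS Elephant resolves to yellow through the exact-match step, but a label that also carries Hotel resolves to Lavender, because a listed word takes precedence over every label= entry.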
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬───────────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼───────────────────────────────────┤
│Availability │SUNWtsr │
├─────────────────────────────┼───────────────────────────────────┤
│Interface Stability │Mixed. See INTERFACE LEVEL, above. │
└─────────────────────────────┴───────────────────────────────────┘
FILES
/etc/security/tsol/label_encodings
The label encodings file contains the classification names, words,
constraints, and values for the defined labels of this system. It
is protected at the label admin_high.
DIAGNOSTICS
The following diagnostics are in addition to those found in Appendix A
of Compartmented Mode Workstation Labeling: Encodings Format:
Can't allocate NNN bytes for color names table.
The system cannot dynamically allocate the memory it needs to
process the COLOR NAMES: section.
Can't allocate NNN bytes for color table entry.
The system cannot dynamically allocate the memory it needs to
process a Color Table entry.
Can't allocate NNN bytes for color word entry.
The system cannot dynamically allocate the memory it needs to
process a Color Word entry.
Can't allocate NNN bytes for DEFAULT USER CLEARANCE.
The system cannot dynamically allocate the memory it needs to
process the DEFAULT USER CLEARANCE.
Can't allocate NNN bytes for DEFAULT USER SENSITIVITY LABEL.
The system cannot dynamically allocate the memory it needs to
process the DEFAULT USER SENSITIVITY LABEL.
DEFAULT USER CLEARANCE= XXX is not in canonical form. Is YYY what is
intended?
This error occurs if the clearance specified, while understood, is
not in canonical form. This additional canonicalization check
ensures that no errors are made in specifying the clearance.
DEFAULT USER SENSITIVITY LABEL= XXX is not in canonical form. Is YYY
what is intended?
This error occurs if a sensitivity label specified, while
understood, is not in canonical form. This additional canonicalization
check ensures that no errors are made in specifying the sensitivity
label.
Duplicate DEFAULT USER CLEARANCE= ignored.
More than one DEFAULT USER CLEARANCE= option was encountered. All
but the first are ignored.
Duplicate DEFAULT USER SENSITIVITY LABEL= ignored.
More than one DEFAULT USER SENSITIVITY LABEL= option was
encountered. All but the first are ignored.
End of File not found where expected. Found instead: XXX.
The noted extraneous text was found when the end of label encodings
file was expected.
End of File or LOCAL DEFINITIONS: not found. Found instead: XXX.
The noted extraneous text was found when the LOCAL DEFINITIONS:
section or end of label encodings file was expected.
Found color XXX without associated label.
The color XXX was found, however it had no label or word associated
with it.
Invalid color label XXX.
The label XXX cannot be parsed.
Invalid DEFAULT USER CLEARANCE XXX.
The DEFAULT USER CLEARANCE XXX cannot be parsed.
Invalid DEFAULT USER SENSITIVITY LABEL XXX.
The DEFAULT USER SENSITIVITY LABEL XXX cannot be parsed.
Label preceding XXX did not have a color specification.
A label or word was found without a matching color name.
Word XXX not found as a valid Sensitivity Label word.
The word XXX was not found as a valid word for a sensitivity label.
SEE ALSO
chk_encodings(1M), label_to_str(3TSOL), str_to_label(3TSOL),
attributes(5), labels(5)
Solaris Trusted Extensions Label Administration
Defense Intelligence Agency document DDS-2600-6216-93, Compartmented
Mode Workstation Labeling: Encodings Format, September 1993.
WARNINGS
Creation of and modification to the label encodings file should only be
undertaken with a thorough understanding not only of the concepts in
Compartmented Mode Workstation Labeling: Encodings Format, but also of
the details of the local labeling requirements.
The following warnings are paraphrased from Compartmented Mode
Workstation Labeling: Encodings Format.
Take extreme care when modifying a label encodings file that is already
loaded and running on a Solaris Trusted Extensions system. Once the
system runs with the label encodings file, many objects are labeled
with sensitivity labels that are well formed with respect to the loaded
label encodings file. If the label encodings file is subsequently
changed, it is possible that the existing labels will no longer be
well-formed. Changing the bit patterns associated with words causes
existing objects whose labels contain the words to have possibly
invalid labels. Raising the minimum classification or lowering the
maximum classification that is associated with words will likely cause
existing objects whose labels contain the words to no longer be well-
formed.
Changes to a current encodings file that has already been used should
be limited only to adding new classifications or words, changing the
names of existing words, or modifying the local extensions. As
described in Compartmented Mode Workstation Labeling: Encodings Format,
it is important to reserve extra inverse bits when the label encodings
file is first created to allow for later expansion of the label
encodings file to incorporate new inverse words. If an inverse word is added
that does not use reserved inverse bits, all existing objects on the
system will erroneously have labels that include the new inverse word.
NOTES
The functionality described on this manual page is available only if
the system is configured with Trusted Extensions.
This file is part of the Defense Intelligence Agency (DIA) Mandatory
Access Control (MAC) policy and might be meaningful only for the DIA
MAC policy. This file might not be applicable to other Mandatory
policies that might be developed for future releases of Solaris Trusted
Extensions software. Parts of it are obsolete and retained for ease of
porting. The obsolete parts might be removed in a future Solaris
Trusted Extensions release.
Parts of the label_encodings file are considered standard and are
controlled by Defense Intelligence Agency document DDS-2600-6216-93,
Compartmented Mode Workstation Labeling: Encodings Format, September 1993.
Of that standard, the parts that refer to the INFORMATION LABELS: and
NAME INFORMATION LABELS: sections are Obsolete. However, the
INFORMATION LABELS: section must be present and syntactically correct. It is
ignored. The NAME INFORMATION LABELS: section is optional. If present,
it is ignored but must be syntactically correct.
Defining the label encodings file is a three-step process. First, the
set of human-readable labels to be represented must be identified and
understood. The definition of this set includes the list of
classifications and other words that are used in the human-readable labels,
relations between and among the words, classification restrictions that are
associated with use of each word, and intended use of the words in
mandatory access control and labeling system output. Next, this
definition is associated with an internal format of integers, bit patterns,
and logical relationship statements. Finally, a label encodings file
is created. The Compartmented Mode Workstation Labeling: Encodings
Format document describes the second and third steps, and assumes that the
first has already been performed.
The following values in the optional LOCAL DEFINITIONS: section are
obsolete. These values might only affect the obsolete bltos(3TSOL)
functions, and might be ignored by the label_to_str(3TSOL) replacement
function:
o ADMIN LOW NAME=
o ADMIN HIGH NAME=
o DEFAULT LABEL VIEW IS EXTERNAL
o DEFAULT LABEL VIEW IS INTERNAL
o DEFAULT FLAGS=
o FORCED FLAGS=
o CLASSIFICATION NAME=
o COMPARTMENTS NAME=
SunOS 5.10 20 Jul 2007 label_encodings(4)