Understanding Labels
The Solaris Trusted Extensions software provides a set of policies and services
to extend the security features of the Solaris OS. These extensions provide
access control that is based on label relationships.
Labels control access to data and maintain the classification of data. The
labels are attributes that are interpreted by the system security policy. The
system security policy is the set of rules that is enforced by system software
to protect information that is being processed on the system. The term
security policy can refer to the policy itself or to the implementation of
the policy. For more information, see Trusted Extensions Security Policy.
This section includes overview information about label types, ranges, components, and relationships.
Label Types
The Trusted Extensions software defines two types of labels: sensitivity labels and
clearance labels. A sensitivity label indicates the security level of an entity and
is usually referred to as a label. A clearance label defines the upper
boundary of a label range and is usually referred to as a
clearance.
Sensitivity Labels
The Trusted Extensions software uses zones to contain classified information at various
levels. Each level is associated with its own zone that has a
sensitivity label. The sensitivity label specifies the sensitivity of the information in
that zone and is applied to all of the subjects and objects
in that zone. A label might be something like CONFIDENTIAL, SECRET, or
TOP SECRET. A subject is an active entity, such as a process, that
causes information to flow among objects or changes a system's state. An
object is a passive entity that contains or receives data, such as
a file or device. All processes that run in a zone, all
files that are contained in a zone, and so on, have the
same sensitivity label as their zone. All processes and objects have a
sensitivity label that is used in mandatory access control (MAC) decisions. By
default, sensitivity labels are visible in the windowing system.
Clearance Labels
The security administrator assigns a clearance to each user. A clearance is
a label that defines the upper boundary of a label range. For
example, if you have a clearance of SECRET, you can access information
that is classified at this level or lower, but not information that
is classified at a higher level. A user clearance is assigned by the
security administrator. It is the highest label at which a user can
access files and initiate processes during a session. In other words, a
user clearance is the upper boundary of a user's account label range.
At login, a user selects a session clearance. The session clearance determines which
labels a user can access. The session clearance sets the least upper bound at
which the user can access files and initiate processes during that login
session. The session clearance is dominated by the user clearance.
Label Ranges
The security administrator defines label ranges and label sets to enforce mandatory access control
(MAC) policy. A label range is a set of labels that is bounded
at the upper end by a clearance or a limit and at
the lower end by a minimum label. A label limit is the upper
bound of a label range. A label set contains one or more discrete
labels that might be disjoint from one another. Labels in a label
set do not dominate one another.
Label Components
A label contains a hierarchical classification and a set of zero or
more nonhierarchical compartments. A classification is also referred to as a level
or a security level. A classification represents a single level within a
hierarchy of labels, for example, TOP SECRET or UNCLASSIFIED. A compartment is associated
with a classification and represents a distinct, nonhierarchical area of information in
a system, such as private information for a human resources (HR) group
or a sales group. A compartment limits access only to users who
need to know the information in a particular area. For example, a
user with a SECRET classification only has access to the secret information
that is specified by the associated list of compartments, not to any
other secret information. The classification and compartments together represent the label of
the zone and the resources within that zone.
The textual format of a classification is specified in the label_encodings file
and appears similar to this:
CLASSIFICATIONS:
name= CONFIDENTIAL; sname= C; value= 4; initial compartments= 4-5 190-239;
name= REGISTERED; sname= REG; value= 6; initial compartments= 4-5 190-239;
The textual format of a compartment is specified in the label_encodings file
and appears similar to this:
WORDS:
name= HR; minclass= C; compartments= 0;
For more information about label definitions and label formats, see Solaris Trusted Extensions Label Administration and
Compartmented Mode Workstation Labeling: Encodings Format. For information about the label APIs, see Chapter 2, Labels and Clearances.
Label Relationships
Comparing labels means that the label of a process is compared to
the label of a target, which might be a sensitivity label or
a clearance label. Based on the result of the comparison, the process
is either granted access or denied access to the object. Access is
granted only when the label of the process dominates the label of
the target. Label relationships and dominance are described later in this section.
For examples, see Determining the Relationship Between Two Labels.
A security level is a numerical classification. A label indicates the security level
of an entity and might include zero or more compartments. An entity
is something that can be labeled, such as a process, zone, file,
or device.
Labels are of the following types and relate to each other in
these ways:
Equal – When one label is equal to another label, both of these statements are true:
Dominant – When one label dominates another label, both of these statements are true:
Strictly dominant – When one label strictly dominates another label, both of these statements are true:
Disjoint – When one label is disjoint with another label, both of these statements are true:
The label_encodings file is used to specify the classifications and compartments for
labels. See the label_encodings(4) man page.
When any type of label has a security level that is equal
to or greater than the security level of a second label, the
first label is said to dominate the second label. This comparison of
security levels is based on classifications and compartments in the labels. The
classification of the dominant label must be equal to or greater than
the classification of the second label. Additionally, the dominant label must include
all the compartments in the second label. Two equal labels are said
to dominate each other.
In the following sample excerpt of the label_encodings file, the REGISTERED (REG)
label dominates the CONFIDENTIAL (C) label. The comparison is based on the
value of each label's value keyword. The value of the REG label's
value keyword is numerically greater than or equal to the value of
the C label's value keyword. Both labels dominate the PUBLIC (P) label.
The value of the initial compartments keyword shows the list of compartments that
are initially associated with the classification. Each number in the initial compartments keyword
is a compartment bit, each of which represents a particular compartment.
CLASSIFICATIONS:
name= PUBLIC; sname= P; value= 1;
name= CONFIDENTIAL; sname= C; value= 4; initial compartments= 4-5 190-239;
name= REGISTERED; sname= REG; value= 6; initial compartments= 4-5 190-239;
The following label_encodings excerpt shows that the REG HR label (Human Resources) dominates
the REG label. The REG HR label has the REGISTERED classification and the
HR compartment. The compartments keyword for the HR compartment sets the 0
compartment bit, so the REG HR label has compartments 0, 4–5, and 190–239
set, which is more than the compartments set by the REG classification alone.
CLASSIFICATIONS:
name= REGISTERED; sname= REG; value= 6; initial compartments= 4-5 190-239;
...
WORDS:
name= HR; minclass= C; compartments= 0;
Sometimes, strict dominance is required to access an object. In the previous
examples, the REG label strictly dominates the P label, and the REG HR
label strictly dominates the REG label. When comparing labels, a REG label
dominates another REG label.
Labels that do not dominate each other are said to be disjoint.
A disjoint label might be used to separate departments in a company.
In the following example, the REG HR label (Human Resources) is defined as
being disjoint from the REG Sales label. These labels are disjoint because each
compartment sets a different compartment bit.
CLASSIFICATIONS:
name= REGISTERED; sname= REG; value= 6; initial compartments= 4-5 190-239;
...
WORDS:
name= HR; minclass= C; compartments= 0;
name= Sales; minclass= C; compartments= 1;
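A small Python model of the dominance, strict dominance and disjointness rules described above, added here as an illustration; it is not part of the Solaris documentation or of the Trusted Extensions label API. It parses the sample label_encodings lines quoted on this page (handling only the name, sname, value, initial compartments, minclass and compartments keywords shown here, which is an assumption about the format) and compares the REG, C, P, REG HR and REG Sales labels.

```python
# Added model of label dominance; a label is (classification value, compartment bits).
ENCODINGS = """\
CLASSIFICATIONS:
name= PUBLIC; sname= P; value= 1;
name= CONFIDENTIAL; sname= C; value= 4; initial compartments= 4-5 190-239;
name= REGISTERED; sname= REG; value= 6; initial compartments= 4-5 190-239;
WORDS:
name= HR; minclass= C; compartments= 0;
name= Sales; minclass= C; compartments= 1;
"""  # constructed copy of the sample lines quoted on this page
def _bits(spec):
    """Expand a bit list such as '4-5 190-239' into a set of compartment bit numbers."""
    bits = set()
    for tok in spec.split():
        lo, _, hi = tok.partition("-")
        bits.update(range(int(lo), int(hi or lo) + 1))
    return bits

def parse_encodings(text):
    """Return {sname: (value, initial bits)} and {word name: (minclass sname, bits)}."""
    classes, words, section = {}, {}, None
    for line in text.splitlines():
        if line.endswith(":"):          # section header: CLASSIFICATIONS: or WORDS:
            section = line[:-1]
            continue
        f = {k.strip(): v.strip() for k, v in
             (kv.split("=", 1) for kv in line.rstrip(";").split(";"))}
        if section == "CLASSIFICATIONS":
            classes[f["sname"]] = (int(f["value"]), _bits(f.get("initial compartments", "")))
        elif section == "WORDS":
            words[f["name"]] = (f["minclass"], _bits(f["compartments"]))
    return classes, words

def make_label(text, enc=None):
    """Build a label such as 'REG HR'; a word may only be added at or above its minclass."""
    classes, words = enc or parse_encodings(ENCODINGS)
    sname, *wordnames = text.split()
    value, bits = classes[sname][0], set(classes[sname][1])
    for w in wordnames:
        minclass, wbits = words[w]
        if value < classes[minclass][0]:
            raise ValueError(f"word {w} requires classification {minclass} or higher")
        bits |= wbits
    return value, frozenset(bits)
def dominates(a, b):  # classification >= b's and every compartment of b present in a
    return a[0] >= b[0] and a[1] >= b[1]
def strictly_dominates(a, b):  # dominates and is not equal
    return dominates(a, b) and a != b
def disjoint(a, b):  # neither label dominates the other, e.g. REG HR vs REG Sales
    return not dominates(a, b) and not dominates(b, a)
```

Two equal labels dominate each other but neither strictly dominates the other, and a word below its minclass (for example HR on a PUBLIC label) is rejected.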
For information about label APIs, see Sensitivity Label APIs.