

Assign Security Labels to Objects
In an MLS environment, after defining and creating security levels, categories and security labels and activating them, an authorized security administrator can assign defined security labels to objects in the system, such as data sets, UNIX files, directories, symbolic links, IPC objects, and other kinds of resources.
In an MLS environment, security labels can be assigned to data in two ways, depending on whether write-down protection is enabled on the system and whether the data is newly created or already existed before write-down protection was enabled:
- If the MLWRITE(NO) control option is set and write-down is not allowed, when data is created, CA Top Secret assigns to it the session security label of the user who created the data. The assigned security label is stored in an MLS data record, which can never be modified, only viewed or deleted. Once data has been labeled in this way, to reclassify it by assigning a different security label, a security administrator must create an MLS record for the data set with the changed security label. A security administrator can issue REMOVE or LIST commands to delete or view the security label that CA Top Secret assigned to a new data set in the MLS record.
- If the MLWRITE(YES) control option is set and write-down is allowed, when data is created, CA Top Secret does NOT assign a security label to it. Instead, if the data should be classified, a security administrator must create an MLS data record for the data set.
Copyright © 2010 CA Technologies.
All rights reserved.
 