When MLS is active on an CA Top Secret system, the user security label is assigned by CA Top Secret to a UNIX file or directory at the time it is created/allocated.
However, if MLS is not active on the system at the time the UNIX files and directories are created, but is later turned on, these objects will not have security labels. As a result, the security administrator should provide security labels for any existing UNIX files and directories that do not have them by issuing the UNIX chlabel shell command; otherwise, if the MLS option to require security labels for UNIX files and directories is active (MLFSOBJ(YES)), all accesses to these files and directories by users will be denied by CA Top Secret.
Impotant! The UNIX chlabel command many only be issued in a zFS file system. It will not work in an HFS file system. Once a file or directory has been assigned a security label, it cannot be deleted or changed with the chlabel command.
The following table lists the security labels that are recommended for UNIX files, directories, and symbolic links that have not been assigned security labels by the system.
|
Directory/File |
Security Label |
|---|---|
|
/bin and contents |
SYSLOW |
|
/lib and contents |
SYSLOW |
|
root |
SYSMULTI |
|
root, symbolic links in: /tmp, /dev, /etc, /var |
SYSLOW |
|
/samples |
SYSLOW |
|
/SYSTEM |
SYSMULTI |
|
/SYSTEM/tmp mountpoint |
SYSMULTI |
|
/SYSTEM/dev mountpoint |
SYSMULTI |
|
/SYSTEM/etc mountpoint |
SYSMULTI |
|
/SYSTEM/var mountpoint |
SYSMULTI |
|
/SYSTEM, symbolic links in: /SYSYTEM /tmp, /SYSTEM /dev, /SYSTEM /etc, /SYSTEM /var |
SYSLOW |
|
/u |
SYSMULTI |
|
/u, symbolic link for security label substitution |
SYSLOW |
|
/u/seclabel mountpoint directories |
Seclabel |
|
/usr and contents |
SYSLOW |
|
/usr/lpp and contents |
SYSLOW |
|
/usr/man and contents |
SYSLOW |
|
Copyright © 2010 CA Technologies.
All rights reserved.
|
|