Using Security Labels

In an MLS system, most users use a security label only when they log on to the system or submit a job. The rest of the time, security labels are read, decoded, and applied by CA Top Secret and the system. Security administrators can create and assign security labels based on their organization's security policy. In addition, depending on what MLS system options have been set, CA Top Secret will assign a security label to data when it is created.
When MLS is active in CA Top Secret, MAC security label checking is performed before DAC access rule checking, except in the case of system entry where a user must be identified to the system before label validation can be performed.
  • If MAC allows an access, a request must still pass through DAC validations to ultimately allow or deny access.
  • If MAC denies access, the request is denied and does not go through DAC validations.
CA Top Secret determines MAC access based on the dominance relationship between the label of the object and the label of the subject that is trying to access the object. The factors that CA Top Secret uses to determine the dominance relationship are:
  • Simple security property
  • Confinement property (*-Property)
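
The decision order and dominance check described above can be sketched as follows. This is an added example, not CA Top Secret code: it assumes the textbook Bell-LaPadula reading of the two properties (no read up, no write down) and a label made of a numeric level plus a category set, and every user, resource, and label name is hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    level: int                              # hierarchical level; higher is more sensitive
    categories: frozenset = frozenset()     # non-hierarchical compartments

    def dominates(self, other):
        # Dominance: level at least as high AND every category of `other` held.
        return self.level >= other.level and self.categories >= other.categories

def mac_allows(subject, obj, access):
    if access == "read":    # simple security property: no read up
        return subject.dominates(obj)
    if access == "write":   # confinement (*-) property: no write down
        return obj.dominates(subject)
    raise ValueError("unsupported access type: " + access)

def authorize(user, subject, resource, obj, access, dac_rules):
    # MAC is evaluated first; a MAC denial is final and DAC is never consulted.
    if not mac_allows(subject, obj, access):
        return "DENY-MAC"
    # MAC only permits the request to proceed; DAC makes the final decision.
    if access in dac_rules.get((user, resource), set()):
        return "ALLOW"
    return "DENY-DAC"

# Constructed sample labels and rules (hypothetical names).
SECRET_PAY = Label(2, frozenset({"PAYROLL"}))
CONF_PAY = Label(1, frozenset({"PAYROLL"}))
SECRET_ENG = Label(2, frozenset({"ENG"}))
DAC_RULES = {("USER01", "PAY.DATA"): {"read", "write"}}

def demo():
    return [
        authorize("USER01", SECRET_PAY, "PAY.DATA", CONF_PAY, "read", DAC_RULES),
        authorize("USER01", SECRET_PAY, "PAY.DATA", CONF_PAY, "write", DAC_RULES),
        authorize("USER02", SECRET_PAY, "PAY.DATA", CONF_PAY, "read", DAC_RULES),
        authorize("USER01", SECRET_ENG, "PAY.DATA", CONF_PAY, "read", DAC_RULES),
    ]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The fourth case shows that a subject at a higher level can still fail the dominance test when its categories do not cover the object's.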