Importing and exporting information is one of the main functions of a computer system. Whenever data enters the computer, it is considered to have been imported from somewhere, whether from the keyboard, the tape drive, or other input device. Anytime the system produces information, such as via a printer or a write action to a tape or floppy disk, an export is considered to have occurred. This chapter describes the restrictions associated with using printers and removable media under Trusted IRIX/CMW.
Sections in this chapter include:
Printing under Trusted IRIX/CMW requires no special resources. Except where noted in this chapter, printing operates exactly as described in your standard IRIX documentation. The lp command behaves differently from its IRIX counterpart. You are encouraged to read the lp(1) reference page before using this command.
Trusted IRIX/CMW meets the requirement for B1-level systems for labeled printing. Each page of printed output carries the label of the printing process at the top and bottom of the page. The system intercepts the output of a print request before it is sent to the printer and ensures that appropriate banner pages and individual page labels are produced. Your system administrator will tell you which commands to use to print your files.
Under Trusted IRIX/CMW, access to the tape device is administratively controlled. The system administrator must take specific steps to ensure that the tape device is properly configured for your use before you insert the tape in the drive. The procedures required of the administrator are described in the Trusted IRIX/CMW Security Administration Guide.
Notify your system administrator that you need to use the tape device and provide the security label of the information you wish to archive and the label your process will have while you use the tape device. The administrator will then have to change the security label of the tape device for you before you can begin. When you are done, the administrator will change the label of the tape drive back to its default. The default label for the tape device is dbadmin, which is accessible only by the administrative accounts.
Your site may have specific policies regarding the secure handling of tapes, particularly in the area of human-readable “sticky” labels. Your site may require that tapes be handled only by the operator, or you may be allowed to do so yourself.
Once you have made your tape, you must write the security classification and categories, as well as any MINT grades and divisions on it, and handle and store the tape according to your site's security policies.
Check the local policy with your system administrator before attempting to physically mount a tape.
The basic rules most sites follow for tape handling include:
Storing the tapes in a locked room, sorted according to security label.
Limiting access to the tape storage area to people with the highest security clearances.
Disposing of used tapes in a secure manner, after they have been erased and verified that no information remains readable on the tape. Sometimes tapes are destroyed by burning.
B1 systems are required to provide for labeled magnetic tape archives. Trusted IRIX/CMW meets this requirement by providing the new M keyword to the tar command. This keyword directs tar to maintain the security labels, access control lists, and capability requirements on all files placed on the tape. To recover files from the tape, use tar with the M keyword. Restoring tapes with files of differing labels requires special capabilities.
Always remember that it is still possible to make unlabeled tapes using tar without the M keyword. Also, using tar to extract labeled files without the M keyword will result in the loss of label and other security data.
CD-ROM devices may be mounted on a Trusted IRIX/CMW system. The mount point /CDROM is installed with the wildcard MAC label, so that all files on the CD-ROM are visible to all users. (CD-ROMs are usually built with EFS or ISO9660 filesystems, which do not support labels by default.)
If CD-ROMs with xfs filesystems and MAC labels are used on a Trusted IRIX/CMW system, the /CDROM directory should be labeled the same as the tape devices.