Trusted Solaris Installation and Configuration

Glossary

access control list

One type of discretionary access control based on a list of entries that the owner can specify for a file or directory. An access control list (ACL) can restrict or permit access to any number of individuals and groups, allowing finer-grained control than provided by the standard UNIX permission bits.

accreditation range

A set of sensitivity labels that are approved for a class of users or resources. See also workstation accreditation range and user accreditation range.

ACL

See access control list.

accreditation range

A set of valid labels. See accreditation range and user accreditation range for more about the two types of accreditation ranges in the Trusted Solaris environment.

administrative role

A role that in the Trusted Solaris environment gives required authorizations, privileged commands, and the Trusted Path security attribute to allow the role to perform part of Solaris superuser's capabilities, such as backup or auditing.

advisory label

See information label.

allocation

A device to which access is controlled in the Trusted Solaris environment by making the device allocatable to a single user at a time. Allocatable devices include tape drives, floppy drives, audio devices, and CDROM devices. See device allocation.

allowed privilege set

The allowed set of privileges limits which privileges a process can use. A process that runs a program that has a forced privilege set limits that program to the forced privileges that are also in the process' allowed privilege set.

authorization

A right granted to a user or role to perform an action that would otherwise not be allowed by the Trusted Solaris security policy. Authorizations are granted in execution profiles. Certain commands require the user to have certain authorizations to succeed. Similar to the use of privilege on programs.

application search path

In CDE the search path used by the system to find applications and certain configuration information. The application search path is controlled by a trusted role.

AutoClient system

A system type that caches all of its needed system software from an OS server. Because it contains no permanent data, an AutoClient is a field replaceable unit (FRU). It requires a small local disk for swapping and for caching its individual root (/) and /usr file systems from an OS server. Trusted Solaris does not support autoclients.

begin script

A user-defined Bourne shell script, specified within the rules file, that performs tasks before the Trusted Solaris software is installed on the system. Begin scripts can be used only with custom JumpStart installations.

bootparams file

A file that is consulted when a workstation boots. In Trusted Solaris, the bootparams file contains a keyword=value entry that points the boot server to the Trusted Solaris label configuration for the workstation. A workstation can have a local bootparams file (/etc/bootparams), or it can use the bootparams NIS+ table. See bootparams(4).

boot server

A server that provides boot services to workstations on the same subnet. A boot server is required if you plan to push Trusted Solaris information from a central location to every workstation in the system. If the install server is on a different subnet than the workstations that need to install the Trusted Solaris software, you must create a boot server for that subnet.

CDE

See Common Desktop Environment.

clearance

The upper bound of the set of labels at which a user may work, whose lower bound is the minimum label assigned by the security administrator. There are two types of clearance, the session clearance and the user clearance.

client

A workstation connected to a network.

closed network

A closed network is a network of Trusted Solaris workstations that is cut off from any non-Trusted Solaris workstation. The cutoff can be physical, where there is no wire that extends past the Trusted Solaris network. The cutoff can be in the software, where the Trusted Solaris workstations recognize only Trusted Solaris workstations. Data entry from outside the network is restricted to peripherals attached to Trusted Solaris workstations.

cluster

A logical grouping of software packages. The Trusted Solaris software is divided into four main software groups, which are each composed of clusters and packages.

CMW label

Consists of an ADMIN_LOW information label followed by a sensitivity label in brackets, in the form: ADMIN_LOW [SENSITIVITY LABEL].

Common Desktop Environment

The required windowing environment for administering the Trusted Solaris software.

.copy_files

An optional setup file in a multilabel environment. The file contains the names of startup files, such as .cshrc or .netscape, that the user environment or user applications require in order for the environment or application to behave well. The files referenced in .copy_files are then copied to the user's home directory at other labels, when those directories are created. See also .link_files.

core

A software group that contains the minimum software required to boot and run the Solaris operating environment on a system. It includes some networking software and the drivers required to run the OpenWindows environment; it does not include the windowing software. Trusted Solaris does not offer a core software group, since the Common Desktop Environment is the required administration environment.

core file

A file that contains a picture of the state of a system when it crashed. Also called a core dump.

custom JumpStart installation

A type of installation in which the Trusted Solaris software is automatically installed on a system based on a customized profile. You can customize profiles for different types of users.

DAC

See discretionary access control.

derived profile

A profile that is dynamically created by a begin script during a custom JumpStart installation.

device

Devices include printers, workstations, tape drives, floppy drives, audio devices, and internal pseudo terminal devices. Devices are subject to the read equal write equal MAC policy.

device allocation

A mechanism for protecting the information on an allocatable device from access by anybody except the user who allocates the device. Until a device is deallocated, no one but the user who allocated a device can access any information associated with the device. For a user to allocate a device, that user must have been granted the device allocation authorization by the security administrator.

developer system support

A software group that contains the End User System Support software group plus the libraries, include files, man pages, and programming tools for developing software.

discretionary access control

The type of access granted or denied by the owner of a file or directory at the discretion of the owner. The Trusted Solaris environment provides two kinds of discretionary access controls (DAC): permission bits and access control lists.

disk configuration file

A file that represents a structure of a disk (for example, bytes/sector, flags, slices). Disk configuration files enable you to use pfinstall from a single system to test profiles on different sized disks.

domain

A part of the Internet naming hierarchy. It represents a group of systems on a local network that share administrative files.

domain address

IP address whose last number is 0.

domain name

The identification of a group of systems on a local network. A domain name consists of a sequence of component names separated by periods (for example: tundra.mpk.ca.us). As you read a domain name from left to right, the component names identify more general (and usually remote) areas of administrative authority.

end user system support

A software group that contains the core software group plus the recommended software for an end user, including OpenWindows and DeskSet software.

entire distribution

A software group that contains the entire Trusted Solaris release.

entire distribution plus OEM support

A software group that contains the entire Trusted Solaris release, plus additional hardware support for OEMs. This software group is recommended when installing Trusted Solaris software on servers.

EISA

Extended Industry Standard Architecture. A type of bus on x86 systems. EISA bus standards are "smarter" than ISA bus systems, and attached devices can be automatically detected when they have been configured via the "EISA configurator" program supplied with the system. See ISA.

/etc

A directory that contains critical system configuration files and maintenance commands.

evaluated configuration

One or more Trusted Solaris workstations which are running in a configuration that has been certified as meeting specific criteria by a certification authority. In the United States, those criteria are the TCSEC and the evaluating and certifying body is the NSA. Trusted Solaris 8 will be certified to the Common Criteria v2.1 [August 1999], an ISO standard, to Evaluation Assurance Level (EAL) 4, and against a number of protection profiles which provide functionality similar to the TCSEC C2 and B1 levels, with some additional functionality.

One or more Trusted Solaris workstations which are running in a configuration that has been certified as meeting specific criteria by a certification authority. Trusted Solaris 8 will be certified to the Common Criteria v2.1 [published in August 1999], an ISO standard, to Evaluation Assurance Level (EAL) 4, and against a number of protection profiles. The Common Criteria v2 (CCv2) and protection profiles make the earlier TCSEC U.S. standard obsolete through level B1+. A mutual recognition agreement for CCv2 has been signed by the United States, the United Kingdom, Canada, the Netherlands, Germany, and France.

The Trusted Solaris 8 configuration target provides functionality similar to the TCSEC C2 and B1 levels, with some additional functionality.

execution profile

Renamed to rights profiles in the Solaris 8 release. A bundling mechanism for commands and CDE actions and for the security attributes assigned to the commands and CDE actions. Rights profiles allow Trusted Solaris administrators to control who can execute which commands and to control the attributes these commands have when they are executed. When a user logs in, all rights assigned to that user are in effect, and the user has access to all the commands, CDE actions, and authorizations assigned in all of that user's rights profiles.

/export

A file system on an OS server that is shared with other systems on a network. For example, the /export file system can contain the home directories for users on the network.

fdisk partition

A logical partition of a disk drive dedicated to a particular operating system on x86 systems. During the Solaris installation program, you must set up at least one Solaris fdisk partition on an x86 system. x86 systems are designed to support up to four different operating systems on each drive; each operating system must reside on a unique fdisk partition.

file server

A server that provides the software and file storage for systems on a network.

file privilege set

These sets are the allowed and forced privileges specified for use by executable files (programs). The allowed set limits which privileges a process can use, whether the privileges are forced on the executable file or inherited (see inheritable privileges). Any privileges in the forced privilege set are available to any process that invokes the program, as long as they are also in the allowed set.

file system

A collection of files and directories that, when set into a logical hierarchy, make up an organized, structured set of information. File systems can be mounted from your local system or a remote system.

finish script

A user-defined Bourne shell script, specified within the rules file, that performs tasks after the Trusted Solaris software is installed on the system, but before the system reboots. Finish scripts can be used only with JumpStart installations.

forced privilege set

The forced set of privileges are those placed on a file by the security administrator. Any privileges in the forced privilege set are available to any process that invokes the program, as long as they are also in the allowed privilege set.

GFI

Government Furnished Information. In this manual, it refers to a U.S. government-provided label_encodings file. In order to use a GFI with Trusted Solaris software, you must add the Sun-specific LOCAL DEFINITIONS section to the end of the GFI. Trusted Solaris Label Administration explains the procedure in detail.

host name

The name by which a system is known to other systems on a network. This name must be unique among all the systems within a given domain (usually, this means within any single organization). A host name can be any combination of letters, numbers, and minus sign (-), but it cannot begin or end with a minus sign.

IA

Intel Architecture.

information label

A label that signifies the actual security level of the information contained in a file or directory, and which may be used in deciding whether to downgrade the sensitivity label of the file or directory, how to physically label information stored on backup media, and how to handle printed output or mail. Also known as an advisory label. Trusted Solaris 7 and later releases no longer support information labels.

inheritable privilege

The privileges that a process can pass to a program across an execve() without their being affected by the new program's forced or allowed privilege sets. When a new program is executed by a process, the inheritable set of the process is set to be equal to the inheritable set of the old program. The inheritable set is not affected by the forced or allowed privileges on the currently executing program, which allows privileges to be passed from programs that cannot use them to programs that can.

initial label

The minimum label assigned to a user or role, and the label of the user's initial workspace. It is the lowest label at which the user or role can work.

initial installation option

An option presented during the Trusted Solaris installation program that overwrites the disk(s) with the new version of Trusted Solaris. The initial installation option is the only installation option supported in the Trusted Solaris release.

install server

A server that provides the Trusted Solaris installation image for other systems on a network to boot and install from (also known as a media server). The Trusted Solaris installation image can reside on the install server's CDROM drive or hard disk.

install team

A team of at least two people who together oversee the installation of a Trusted Solaris workstation. One team member is responsible for security decisions, and the other for system administration decisions.

interactive installation

A type of installation where you have full hands-on interaction with the Trusted Solaris installation program to install the Trusted Solaris software on a system.

IP address

Internet protocol address. A unique number that identifies a networked system so it can communicate via Internet protocols. It consists of four numbers separated by periods. Most often, each part of the IP address is a number between 0 and 225; however, the first number must be less than 224 and the last number cannot be 0.

IP addresses are logically divided into two parts: the network (similar to a telephone area code), and the system on the network (similar to a phone number).

ISA

Industry Standard Architecture. A type of bus found in x86 systems. ISA bus systems are "dumb" and provide no mechanism the system can use to detect and configure devices automatically. See EISA.

JumpStart directory

When using a diskette for custom JumpStart installations, the JumpStart directory is the root directory on the diskette that contains all the essential custom JumpStart files. When using a server for custom JumpStart installations, the JumpStart directory is a directory on the server that contains all the essential custom JumpStart files.

JumpStart installation

A type of installation in which the Solaris software is automatically installed on a system by using factory-installed JumpStart software. The Trusted Solaris release does not offer this option; all JumpStart installations in Trusted Solaris are custom JumpStart installations.

kernel architecture

See platform group.

label

A security identifier assigned to a file or directory based on the level at which the information being stored in that file or directory should be protected. Depending on how the security administrator has configured the user, a user may see the complete CMW label, only the sensitivity label portion, only the information label portion, or no labels at all. See label_encodings file.

label configuration

A Trusted Solaris installation choice of: single- or multilabel sensitivity labels; if multilabel, hide or show upgraded file names. Unless circumstances are unusual, label configuration should be identical on all workstations in the Trusted Solaris domain.

labeled workstation

A labeled workstation sends labeled network packets, such as RIPSO, CIPSO, TSIX(RE1.1), and MSIX packets. All Trusted Solaris workstations are labeled workstations.

label_encodings file

The file where the complete CMW label is defined, as are label view, admin_low and admin_high strings, default label visibility, and all other aspects of labels.

label range

A set of sensitivity labels assigned to commands, file systems, and allocatable devices, specified by designating a maximum label and a minimum label. For commands, the minimum and maximum labels limit the sensitivity labels at which the command may be executed. For file systems, the minimum and maximum labels limit the sensitivity labels at which information may be stored on each file system. Trusted Solaris environments have multilabel file systems configured with a label range from the lowest sensitivity label to the highest sensitivity label. Remote hosts that do not recognize labels are assigned a single sensitivity label, along with any other hosts that the security administrator wishes to restrict to a single label; labels limit the sensitivity labels at which devices may be allocated and restrict the sensitivity labels at which information can be stored or processed using the device.

label view flags

Label view flags control the translation and display of the internal ADMIN_LOW and ADMIN_HIGH labels. A value of External specifies that the actual label ADMIN_LOW displays as the lowest label name in the user accreditation range specified in the label_encodings file, and that the actual label ADMIN_HIGH displays as the highest label name in the user accreditation range. A value of Internal specifies that the ADMIN_LOW and ADMIN_HIGH labels are translated to the Admin Low Name and Admin High Name strings specified in the label_encodings file.

.link_files

An optional setup file in a multilabel environment. The file contains the names of startup files, such as .cshrc or .netscape, that the user environment or user applications require in order for the environment or application to behave well. The files referenced in .link_files are then linked to the user's home directory at other labels, when those directories are created. See also .copy_files.

locale

A specific language associated with a region or territory.

MAC

See mandatory access control.

mandatory access control

Access control based on comparing the sensitivity label of a file, directory, or device to the sensitivity label of the process that is trying to access it. The MAC rule -- write up, read down (WURD) -- applies when a process at one sensitivity label attempts to read or write to a file at another sensitivity label. The MAC rule -- write equal, read down -- applies when a process at one sensitivity label attempts to write to a directory at another sensitivity label. The MAC rule -- read equal, write equal -- applies when a process at one sensitivity label attempts to write to a device at another sensitivity label.

MCA

Micro Channel Architecture. A type of bus on IA systems. The MCA bus provides fast data transfer within the computer, and attached devices can be automatically detected when they have been configured using the reference disk provided by the manufacturer. The MCA bus is not compatible with devices for other buses.

media server

See install server.

minimum label

The lower bound of a user's sensitivity labels and the lower bound of all users' sensitivity labels. The minimum label set by the security administrator when specifying a user's security attributes is the sensitivity label of the first workspace that comes up after the user's first login. The sensitivity label specified in the minimum label field by the security administrator in the label_encodings file sets the lower bound for all users.

MLD

See multilevel directory.

mount

The process of making a remote or local file system accessible by executing the mount command. To mount a file system, you need a mount point on the local system and the name of the file system to be mounted (for example, /usr).

mount point

A directory on a system where you can mount a file system that exists on the local or a remote system.

multilevel directory

A directory in which information at differing sensitivity labels is maintained in separate subdirectories called single-level directories (SLDs), while appearing to most interfaces to be a single directory under a single name. In the Trusted Solaris environment, directories that are used by multiple standard applications to store files at varying labels, such as the /tmp directory, /var/spool/mail, and users' $HOME directories, are set up to be MLDs. A user working in an MLD sees only files at the sensitivity label of the user's process.

name server

A server that provides a name service to systems on a network.

name service

A distributed network database that contains key system information about all the systems on a network, so the systems can communicate with each other. With a name service, the system information can be maintained, managed, and accessed on a network-wide basis. Sun supports the following name services: NIS (formerly YP) and NIS+. Without a name service, each system has to maintain its own copy of the system information (in the local /etc files).

network installation

A way to install software over the network--from a system with a CDROM drive to a system without a CDROM drive. Network installations require a name server and an install server.

networked systems

A group of workstations (called hosts) connected through hardware and software, so they can communicate and share information; referred to as a local area network (LAN). One or more servers are usually needed when systems are networked.

NIS+

Network Information Service, Plus. The name service for a Trusted Solaris network. NIS+ provides automatic information updating and adds security features such as authorization and authentication.

NIS+ master

See NIS+ root master.

NIS+ root master

The workstation that contains the master tables for a NIS+ network. Also called a root master or a NIS+ master.

non-networked systems

Workstations that are not connected to a network or do not rely on other workstations.

open network

An open network is a network of Trusted Solaris workstations that is connected physically to other networks and that uses Trusted Solaris software to communicate with non-Trusted Solaris workstations. Contrast with closed network.

/opt

A file system that contains the mount points for third-party and unbundled software.

OS server

A system that provides services to systems on a network.

outside the evaluated configuration

When software that has been proved to be able to satisfy the criteria for an evaluated configuration is configured with settings that do not satisfy security criteria, it is described as being outside the evaluated configuration.

package

A functional grouping of files and directories that form a software application. The Trusted Solaris software is divided into four main software groups, which are each composed of clusters and packages.

partition

A disk partition is a slice of the disk.

permission bits

A type of discretionary access control in which the owner specifies a set of bits to signify who can read, write, or execute a file or directory. Three different sets of permissions are assigned to each file or directory: one set for the owner; one set for all members of the group specified for the file or directory; and one set for all others.

platform group

The output of the uname -m command. A vendor-defined grouping of hardware platforms for the purpose of distributing specific software. Examples of valid platform names are i86pc, sun4c. Often called kernel architecture.

platform name

The output of the uname -i command. For example, the platform name for the SPARCstation IPX is SUNW,Sun_4_50.

primary administrator

The person entrusted to create new rights profiles for the organization, and to fix machine difficulties that are beyond the power of the security administrator and system administrator combined. This role should be assumed rarely. After initial security configuration, more secure sites can choose not to create this role, and not to assign any role the Primary Administrator profile.

privilege

A right granted to a process executing a command that allows the command or one or more of its options to bypass some aspect of security policy. A privilege is only granted by a site's security administrator after the command itself or the person using it has been judged to be able to use that privilege in a trustworthy manner.

process

An action that executes a command on behalf of the user who invokes the command. A process receives a number of security attributes from the user, including the user ID (UID), the group ID (GID), the supplementary group list, and the user's audit ID (AUID). Security attributes received by a process include any privileges available to the command being executed, the process clearance (which is set to be the same as the session clearance), the sensitivity label of the current workspace, and an information label. If the label configuration option RESET IL ON EXEC is selected, the information label is set to be the lowest viewable label in the system when a new process is started. The information label floats if any information at a higher information label is accessed by the process.

profile

A text file used as a template by the custom JumpStart installation software. It defines how to install the Trusted Solaris software on a system (for example, initial installation option, system type, disk partitioning, software group), and it is named in the rules file.

profile shell

A special shell that recognizes privileges. A profile shell typically limits users to fewer commands, but can allow these commands to run with privilege. The profile shell is the default shell of a trusted role.

remote host

A workstation that is not part of the Trusted Solaris NIS+ domain. A remote host can be an unlabeled workstation or a labeled workstation.

rights profile

Renamed from execution profiles in the Solaris 8 release.

role

A role is like a user, except that a role cannot log in. Roles are limited to a particular set of commands and CDE actions. See administrative role.

/ (root)

The file system at the top of the hierarchical file tree on a system. The root directory contains the directories and files critical for system operation, such as the kernel, device drivers, and the programs used to start (boot) a system.

root master

See NIS+ root master.

rule

A series of values that assigns one or more system attributes to a profile.

rules file

A text file used to create the rules.ok file. The rules file is a look-up table consisting of one or more rules that define matches between system attributes and profiles.

rules.ok file

A generated version of the rules file. It is required by the custom JumpStart installation software to match a system to a profile. You use the check script to create the rules.ok file.

security administrator

In an organization where sensitive information must be protected, the person or persons who define and enforce the site's security policy and who are cleared to access all information being processed at the site. In the Trusted Solaris software environment, an administrative role that is assigned to one or more individuals who have the proper clearance and whose task is to configure the security attributes of all users and workstations so that the software enforces the site's security policy. In contrast, see system administrator.

security attribute

An attribute used in enforcing the Trusted Solaris security policy. Various sets of security attributes, both in the base Solaris and the Trusted Solaris environments, are assigned to processes, users, files, directories, hosts on the trusted network, allocatable devices, and other entities.

security policy

In the Trusted Solaris environment, the set of DAC, MAC, and information labeling rules that define how information may be accessed. At a customer site, the set of rules that define the sensitivity of the information being processed at that site and the measures that are used to protect the information from unauthorized access.

sensitivity label

A security label assigned to a file or directory or process, which is used to limit access based on the security level of the data contained.

single-level directory

A directory within an MLD containing files at only a single sensitivity label. When a user working at a particular sensitivity label changes into an MLD, the user's working directory actually changes to a single-label directory within the MLD, whose sensitivity label is the same as the sensitivity label at which the user is working.

SLD

See single-level directory.

slice

An area on a disk composed of a single range of contiguous blocks. A slice is a physical subset of a disk (except for slice 2, which by convention represents the entire disk). A disk can be divided into eight slices. Before you can create a file system on a disk, you must format it into slices.

software group

A logical grouping of the Solaris software (clusters and packages). During a Solaris installation, you can install one of the following software groups: core, end user system software, developer system support, or entire distribution. In the Trusted Solaris environment, core and end user software are identical.

Solaris Management Console

A Java-based administrative action for Solaris and Trusted Solaris systems. Located in the Application Manager, it contains toolboxes of administrative programs. Most system, network, and user administration is done using the Console toolboxes.

standalone system

A system that has its own / (root) file system, swap space, and /usr file system, which reside on its local disk(s); it does not require boot or software services from an OS server. A standalone system can be connected to a network, but it does not have to be.

subnet

A working scheme that divides a single logical network into smaller physical networks to simplify routing.

subnet mask

A bit mask, which is 32 bits long, used to determine important network or system information from an IP address.

swap space

Disk space used for virtual memory storage when the system does not have enough system memory to handle current processes. Also known as the /swap or swap file system.

system

Generic name for a workstation. After installation, a system is often called a host.

system accreditation range

The set of all valid (well-formed) labels created according to the rules defined by each site's security administrator in the label_encodings file, plus the two administrative labels that are used in every Trusted Solaris environment, ADMIN_LOW and ADMIN_HIGH.

system administrator

In the Trusted Solaris environment, the trusted role assigned to the user or users responsible for performing standard system management tasks such as setting up the non-security-relevant portions of user accounts. In contrast, see security administrator.

system type

One of several different ways a workstation can be set up to run the Trusted Solaris software. Valid system types are: standalone system and OS server.

time zone

Any of the 24 longitudinal divisions of the earth's surface for which a standard time is kept.

tnrhdb database

The Trusted Network Remote Host DataBase, accessible either as a file in /etc/security/tsol/tnrhdb or as a NIS+ table.

tnrhtp database

The Trusted Network Remote Host TemPlate, accessible either as a file in /etc/security/tsol/tnrhtp or as a NIS+ table.

toolbox

A collection of programs in the Solaris Management Console. In the Trusted Solaris environment, administrators are presented with a selection of toolboxes, one for every name service (Files, NIS+, and NIS). Each toolbox has programs usable in the scope of the toolbox. For example, the Interface Manager, which handles the machine's tnidb database, exists only in the Files toolbox, since its scope is always local. The User Accounts program exists in all toolboxes, since an administrator can choose to create a local user (Files), as well as one that can log in to any machine in the name service (NIS+ or NIS toolboxes).

Trusted Network databases

tnrhtp, the Trusted Network Remote Host TemPlate, and tnrhdb, the Trusted Network Remote Host DataBase, together define the remote hosts that a Trusted Solaris domain can communicate with.

trusted role

See administrative role.

Trusted Solaris installation program

(1) A menu-driven, interactive program that enables you to set up a system and install the Trusted Solaris software on it. (2) Any part of the software that is used to install the Trusted Solaris software on a system.

trusted stripe

A region along the bottom of the screen that cannot be spoofed. By default, it provides the following as visual feedback about the state of the window system: a trusted path indicator and the window sensitivity label. When sensitivity labels are configured to not be viewable for a user, the trusted stripe is reduced to an icon that displays only the trusted path indicator.

prof_attr and exec_attr databases

The profile attributes databases, accessible either as the files /etc/security/prof_attr and /etc/security/exec_attr or as NIS+ tables. After configuration, they contain execution profiles provided by the Trusted Solaris software.

user_attr database

The User Attributes database, accessible either as a file in /etc/security/user_attr or as a NIS+ table. After configuration, it contains roles provided by the Trusted Solaris software.

upgrade option

An option presented during the Solaris installation program. The upgrade procedure merges the new version of Solaris with existing files on your disk(s), and it saves as many local modifications as possible since the last time Solaris was installed. The upgrade option is not available with the Trusted Solaris 7 release.

unlabeled workstation

A workstation that sends unlabeled network packets, such as one running the Solaris 8 operating environment.

user accreditation range

The set of all possible labels at which any normal user may work on the system, as defined by each site's security administrator. The rules for well-formed labels that define the system accreditation range are additionally restricted by the values specified in the ACCREDITATION RANGE section of the site's label_encodings(4) file: the upper bound, the lower bound, the combination constraints and other restrictions.

user clearance

The clearance assigned by the security administrator that sets the upper bound of the set of labels at which one particular user may work at any time. The user may decide to accept or further restrict that clearance during any particular login session, when setting the session clearance after login.

/usr

A file system on a standalone system or server that contains many of the standard UNIX programs. Sharing a large file system with a server rather than maintaining a local copy minimizes the overall disk space required to install and run the Trusted Solaris software on a system.

/var

A file system or directory (on standalone systems) containing system files that are likely to change or grow over the life of the system. These include system logs, vi files, mail files, and uucp files.

Volume Management

A program that provides a mechanism to administer and obtain access to the data on CDROMs and diskettes.

workstation accreditation range

The set of all valid (well-formed) labels created according to the rules defined by each site's security administrator in the label_encodings file, plus the two administrative labels that are used in every Trusted Solaris environment, ADMIN_LOW and ADMIN_HIGH. Also called the system accreditation range.