Trusted Solaris User's Guide

How the Trusted Solaris environment Keeps Labeled Information Separate

The Trusted Solaris environment helps keep information at different labels separate by:

Letting Users Select Single- or Multilevel Sessions

When you first log into a Trusted Solaris session, you specify whether you will be operating at a single label or at multiple labels (if you are permitted to). You then set your session clearance or session label, that is, the security level at which you intend to operate.

In a single-level session, you can access only those objects at or dominated by your session label.

In a multilevel session, you can access information at different sensitivity levels, as long as each object's label is at or dominated by your session clearance. In the Trusted Solaris environment, you can specify different labels for different workspaces.

Providing Labeled Workspaces

The workspaces in the Trusted Solaris environment are accessed through buttons in the front panel, just as in the standard Solaris operating environment. However, in the Trusted Solaris environment, you can devote a workspace entirely to a single label. This is very convenient when you are in a multilevel session and do not wish to move information between files at different labels.

Storing Files in Separate Directories by Labels

The Trusted Solaris environment provides two special types of directories for storing files and subdirectories with different labels and keeping them separate:

When you attempt to view or access files in a multilevel directory (either through an application such as the File Manager or through a shell using standard commands), only those files that are at your current label are visible and accessible. If you keep files at different labels in your home directory, for example, you cannot normally view files at labels other than your current label.

The following figure illustrates the concept of hidden single-level directories within a multilevel directory. The top part of the figure shows the contents of a multilevel home directory called /myHomeDir from the user's view while working at Confidential A B; the lower part of the figure shows the user at Secret A B. Hidden directories and files are indicated with dashed lines and unbolded text; the solid lines and bolded text indicate visible ones. (Note that the labels associated with the single-level directories are shown in their short form inside parentheses; the labels do not actually appear in the directory names.)

Figure 1-4 SLD Subdirectories


While working at Confidential A B, the user has the following results when trying to list the contents of the /myHomeDir directory:

% pwd
/myhomedir
% ls
file1

At Secret A B, the user sees these results:

% pwd
/myhomedir
% ls
file2    file3

Enforcing MAC for Email Transactions

The Trusted Solaris environment enforces mandatory access control whenever you use email. When you send email, the Trusted Solaris environment prevents users with insufficiently high clearance from receiving it. On the receiving end, email is sorted by the labels within your account range. Your current label must be at the same level as the email message you intend to read; otherwise you must change your current label.
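The three rules above (single- and multilevel session access, per-label visibility inside a multilevel directory, and MAC on email delivery and reading) all reduce to comparing labels. The following Python model is an added illustration written for this page, not code from Sun or the Trusted Solaris product; the classification order, the compartment names A and B, the label parsing, and the sample home directory contents are constructed to match the figure and listings in this section.

```python
"""Toy model of the label checks described in this section (added illustration).

A label is a classification plus a set of compartments, written as in the
page, e.g. "Confidential A B" or "Secret A B".  L1 dominates L2 when L1's
classification is at least L2's and L1's compartment set contains L2's.
The classification ranking below is an assumption made for this example.
"""
from dataclasses import dataclass

CLASSIFICATIONS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    classification: str
    compartments: frozenset

    @classmethod
    def parse(cls, text):
        # Longest classification name first so "Top Secret" wins over "Secret".
        for name in sorted(CLASSIFICATIONS, key=len, reverse=True):
            if text == name or text.startswith(name + " "):
                return cls(name, frozenset(text[len(name):].split()))
        raise ValueError(f"unknown classification in label {text!r}")

    def dominates(self, other):
        return (CLASSIFICATIONS[self.classification] >= CLASSIFICATIONS[other.classification]
                and self.compartments >= other.compartments)


def session_permits(session_limit, obj_label):
    """Session rule: in a single-level session `session_limit` is the session
    label; in a multilevel session it is the session clearance.  Either way an
    object is reachable only if it is at or dominated by that limit."""
    return session_limit.dominates(obj_label)


def list_mld(mld_contents, current_label):
    """Multilevel directory rule: only the files in the hidden single-level
    directory matching the *current* label are visible (exact match, not
    dominance), mirroring the two `ls` listings on the page."""
    return sorted(name for name, lbl in mld_contents.items() if lbl == current_label)


def email_deliverable(message_label, recipient_clearance):
    """Email delivery: a recipient whose clearance does not dominate the
    message label never receives the message."""
    return recipient_clearance.dominates(message_label)


def email_readable(message_label, current_label):
    """Email reading: the reader's current label must equal the message label;
    otherwise the user has to change current label first."""
    return current_label == message_label


# Constructed sample home directory: file1 at Confidential A B,
# file2 and file3 at Secret A B, as in the figure's two views of /myHomeDir.
MYHOMEDIR = {
    "file1": Label.parse("Confidential A B"),
    "file2": Label.parse("Secret A B"),
    "file3": Label.parse("Secret A B"),
}

if __name__ == "__main__":
    for view in ("Confidential A B", "Secret A B"):
        print(f"ls /myHomeDir at {view}: {list_mld(MYHOMEDIR, Label.parse(view))}")
    clearance = Label.parse("Confidential A B")
    print("Secret A B mail delivered to Confidential A B user:",
          email_deliverable(Label.parse("Secret A B"), clearance))
```

The `list_mld` check is deliberately an equality test rather than a dominance test: the page's point is that at Secret A B the user does not see file1, even though Secret A B dominates Confidential A B. The session and email checks, by contrast, use dominance, which is why a compartment missing from the clearance (Secret A versus Confidential A B) is enough to block access.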

Clearing Objects Prior to Reuse

The Trusted Solaris environment prevents inadvertent exposure of sensitive information by automatically clearing (erasing) user-accessible objects, such as memory and disk space, prior to reuse. Processes on the system continuously allocate, deallocate, and reuse such objects. Failure to erase sensitive data prior to reuse of the object risks exposing the data to inappropriate users. Through device deallocation, Trusted Solaris 8 clears all user-accessible objects prior to allocating them to processes. Note, however, that you must clear any removable storage medium (floppy disk, magnetic tape, etc.) yourself before another user can have access to it.