Solaris Trusted Extensions Transition Guide

Transition to the Solaris Trusted Extensions Release

This book covers the following topics:

The Solaris Trusted Extensions Release

Solaris Trusted Extensions software is a specific configuration of the Solaris Operating System (Solaris OS). Solaris Trusted Extensions (Trusted Extensions) provides labels for local objects and processes, for the desktop and windowing system, for zones and file systems, and for network communications. Trusted Extensions software is delivered in packages that are added to a version of the Solaris OS.

Trusted Extensions depends on features in the Solaris release to which the Trusted Extensions packages are added. Trusted Extensions software does not replace any Solaris components, but the software does modify certain policy settings.

Overview of Changes From Trusted Solaris Software

Trusted Extensions administrators assign labels to hosts, zones, devices, and users. Trusted Extensions applies these labels to resources such as files, processes, network packets, and windows. The basis for applying these labels is the host or zone with which the resources are associated.

As in previous Trusted Solaris releases, the Solaris OS provides support for privileges, authorizations, and auditing. Trusted Extensions adds to the privileges, authorizations, rights profiles, audit classes, and audit events that the Solaris OS defines. As in previous releases, Trusted Extensions adds CDE actions to rights profiles.

As in previous releases, the software provides a trusted windowing system, desktop, and administration tools that extend Solaris functionality. Printing is modified to handle labeled print jobs. Also, Trusted Extensions provides a trusted version of the Sun Java Desktop System. This trusted version is called Solaris Trusted Extensions (JDS).

Unlike Trusted Solaris software, Trusted Extensions is a configuration of the underlying Solaris OS. Trusted Extensions does not support the NIS+ naming service. LDAP is the recommended naming service for this release. Also, the root user in Trusted Extensions is identical to the root user in the Solaris OS. You can modify the root user as you can in the Solaris OS, that is, by turning the root user into a role.

Summary of Removed Trusted Solaris Features

Because of changes to the architecture, the following Trusted Solaris 8 features do not exist in Trusted Extensions. For a list of interface changes, see Appendix A, Interface Changes in the Solaris Trusted Extensions Release.

Because of changes to the architecture, the following Trusted Solaris 8 features are visibly different in Trusted Extensions.

Differences Between Trusted Solaris 8 Software and Solaris Trusted Extensions

The following sections summarize the components that remain, the components that have changed, and the components that have been removed in the change from Trusted Solaris to Solaris Trusted Extensions software.

Audit Events and Classes in Trusted Extensions

In Trusted Extensions, the audit classes for X events have been collapsed from six classes to four classes. The xa class and the xl class are removed. Events that were assigned to the xa class are in the ot class. Events that were assigned to the xl class are in the lo class. The bit masks of the remaining X audit classes have been changed from their Trusted Solaris 8 masks.


0x00800000:xc:X - object create/destroy
0x00400000:xp:X - privileged/administrative operations
0x01000000:xs:X - operations that always silently fail, if bad
0x01c00000:xx:X - all X events (meta-class)
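The class masks above are in the `mask:name:description` form of the audit_class(4) file. The following C program is an added example, not code from the guide: it parses lines in that format (the four sample lines are the X classes listed above), confirms that the xx meta-class is exactly the union of xc, xp and xs, and works out whether an event of a given class would be recorded under an audit flags string such as "xc,xp". The class table and the flags strings are constructed for the example; the lo and ot classes the text mentions are not in the sample because the guide gives no masks for them.

```c
/* Added example, not from the guide: parse audit_class(4)-style
 * "mask:name:description" lines and check which X events an audit
 * preselection flags string such as "xc,xp" would record. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in audit_class(4) format (values from the guide). */
static const char *sample_classes[] = {
    "0x00800000:xc:X - object create/destroy",
    "0x00400000:xp:X - privileged/administrative operations",
    "0x01000000:xs:X - operations that always silently fail, if bad",
    "0x01c00000:xx:X - all X events (meta-class)",
};
#define NSAMPLE (sizeof sample_classes / sizeof sample_classes[0])

struct audit_class {
    unsigned long mask;   /* class bit mask */
    char name[16];        /* short class name, e.g. "xc" */
};

/* Parse one "mask:name:description" line; 0 on success, -1 for a
 * comment, an empty line or a malformed entry. */
int parse_class(const char *line, struct audit_class *out)
{
    char *end;
    if (*line == '#' || *line == '\0')
        return -1;
    out->mask = strtoul(line, &end, 0);
    if (end == line || *end != ':')
        return -1;
    const char *name = end + 1;
    const char *colon = strchr(name, ':');
    if (colon == NULL)
        return -1;
    size_t n = (size_t)(colon - name);
    if (n == 0 || n >= sizeof out->name)
        return -1;
    memcpy(out->name, name, n);
    out->name[n] = '\0';
    return 0;
}

/* Parse the sample table into cls (at most max entries); returns count. */
size_t load_sample(struct audit_class *cls, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < NSAMPLE && n < max; i++)
        if (parse_class(sample_classes[i], &cls[n]) == 0)
            n++;
    return n;
}

/* Mask of the class called name, or 0 if it is not defined. */
unsigned long class_mask(const struct audit_class *cls, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(cls[i].name, name) == 0)
            return cls[i].mask;
    return 0;
}

/* Table sanity check: xx must be exactly the OR of the other X classes,
 * otherwise some X event would not be reachable by selecting "xx". */
int meta_class_is_union(const struct audit_class *cls, size_t n)
{
    unsigned long xx = 0, others = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(cls[i].name, "xx") == 0)
            xx = cls[i].mask;
        else
            others |= cls[i].mask;
    }
    return xx != 0 && xx == others;
}

/* Would an event whose class mask is event_mask be recorded under the
 * comma-separated flags string? Preselection ORs the named class masks
 * and records every event whose mask intersects the result. */
int event_selected(const struct audit_class *cls, size_t n,
                   unsigned long event_mask, const char *flags)
{
    char buf[64];
    unsigned long selected = 0;
    strncpy(buf, flags, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ","))
        selected |= class_mask(cls, n, tok);
    return (selected & event_mask) != 0;
}

int main(void)
{
    struct audit_class cls[8];
    size_t n = load_sample(cls, 8);
    printf("loaded %zu classes; xx is the union of the rest: %s\n", n,
           meta_class_is_union(cls, n) ? "yes" : "no");
    printf("xs event recorded with flags \"xc,xp\": %d\n",
           event_selected(cls, n, class_mask(cls, n, "xs"), "xc,xp"));
    return 0;
}
```

Because the masks changed from their Trusted Solaris 8 values, an audit_control file or per-user flags copied from an older system may silently select the wrong events; running the table through a check like `meta_class_is_union` after editing audit_class is a cheap way to catch a typo in a mask.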

Device Management in Trusted Extensions

In Trusted Extensions, the allocate and deallocate commands are only available to TCB (Trusted Computing Base) processes that run in the global zone. Ordinary users must use the Device Manager GUI to allocate and deallocate devices.

Trusted Extensions device policy uses the Solaris getdevpolicy and update_drv interfaces. The Trusted Solaris 8 device policies data_mac_policy, attr_mac_policy, open_priv, and str_type have been removed.

Files and File System Mounting in Trusted Extensions

Trusted Extensions provides no explicit mount attributes for specifying labels. The label of a mounted file system is the same as the label that is associated with the owning host or owning zone. Writing up is not permitted: mounts of higher-labeled or disjointly labeled file systems are disallowed. Reading down is permitted: mounts of lower-labeled file systems are restricted to read-only.

The Trusted Extensions implementation for specifying security attributes on file systems follows the Solaris implementation. Therefore, files do not have forced privileges or allowed privileges. This implementation enables Trusted Extensions to support any file system that is supported by Solaris zones.

File relabeling is implemented by moving a file from one mounted file system to another file system.

Labels in Trusted Extensions

As in the Trusted Solaris releases, Trusted Extensions provides a label_encodings file. Labels, label ranges, clearances, and defaults are defined in the label_encodings file.

In Trusted Extensions, the label_encodings file that is installed by default defines commercial labels, such as RESTRICTED and PUBLIC. In Trusted Solaris releases, the default label encodings file, label_encodings.multi, was a version of a U.S. Government encodings file.

In the Label Builder, labels are shown in long form instead of in short form. When choosing a session clearance or workspace label, Trusted Path is used instead of Admin Low or Admin High.

Label APIs in Trusted Extensions

In Solaris Trusted Extensions, the label APIs that showed the internals of a label's structure are now obsolete. These label APIs have been replaced by the label_to_str() and str_to_label() functions. For the interfaces that are obsolete, and their replacement functions, see Table 7.

Also, CMW labels have been replaced by sensitivity labels. All CMW and IL (information label) interfaces have been removed.

Mail in Trusted Extensions

In the Solaris Trusted Extensions release, each zone has an independent instance of sendmail. Therefore, mail cannot be upgraded. Users can send mail and can receive mail only at the label of the user's workspace.

LDAP Naming Service in Trusted Extensions

Solaris Trusted Extensions uses LDAP as a naming service. In Trusted Extensions, NIS and NIS+ do not support the tnrhdb and tnrhtp databases. These naming services do not have a proxy server that can bind to a multilevel port (MLP). Therefore, the trusted networking databases cannot be reached from multiple zones concurrently.

Except for user passwords, LDAP data is considered public information. Therefore, any information in LDAP is not protected by a MAC policy. Instead, as in the Solaris OS, data is protected by an administrative policy. LDAP administrative policy is based on LDAP identities and passwords. When sensitivity labels are assigned as attributes of users and network endpoints, the labels are stored in an internal format. This format does not disclose classified information.

When an LDAP server is deployed as the naming service within a Trusted Extensions environment, the server must be configured to bind to a multilevel port (MLP) in the global zone.

Trusted Extensions can also be configured to rely on an existing LDAP infrastructure. In this case, an LDAP proxy server must be installed. This proxy server must be configured to bind to an MLP in the global zone of a system that is configured with Trusted Extensions. This Trusted Extensions system can then proxy multilevel requests from other zones and other hosts to the existing unlabeled LDAP server. The unlabeled server must be assigned the admin_low template in the tnrhdb of the proxy server.

To migrate NIS+ tables to LDAP entries, see the following man pages:

Named Pipes in Trusted Extensions

In the Solaris OS, named pipes are used as one-way conduits. In Trusted Extensions, named pipes permit write-up operations: the writer runs at a label that is dominated by the reader's label. In Trusted Solaris 8, named pipes were configured by upgrading the label of the FIFO to the reader's label. In Trusted Extensions, named pipes are configured by using read-only lofs mounts of directories in lower-level zones into dominant higher-level zones. The FIFO is created at the label of the zone of the writer. For more information, see the mkfifo(1M) man page.

Networking in Trusted Extensions

Trusted Extensions does not support the TSIX or TSOL networking protocols. Trusted Extensions defines CIPSO-labeled templates and unlabeled templates in the tnrhtp database. The label ADMIN_HIGH is used as an upper bound, but is never transmitted as a CIPSO label. For more information, see Zones in Trusted Extensions.

The format of the tnrhtp database has been simplified because process attributes like privileges, user ids, and group ids are no longer supported. The format of the tnrhdb database is unchanged. The tnzonecfg database replaces the tnidb database, although the two databases are not equivalent.

The /etc/security/tsol/tnrhtp file that is installed with the Solaris Trusted Extensions release contains templates that can be used with any label_encodings file. The following table shows the correspondences between earlier versions of tnrhtp and the version that is shipped with the Solaris Trusted Extensions release.

Table 1 Template Names in the Trusted Solaris 8 and Solaris Trusted Extensions Releases

Trusted Solaris Template Name    Trusted Extensions Name   Note
-------------------------------  ------------------------  --------------------
cipso                            cipso                     For labeled hosts
unlab                            admin_low                 For unlabeled hosts
tsol, tsol_cipso, tsix           None                      Use cipso template
tsol_ripso, ripso_top_secret     None                      Removed

Network communication is restricted by label. By default, zones cannot communicate with each other because their labels are different.

Packets from unlabeled hosts that originate outside a Trusted Extensions domain can be labeled for trusted routing through the secure domain to another host outside the domain by using IP options. Incoming packets are labeled according to their originating host's entry in the tnrhdb. Incoming packets are routed through the Trusted Extensions domain according to their sensitivity level and the trusted routing information. The sensitivity label is still carried in the IP option. The label is stripped when the packet exits the trusted domain. IPv6 now supports trusted routing.

Dynamic routing is not supported. Static routing is supported.
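The lookup the text describes (an incoming packet is labeled according to its originating host's entry in the tnrhdb, and that entry names a template in the tnrhtp whose host type decides whether the label is taken from the packet's CIPSO option or assigned as the template's default) can be modeled in a few dozen lines. The C program below is an added example, not code from the guide or from Solaris: it also covers the LDAP proxy case from the earlier section, where an unlabeled LDAP server inside a labeled subnet is assigned the admin_low template. The entry formats it assumes are the tnrhdb(4) form `address[/prefix]:template` and the tnrhtp(4) form `template:key=value;...`; the two tables and the RFC 5737 addresses in them are constructed for the example.

```c
/* Added example, not from the guide: decide how a packet from a source
 * address would be labeled on arrival. The source host's tnrhdb entry
 * (longest prefix wins) names a template; that template's host_type and
 * def_label in the tnrhtp decide whether the label is read from the
 * packet's CIPSO option or assigned. Formats assumed: tnrhdb(4)
 * "address[/prefix]:template", tnrhtp(4) "template:key=value;...". */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed tnrhdb: a labeled /24 containing one unlabeled host (the
 * LDAP server behind the proxy, assigned admin_low), plus a wildcard. */
static const char *sample_tnrhdb[] = {
    "0.0.0.0/0:admin_low",
    "192.0.2.0/24:cipso",
    "192.0.2.10:admin_low",
    "198.51.100.7:cipso",
};
/* Constructed tnrhtp using the two shipped template names. */
static const char *sample_tnrhtp[] = {
    "cipso:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;",
    "admin_low:host_type=unlabeled;doi=1;def_label=ADMIN_LOW;"
    "min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;",
};
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* Longest-prefix match of addr in the tnrhdb. Copies the template name
 * into out and returns out, or returns NULL when no entry matches. */
const char *tnrhdb_lookup(const char *addr, char *out, size_t outlen)
{
    struct in_addr a, e;
    if (inet_pton(AF_INET, addr, &a) != 1)
        return NULL;
    uint32_t ip = ntohl(a.s_addr);
    int best = -1;
    for (size_t i = 0; i < COUNT(sample_tnrhdb); i++) {
        char ap[64], tn[64];
        int prefix = 32;                 /* a bare address is a /32 */
        if (sscanf(sample_tnrhdb[i], "%63[^:]:%63s", ap, tn) != 2)
            continue;
        char *slash = strchr(ap, '/');
        if (slash != NULL) {
            *slash = '\0';
            prefix = atoi(slash + 1);
        }
        if (prefix < 0 || prefix > 32 || inet_pton(AF_INET, ap, &e) != 1)
            continue;
        uint32_t mask = prefix == 0 ? 0 : 0xffffffffu << (32 - prefix);
        if ((ntohl(e.s_addr) & mask) == (ip & mask) && prefix > best) {
            best = prefix;
            snprintf(out, outlen, "%s", tn);
        }
    }
    return best < 0 ? NULL : out;
}

/* Copy the value of key from tmpl's tnrhtp entry into out.
 * Returns 0 on success, -1 if the template or the key is absent. */
int tnrhtp_get(const char *tmpl, const char *key, char *out, size_t outlen)
{
    size_t tl = strlen(tmpl), kl = strlen(key);
    for (size_t i = 0; i < COUNT(sample_tnrhtp); i++) {
        const char *e = sample_tnrhtp[i];
        if (strncmp(e, tmpl, tl) != 0 || e[tl] != ':')
            continue;
        for (const char *p = e + tl + 1; *p != '\0'; p++) {
            const char *semi = strchr(p, ';');
            size_t len = semi ? (size_t)(semi - p) : strlen(p);
            if (len > kl && strncmp(p, key, kl) == 0 && p[kl] == '=') {
                size_t vl = len - kl - 1;
                if (vl >= outlen) vl = outlen - 1;
                memcpy(out, p + kl + 1, vl);
                out[vl] = '\0';
                return 0;
            }
            if (semi == NULL)
                break;
            p = semi;                    /* the loop's p++ steps past ';' */
        }
        return -1;
    }
    return -1;
}

/* 1: labeled host, the label is carried in the CIPSO option; 0: unlabeled
 * host, the template's def_label is copied into label; -1: no entry. */
int classify_source(const char *src, char *label, size_t labellen)
{
    char tmpl[64], htype[32];
    if (tnrhdb_lookup(src, tmpl, sizeof tmpl) == NULL ||
        tnrhtp_get(tmpl, "host_type", htype, sizeof htype) != 0)
        return -1;
    if (strcmp(htype, "cipso") == 0)
        return 1;
    return tnrhtp_get(tmpl, "def_label", label, labellen) == 0 ? 0 : -1;
}

int main(void)
{
    char label[32];
    int r = classify_source("192.0.2.10", label, sizeof label);
    printf("192.0.2.10: %s\n", r == 1 ? "labeled (CIPSO)" : r == 0 ? label : "none");
    return 0;
}
```

The order of the tnrhdb entries does not matter; the most specific prefix wins, which is why the single /32 for the LDAP server overrides the labeled /24 around it. When reviewing a real tnrhdb, the wildcard entry deserves the most attention, because every host that is not listed explicitly gets whatever template it names.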

Packaging in Trusted Extensions

Trusted Extensions software does not require special packaging attributes. Therefore, the tsolinfo file is no longer used.

PAM in Trusted Extensions

The PAM module for Trusted Extensions, pam_tsol_account.so.1, has only one module type and one function. The module is of type account, and the function checks the label range. The module has no options. No other Trusted Extensions-specific functions of PAM from Trusted Solaris 8 software are included in this release.

Trusted Extensions adds the allow_unlabeled option to PAM services. Together with the allow_remote option, administrators can manage headless systems remotely. For details, see the pam_roles(5) and pam_tsol_account(5) man pages.

PAM stacks for other module types should be used in the same manner for Trusted Extensions as for the Solaris OS. For more information, see the pam(3PAM) and pam.conf(4) man pages.
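As an illustration of how the account stack looks once the two options above are in use, here is a constructed /etc/pam.conf excerpt. It is an added example, not the file shipped with the release: the module names pam_roles.so.1, pam_unix_account.so.1 and pam_tsol_account.so.1 and the two options are those the text and the cited man pages name, but the exact ordering and control flags of a site's stack are an assumption here.

```text
# Constructed /etc/pam.conf excerpt (account stack for all services)
# for a headless Trusted Extensions system; not the shipped file.
#
# pam_roles checks that the account is a role the user may assume;
# allow_remote permits that assumption from a remote system.
# pam_tsol_account checks that the login label is inside the user's
# label range; allow_unlabeled admits logins that arrive from
# unlabeled hosts. Neither option is set by default.
other   account requisite       pam_roles.so.1 allow_remote
other   account required        pam_unix_account.so.1
other   account required        pam_tsol_account.so.1 allow_unlabeled
```

Both options widen what the account stack accepts, so they belong only on systems that genuinely have no console: on a system with a local login, leaving them off keeps role assumption and labeled logins tied to a labeled, local trusted path.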

Policy in Trusted Extensions

In Trusted Extensions, a process' clearance is the same as its sensitivity label. Write up is not supported.

There is no administrative distinction between ADMIN_HIGH and ADMIN_LOW workspaces. Therefore, such workspaces are displayed as Trusted Path.

The tsol policy in the exec_attr file is removed. Use the solaris policy.

Printing in Trusted Extensions

Trusted Extensions supports both single-level and multilevel printing. Multilevel printing is implemented in the global zone only. The global zone must have its own IP address to be a multilevel print service. To use the global zone's print server, a labeled zone must have a separate IP address from the global zone.

Only multilevel printers have a label range. A printer's label range can be restricted with the Device Allocation Manager.

In Trusted Solaris releases, banner and trailer pages were enabled by default. In Trusted Extensions, administrators run a printer model script to add banner and trailer pages with security information to a printer.


lpadmin -p printer -m printer-model-script

Trusted Extensions adds four printer model scripts: tsol_standard, tsol_netstandard, tsol_standard_foomatic, and tsol_netstandard_foomatic.

Solaris Management Console in Trusted Extensions

The Solaris Management Console is no longer a multilevel service. The Solaris Management Console can only be contacted by clients that are running at the same label as the server. For most Trusted Extensions administration, access to the global zone is required. Because ordinary users are not permitted to log in to the global zone, only roles that are cleared for all labels can connect to the Solaris Management Console in the global zone.

Window System and CDE in Trusted Extensions

The login sequence is slightly different, and a new dialog box, Last Login, contains security information for the login user. The Shutdown menu item has been replaced with the Suspend System menu item, which checks for user authorization, then runs the sys-suspend command.

The System_Admin folder has been renamed to the Trusted_Extensions folder.

The CDE actions in the Trusted_Extensions folder have been updated. The NIS+ actions have been removed. Actions for administering LDAP and labeled zones have been added.

Zones in Trusted Extensions

Trusted Extensions uses zones for labeling. The global zone is an administrative zone, so is not available to users. The global zone is multilevel. The networking label of the global zone is ADMIN_LOW, but its process label is ADMIN_HIGH. Files that are private to the global zone are also labeled ADMIN_HIGH. Files that are shared with all zones are labeled ADMIN_LOW.

Each non-global zone has a unique label. Non-global zones are called labeled zones. Labeled zones are available to ordinary users. The global zone is available to roles only.

The Trusted Extensions policy for zones is different from Solaris policy. Trusted Extensions does not require a separate IP address per zone. However, all zones must have a single naming service. A single naming service provides all zones with a single set of users, UIDs, and GIDs.

Network communication is restricted by label. By default, zones cannot communicate with each other because their labels are different. The /export directory of a zone can be read by any zone whose label dominates the label of the /export directory.
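The dominance rule behind this paragraph is the same one that governs the mount policy (a lower-labeled file system mounts read-only, a higher or disjoint one is refused) and the named-pipe write-up described earlier. The C program below is an added example, not code from the guide and not libtsol: it models a sensitivity label as a classification level plus a compartment bit set, implements dominance, and applies it to all three cases. Real labels are opaque m_label_t values; the level and compartment numbers here are constructed and correspond to no label_encodings file.

```c
/* Added example, not from the guide and not libtsol: a toy sensitivity
 * label used to show the dominance rules the guide states for file
 * system mounts, for reading another zone's /export, and for named-pipe
 * write-up. Constructed values; real labels are opaque m_label_t. */
#include <stdio.h>

typedef struct {
    int level;          /* classification: a higher level dominates a lower one */
    unsigned comps;     /* compartment bit set */
} tlabel;

enum mount_mode { MOUNT_DENY = 0, MOUNT_RO = 1, MOUNT_RW = 2 };

/* a dominates b when its level is at least b's and it holds every
 * compartment that b holds. If neither dominates, they are disjoint. */
int dominates(tlabel a, tlabel b)
{
    return a.level >= b.level && (b.comps & ~a.comps) == 0;
}

int labels_equal(tlabel a, tlabel b)
{
    return dominates(a, b) && dominates(b, a);
}

/* Mount policy from the guide: a file system at the zone's own label is
 * read-write; a strictly lower label is mounted read-only (read down);
 * a higher or disjoint label is refused (no write up). */
enum mount_mode mount_decision(tlabel zone, tlabel fs)
{
    if (labels_equal(zone, fs))
        return MOUNT_RW;
    if (dominates(zone, fs))
        return MOUNT_RO;
    return MOUNT_DENY;
}

/* A zone may read another zone's /export only if it dominates that zone. */
int can_read_export(tlabel reader_zone, tlabel owner_zone)
{
    return dominates(reader_zone, owner_zone);
}

/* Named pipe write-up: a writer in a lower zone may write to a FIFO that
 * is read in a higher zone, i.e. only when the reader's label dominates
 * the writer's. The reverse would be a write down and is refused. */
int fifo_write_allowed(tlabel writer, tlabel reader)
{
    return dominates(reader, writer);
}

int main(void)
{
    /* Constructed labels: PUBLIC is below RESTRICTED; the two RESTRICTED
     * variants carry disjoint compartments A and B. */
    tlabel public_l = { 1, 0 }, restricted = { 2, 0 };
    tlabel restricted_a = { 2, 1u << 0 }, restricted_b = { 2, 1u << 1 };
    static const char *mode[] = { "deny", "read-only", "read-write" };

    printf("RESTRICTED zone mounts PUBLIC fs:         %s\n",
           mode[mount_decision(restricted, public_l)]);
    printf("PUBLIC zone mounts RESTRICTED fs:         %s\n",
           mode[mount_decision(public_l, restricted)]);
    printf("RESTRICTED A zone mounts RESTRICTED B fs: %s\n",
           mode[mount_decision(restricted_a, restricted_b)]);
    printf("PUBLIC writer -> RESTRICTED reader FIFO:  %d\n",
           fifo_write_allowed(public_l, restricted));
    return 0;
}
```

The disjoint case is the one worth remembering when laying out zones: two zones at the same classification but with different compartments cannot see each other's /export or mount each other's file systems in either direction, because neither label dominates the other.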

Only system processes and roles are allowed to execute in the global zone. In certain cases, privileged processes in the global zone can be exempt from aspects of MAC policy. For example, system processes and roles that have the file_dac_search privilege and the file_dac_read privilege can access files which belong to labeled zones.

Privileges in Trusted Extensions

Privileges in Trusted Extensions are coded to correspond to their Solaris counterparts. Privileges in Solaris software are implemented differently from privileges in previous Trusted Solaris releases.

For correspondences between Trusted Solaris privileges and Trusted Extensions privileges, see Table 1 in Appendix A, Interface Changes in the Solaris Trusted Extensions Release, Table 10, and New Interfaces in Trusted Extensions Software. For a complete list of privileges, see the privileges(5) man page.

The Solaris Trusted Extensions release adds the following privileges:

The Trusted Solaris command runpd has been replaced by the Solaris ppriv -d command. For details, see the ppriv(1) man page. For examples, see How to Determine Which Privileges a Program Requires in System Administration Guide: Security Services.

Trusted Extensions User Commands

On a system that is configured with Trusted Extensions, most Solaris user commands work as the commands work in the Solaris OS. Some command options apply to Trusted Extensions software only. Trusted Extensions also adds user commands. For a complete list, see New Interfaces in Trusted Extensions Software, Table 2, and Table 3.

Trusted Extensions System Administration Commands

On a system that is configured with Trusted Extensions, system administration commands work as follows:

Trusted Extensions System Calls

On a system that is configured with Trusted Extensions, most Trusted Solaris system calls have been replaced by Solaris system calls. Some system calls are extended in Trusted Extensions software. For a complete list, see Table 5 and New Interfaces in Trusted Extensions Software.

Trusted Extensions Library Functions

On a system that is configured with Trusted Extensions, some functions have been modified. Some changes are due to architectural changes in the product. Some changes are due to removal of nonstandard interfaces.

The library functions for privileges that were provided by Trusted Solaris software have been replaced by Solaris functions. Label functions that manipulate CMW labels have been removed. Some label functions have been changed to make label structures opaque. Other label functions have been replaced by new label functions that make label structures opaque. Customers are encouraged to use the new interfaces when developing label-aware code for their sites.

For a complete list, see Table 6 and New Interfaces in Trusted Extensions Software.

Trusted Extensions Databases and Files

Databases and files have been reformatted to correspond to technical changes. Unneeded files have been removed. For the list, see Table 9 and New Interfaces in Trusted Extensions Software.

Trusted Extensions Devices and Drivers

On a system that is configured with Trusted Extensions, all Trusted Solaris device interfaces, and kernel functions for drivers have been replaced by Solaris functions. For the list, see Table 11.

Differences Between Solaris Express Developer Edition 5/07 Software and Solaris Trusted Extensions

Trusted Extensions builds on Solaris software, and can restrict the use of some Solaris utilities. The differences affect users, administrators, and developers. Configuration options that are optional on a Solaris system can be required by Trusted Extensions. For example, roles are required to administer the system, and the Solaris Management Console is required to administer users, roles, profiles, and the network. Zones must be installed, and each zone must be assigned a unique label.

Installation and Configuration of Trusted Extensions

Solaris Trusted Extensions installs as a set of packages on a newly installed Solaris Express Developer Edition 5/07 system. The following installation practices should be followed:

Desktops in Trusted Extensions

Solaris Trusted Extensions supports a trusted version of the Sun Java Desktop System, (Trusted JDS) as well as CDE. The Trusted CDE desktop continues to support the visible Trusted Solaris features, such as labels, trusted stripe, the Device Allocation Manager, the Admin Editor, and so on.

New administrative actions in CDE 1.7 are modified for security on the Trusted Extensions desktop. Actions that are unique to Trusted Extensions are in the Trusted_Extensions folder.

Security Attributes on CDE Actions in Trusted Extensions Software

Trusted Extensions adds CDE actions to the objects that can be assigned security attributes in the exec_attr database. CDE actions can be constrained by label by customizing the Workspace Menu to include only actions that are relevant to a specific label. To customize the menu, see How to Customize the CDE Workspace Menu in Solaris Trusted Extensions User’s Guide.

Administration Tools in Trusted Extensions

Secure administration requires the use of GUIs that Trusted Extensions provides. Trusted Extensions provides actions in the Trusted_Extensions folder in CDE, a Device Allocation Manager, and the Solaris Management Console. Trusted Extensions adds tools and options to existing tools in the Solaris Management Console GUI. This GUI enables administrators to manage users, networks, zones, and other databases. After launching the Solaris Management Console, the administrator chooses a Trusted Extensions “toolbox”. The toolbox is a collection of programs. The administrator then uses the programs that are permitted to the role.

Trusted Device Management

The Solaris OS provides three methods of managing devices: the Volume Manager (vold), logindevperm, and device allocation. As in the Trusted Solaris 8 releases, Trusted Extensions supports only device allocation. The Device Allocation Manager GUI is used to create an allocatable device. All devices that are allocated to a zone get deallocated when that zone shuts down, halts, or reboots. Device allocation can be done remotely or in shell scripts only from the global zone.

The allocate, deallocate, and list_devices commands do not work in labeled zones for roles or ordinary users. Users and roles must use the Device Allocation Manager GUI to allocate, deallocate, and list devices. Trusted Extensions adds the solaris.device.config authorization to configure devices.

Trusted Printing

To manage printers, use the Printer Administrator action in the System_Admin folder in the global zone. To limit the label range of a printer, use the Device Allocation Manager in the global zone.

Trusted Extensions Software and Removable Media

Use the Solaris Management Console Devices and Hardware tool to manage serial lines and serial ports in the global zone. To limit the label range of removable media, use the Device Allocation Manager in the global zone.

Additional Rights and Authorizations in Trusted Extensions

The Solaris Trusted Extensions release adds privileged commands to the Device Security profile, and privileged actions to many profiles.

The Solaris Trusted Extensions release adds the following authorizations:

The Solaris Trusted Extensions release adds the following rights profiles:

The Solaris Trusted Extensions release adds label authorizations and service management authorizations to the following rights profiles:

Together, the Information Security and the User Security rights profiles define the Security Administrator role.

New Interfaces in Trusted Extensions Software

The new interfaces in the Solaris Trusted Extensions release are listed in the following table by man page section number. The table includes some Solaris interfaces that perform critical functions for Trusted Extensions.

Only interfaces whose names have changed are included in the table. However, interfaces whose names have not changed might have different options or different functionality in this release. For a complete list, see Appendix A, Interface Changes in the Solaris Trusted Extensions Release.

Table 2 New Man Pages in Solaris Trusted Extensions Software

Man Page                                  Note
----------------------------------------  ----------------------------------------
getzonepath(1)                            Replaces getsldname.
ldaplist(1)                               Trusted Extensions network databases are added to the LDAP directory server.
ppriv(1)                                  Solaris command replaces Trusted Solaris commands that handled privileges.
smtnzonecfg(1M)                           Manages trusted network zone configuration database.
getpflags(2)                              Trusted Extensions adds the NET_MAC_AWARE flag.
getlabel(2)                               Gets sensitivity label of file.
setpflags(2)                              Trusted Extensions adds the NET_MAC_AWARE flag.
is_system_labeled(3C)                     Determines if the system is configured with Trusted Extensions.
getpeerucred(3C)                          Works as in Solaris OS. Replaces getpeerinfo().
priv_gettext(3C)                          Works as in Solaris OS. Replaces get_priv_text().
ucred_getlabel(3C)                        ucred_getlabel() reads the label on a process.
libtsnet(3LIB)                            Describes the libtsnet() interfaces.
libtsol(3LIB)                             Describes the libtsol() interfaces.
getdevicerange(3TSOL)                     Gets the label range of a device.
getpathbylabel(3TSOL)                     Gets the full pathname. Replaces mldrealpathl().
getplabel(3TSOL)                          Gets the sensitivity label of a process.
getuserrange(3TSOL)                       Gets the label range of a user.
getzoneidbylabel(3TSOL)                   Gets the ID of a zone.
getzonelabelbyid(3TSOL),                  Gets the label of a zone.
getzonelabelbyname(3TSOL)
getzonerootbyid(3TSOL),                   Gets the full pathname of a zone.
getzonerootbylabel(3TSOL),
getzonerootbyname(3TSOL)
label_to_str(3TSOL)                       Converts labels to strings. Replaces bcltobanner() and other interfaces.
m_label(3TSOL)                            m_label() is a placeholder for the allocation, duplication, and free functions.
m_label_alloc(3TSOL)                      Manages storage for opaque labels.
m_label_dup(3TSOL)                        Duplicates a label.
m_label_free(3TSOL)                       Frees storage for opaque labels.
setflabel(3TSOL)                          Replaces setcmwlabel().
str_to_label(3TSOL)                       Converts labels to strings. Replaces stobsl() and stobclear().
tsol_getrhtype(3TSOL)                     Gets the host type of the specified hostname.
door_ucred(3C)                            Works as in Solaris OS. Replaces door_tcred().
getsockopt(3SOCKET), getsockopt(3XNET),   Trusted Extensions adds the SO_MAC_EXEMPT option.
setsockopt(3SOCKET), setsockopt(3XNET)
tnzonecfg(4)                              Is the local configuration file for the global zone and labeled zones.
TrustedExtensionsPolicy(4)                Is the policy file for window behavior. Replaces config.privs.
labels(5)                                 Describes label policy.
pam_tsol_account(5)                       Is the PAM module for account authentication.
privileges(5)                             Contains descriptions of new privileges, net_bindmlp and net_mac_aware.