JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Trusted Extensions User's Guide     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information


1.  Introduction to Trusted Extensions

2.  Logging In to Trusted Extensions (Tasks)

3.  Working in Trusted Extensions (Tasks)

4.  Elements of Trusted Extensions (Reference)




access control list (ACL)

A security feature of the Oracle Solaris OS. An ACL extends discretionary access control (DAC) to use a list of permission specifications (ACL entries) that apply to specific users and specific groups. An ACL allows finer-grained control than the control that standard UNIX permissions provides.

access permission

A security feature of most computer systems. Access permission gives the user the right to read, write, execute, or view the name of a file or directory. See also discretionary access control (DAC) and mandatory access control (MAC).

account label range

The set of labels that are assigned by the security administrator to a user or role for working on a system that is configured with Trusted Extensions. A label range is defined at the upper end by the user clearance and at the lower end by the user's minimum label. The set is limited to well-formed labels.

accreditation range

A set of labels that are approved for a class of users or resources. See also system accreditation range, user accreditation range, label encodings file, and network accreditation range.

administrative labels

Two special labels intended for administrative files only: ADMIN_LOW and ADMIN_HIGH. ADMIN_LOW is the lowest label in the system with no compartments. This label is strictly dominated by all labels in the system. Information at ADMIN_LOW can be read by all but can only be written by a user in a role who is working at the ADMIN_LOW label. ADMIN_HIGH is the highest label in the system with all compartments. This label strictly dominates all labels in the system. Information at ADMIN_HIGH can only be read by users in roles that operate at ADMIN_HIGH. Administrative labels are used as labels or clearances for roles and systems. See also dominating label.

allocatable device

A security feature of the Oracle Solaris OS. An allocatable device can be used by one user at a time, and is capable of importing or exporting data from the system. The security administrator determines which users are authorized to access which allocatable devices. Allocatable devices include tape drives, floppy drives, audio devices, and CD-ROM devices. See also device allocation.

audit ID (AUID)

A security feature of the Oracle Solaris OS. An audit ID represents the login user. the AUID is unchanged after the user assumes a role, so is used to identify the user for auditing purposes. The audit ID always represents the user for auditing even when the user acquires effective UIDs/GIDs. See also user ID (UID).


A security feature of the Oracle Solaris OS. Auditing is a process for capturing user activity and other events on the system, then storing this information in a set of files that is called an audit trail. Auditing produces system activity reports to fulfill site security policy.


A security feature of the Oracle Solaris OS. An authorization grants permission to a user to perform an action that is otherwise prohibited by security policy. The security administrator assigns authorizations to rights profiles. Rights profiles are then assigned to user or role accounts. Some commands and actions do not function fully unless the user has the necessary authorizations. See also privilege.


A component of a clearance or a label. A classification indicates a hierarchical level of security, for example, TOP SECRET or UNCLASSIFIED.


A label that defines the upper boundary of a label range. A clearance has two components: a classification and zero or more compartments. A clearance does not need to be a well-formed label. A clearance defines a theoretical boundary, not necessarily an actual label. See also user clearance, session clearance, and label encodings file.


A nonhierarchical component of a label that is used with the classification component to form a clearance or a label. A compartment represents a group of users with a potential need to access this information, such as an engineering department or a multidisciplinary project team.

compartmented mode workstation (CMW)

A computing system that fulfills the government requirements for a trusted workstation as stated in Security Requirements for System High and Compartmented Mode Workstations, DIA document number DDS-2600-5502-87. Specifically, it defines a trusted, X Window System-based operating system for UNIX workstations.

covert channel

A communication channel that is not normally intended for data communication. A covert channel allows a process to transfer information indirectly in a manner that violates the intent of the security policy.

deallocated device

A security feature of the Oracle Solaris OS. A deallocated device is no longer allocated to a user for exclusive use. See also device allocation.


See allocatable device.

device allocation

A security feature of the Oracle Solaris OS. Device allocation is a mechanism for protecting the information on an allocatable device from access by anyone except the user who allocates the device. When the device is deallocated, device clean scripts are run to clean information from the device before the device can be accessed again by another user. In Trusted Extensions, device allocation is handled by the Device Manager.

Device Manager

A trusted application of Trusted Extensions. This GUI is used to configure devices, and to allocate and deallocate devices. Device configuration includes adding authorization requirements to a device.

discretionary access control (DAC)

An access control mechanism that allows the owner of a file or directory to grant or deny access to other users. The owner assigns read, write, and execute permissions to the owner, the user group to which the owner belongs, and a category called other, which refers to all other unspecified users. The owner can also specify an access control list (ACL). An ACL lets the owner assign permissions specifically to additional users and additional groups. Contrast with mandatory access control (MAC).

disjoint label

See dominating label.

dominating label

In a comparison of two labels, the label whose classification component is higher than or equal to the second label's classification and whose compartment components include all of the second label's compartment components. If the components are the same, the labels are said to dominate each other and are equal. If one label dominates the other and the labels are not equal, the first label is said to strictly dominate the other. Two labels are disjoint if they are not equal and neither label is dominant.

downgraded label

A label of an object that has been changed to a value that does not dominate the previous value of the label.

effective UIDs/GIDs

A security feature of the Oracle Solaris OS. Effective IDs override a real ID when necessary to run a particular program or an option of a program. The security administrator assigns an effective UID to a command or action in a rights profile when that command or action must be run by a specific user, most often when the command must be run as root. Effective group IDs are used in the same fashion. Note that the use of the setuid command as in conventional UNIX systems might not work due to the need for privileges.

evaluatable configuration

A computer system that meets a set standard of government security requirements. See also extended configuration.

extended configuration

A computer system that is no longer an evaluatable configuration due to modifications that have broken security policy.

fallback mechanism

A shortcut method for specifying IP addresses in the tnrhtp database. For IPv4 addresses, the fallback mechanism recognizes 0 as a wildcard for a subnet.


A host that has more than one network interface. Such a host can be used to connect two or more networks. When the gateway is a Trusted Extensions host, the gateway can restrict traffic to a particular label.

group ID (GID)

A security feature of the Oracle Solaris OS. A GID is an integer that identifies a group of users who have common access permissions. See also discretionary access control (DAC).


A computer attached to a network.

host template

A record in the tnrhtp database that defines the security attributes of a class of hosts that can access the Trusted Extensions network.

host type

A classification of a host. The classification is used for network communications. The definitions of host types are stored in the tnrhtp database. The host type determines whether the CIPSO network protocol is used to communicate with other hosts on the network. Network protocol refers to the rules for packaging communication information.


Also referred to as a sensitivity label. A label indicates the security level of an entity. An entity is a file, directory, process, device, or network interface. The label of an entity is used to determine whether access should be permitted in a particular transaction. Labels have two components: a classification that indicates the hierarchical level of security, and zero or more compartments for defining who can access the entity at a given classification. See also label encodings file.

label builder

A trusted application of Trusted Extensions. This GUI enables users to choose a session clearance or a session label. The clearance or label must be within the account label range that the security administrator has assigned to the user.

label encodings file

A file that is managed by the security administrator. The encodings file contains the definitions for all valid clearances and labels. The file also defines the system accreditation range, user accreditation range, and defines the security information on printouts at the site.

label range

Any set of labels that are bounded on the upper end by a clearance or maximum label, on the lower end by a minimum label, and that consist of well-formed labels. Label ranges are used to enforce mandatory access control (MAC). See also label encodings file, account label range, accreditation range, network accreditation range, session range, system accreditation range, and user accreditation range.

label view

A security feature that displays the administrative labels or substitutes unclassified placeholders for the administrative labels. For example, if security policy forbids exposing the labels ADMIN_HIGH and ADMIN_LOW, the labels RESTRICTED and PUBLIC can be substituted.

labeled workspace

A workspace that is associated with a label. A labeled workspace labels every activity that is launched from the workspace with the label of the workspace. When users move a window into a workspace of a different label, the moved window retains its original label. Every workspace on a trusted desktop is labeled. Two workspaces can be associated with the same label.

least privilege

See principle of least privilege.

mandatory access control (MAC)

A system-enforced access control mechanism that uses clearances and labels to enforce security policy. A clearance or a label is a security level. MAC associates the programs that a user runs with the security level at which the user chooses to work in the session. MAC then permits access to information, programs, and devices at the same or lower level only. MAC also prevents users from writing to files at lower levels. MAC cannot be overridden without special authorizations or privileges. Contrast with discretionary access control (DAC).

minimum label

A label that is assigned to a user as the lower bound of the set of labels at which that user can work. When a user first begins a Trusted Extensions session, the minimum label is the user's default label. At login, the user can choose a different label for the initial label.

Also, the lowest label that is permitted to any non-administrative user. The minimum label is assigned by the security administrator and defines the bottom of the user accreditation range.

network accreditation range

The set of labels within which Trusted Extensions hosts are permitted to communicate on a network. The set can be a list of four discrete labels.


A passive entity that contains or receives data, such as a data file, directory, printer, or other device. An object is acted upon by subjects. In some cases, a process can be an object, such as when you send a signal to a process.


A role that can be assigned to the user or users who are responsible for backing up systems.

ordinary user

A user who holds no special authorizations that allow exceptions from the standard security policies of the system. Typically, an ordinary user cannot assume an administrative role.


A set of codes that indicate which users are allowed to read, write, or execute the file or directory (folder). Users are classified as owner, group (the owner's group), and other (everyone else). Read permission (indicated by r) lets the user read the contents of a file or, if a directory, list the files in the folder. Write permission (w) lets the user make changes to a file or, if a folder, add or delete files. Execute permission (e) lets the user run the file if the file is executable. If the file is a directory, execute permission lets the user read or search the files in the directory. Also referred to as UNIX permissions or permission bits.

principle of least privilege

The security principle that restricts users to only those functions that are necessary to perform their jobs. The principle is applied in the Oracle Solaris OS by making privileges available to programs on an as-needed basis. Privileges are available on an as-needed basis for specific purposes only.


A security feature of the Oracle Solaris OS. A privilege is a permission that is granted to a program by the security administrator. A privilege can be required to override some aspect of security policy. See also authorization.

privileged process

A security feature of the Oracle Solaris OS. A privileged process runs with assigned has privileges.


A running program. Trusted Extensions processes have Oracle Solaris security attributes, such as user ID (UID), group ID (GID), the user's audit ID (AUID), and privileges. Trusted Extensions adds a label to every process.


See rights profile.

profile shell

A security feature of the Oracle Solaris OS. A version of the Bourne shell that enables a user to run programs with security attributes.

reading down

The ability of a subject to view an object whose label the subject dominates. Security policy generally allows reading down. For example, a text editor program that runs at Secret can read Unclassified data. See also mandatory access control (MAC).

rights profile

A security feature of the Oracle Solaris OS. A rights profile enables a site's security administrator to bundle commands with security attributes. Attributes such as user authorizations and privileges enable the commands to succeed. A rights profile generally contains related tasks. A profile can be assigned to users and to roles.


A security feature of the Oracle Solaris OS. A role is a special account that gives the user who assumes the role access to certain applications with the security attributes that are necessary for performing the specific tasks.

security administrator

On system that is configured with Trusted Extensions, the role that is assigned to the user or users who are responsible for defining and for enforcing security policy. The security administrator can work at any label in the system accreditation range, and potentially has access to all information at the site. The security administrator configures the security attributes for all users and equipment. See also label encodings file.

security attribute

A security feature of the Oracle Solaris OS. A property of an entity, such as a process, zone, user, or device, that is related to security. Security attributes include identification values such as user ID (UID) and group ID (GID). Attributes that are specific to Trusted Extensions include labels and label ranges. Note that only certain security attributes apply to a particular type of entity.

security policy

The set of DAC, MAC, and label rules that define how information can be accessed and by whom. At a customer site, the set of rules that defines the sensitivity of the information that is processed at that site. Policy includes the measures that are used to protect the information from unauthorized access.

Selection Manager

A trusted application of Trusted Extensions. This GUI appears when authorized users attempt to upgrade information or downgrade information.

sensitivity label

See label.


The time between logging in to a Trusted Extensions host and logging out from the host. The trusted stripe appears in all Trusted Extensions sessions to confirm that users are not being spoofed by a counterfeit system.

session clearance

A clearance set at login that defines the upper boundary of labels for a Trusted Extensions session. If the user is permitted to set the session clearance, the user can specify any value within the user's account label range. If the user's account is configured for forced single-level sessions, the session clearance is set to the default value specified by the security administrator. See also clearance.

session range

The set of labels that are available to a user during a Trusted Extensions session. The session range is bounded at the upper boundary by the user's session clearance and at the lower end by the minimum label.

single-level configuration

A user account that has been configured for operation at a single label only. Also called a single-level configuration.


To counterfeit a software program in order to illegally get access to information on a system.

strict dominance

See dominating label.


An active entity, usually a process that runs on behalf of a user or role. A subject causes information to flow among objects, or changes the system state.

system accreditation range

The set of all valid labels for a site. The set includes the administrative labels that are available to the site's security administrator and system administrator. The system accreditation range is defined in the label encodings file.

system administrator

A security feature of the Oracle Solaris OS. The System Administrator role can be assigned to the user or users who are responsible for performing standard system management tasks such as setting up the non-security-relevant portions of user accounts. See also security administrator.

trusted application

An application that has been granted one or more privileges.

trusted computing base (TCB)

The part of a system that is configured with Trusted Extensions that affects security. The TCB includes software, hardware, firmware, documentation, and administrative procedures. Utility programs and application programs that can access security-related files are all part of the trusted computing base.

trusted facilities management

All activities associated with system administration in a conventional UNIX system, plus all of the administrative activities that are necessary to maintain the security of a distributed system and the data that the system contains.

Trusted GNOME

A labeled graphical desktop that includes a session manager, a window manager, and various desktop tools. The desktop is fully accessible.

trusted path

Refers to the mechanism for accessing actions and commands that are permitted to interact with the trusted computing base (TCB). See also Trusted Path menu, trusted symbol, and trusted stripe.

Trusted Path menu

A menu of Trusted Extensions operations that is displayed by holding down mouse button 3 over the switch area of the Front Panel. The menu selections fall into three categories: workspace-oriented selections, role assumption selections, and security-related tasks.

trusted stripe

A screen-wide rectangular graphic in a reserved area of the screen. The trusted stripe appears in all Trusted Extensions sessions to confirm valid Trusted Extensions sessions. The trusted stripe has two components: (1) a mandatory trusted symbol to indicate interaction with the trusted computing base (TCB), and (2) a label to indicate the label of the current window or workspace.

trusted symbol

The symbol that appears at the left of the trusted stripe area. The symbol is displayed whenever the user accesses any portion of the trusted computing base (TCB).

upgraded label

A label of an object that has been changed to a value that dominates the previous value of the label.

user accreditation range

The largest set of labels that the security administrator can potentially assign to a user at a specific site. The user accreditation range excludes the administrative labels and any label combinations that are available to administrators only. The user accreditation range is defined in the label encodings file.

user clearance

A clearance that is assigned by the security administrator. A user clearance defines the upper boundary of a user's account label range. The user's clearance determines the highest label at which the user is permitted to work. See also clearance and session clearance.

user ID (UID)

A security feature of the Oracle Solaris OS. A UID identifies a user for the purposes of discretionary access control (DAC), mandatory access control (MAC), and auditing. See also access permission.

well-formed label

A label that can be included in a range, because the label is permitted by all applicable rules in the label encodings file.


See labeled workspace.