Trusted Solaris User's Guide

How the Trusted Solaris Environment Keeps Labeled Information Separate

The Trusted Solaris environment helps keep information at different labels separate through the mechanisms described in the following sections:

Single- or Multi-level Sessions

When you first log into a Trusted Solaris session, you specify whether you will be operating at a single label or at multiple labels. You then set your session clearance or session label. This is the security level at which you intend to operate.

In a single-level session, you can access only those objects at or dominated by your session label.

In a multi-level session, you can access information at different sensitivity levels, as long as they are at or lower than your session clearance. In the Trusted Solaris environment, you can specify different labels for different workspaces.

Session Selection Example

Table 1-2 provides an example of the difference between a single- and multi-level session. It contrasts a user choosing to operate in a single-level session at SECRET A with a user selecting a multi-level session, also at SECRET A. Note that labels are shown in their long form inside square brackets ([]).

The three columns on the left show the user's session selections at login. Note that users set session labels for single-level sessions and session clearances for multi-level sessions. (This is a minor distinction that is taken care of by the system; the correct label builder dialog box is always displayed with the choices permitted.)

The two columns on the right show the label values available in the session. The Initial Workspace label column represents the label when the user first enters the Trusted Solaris environment. The Available Labels column lists the labels that the user is permitted to switch to in the session.

Table 1-2 How Session Selections Affect Session Values

                 User Selections                          Session Label Values
  Session Type   Session Label   Session Clearance   Initial Workspace Label   Available Labels
  single-level   [S A]           --                  [S A]                     [S A]
  multi-level    --              [S A]               [C]                       [C], [C A], [S], [S A]

In the first row of the table, the user has selected a single-level session with a session label of [S A]. In the Trusted Solaris environment, the user has an initial workspace label of [S A], which is also the only label at which the user can operate.

In the second row of the table, the user has selected a multi-level session with a session clearance of [S A]. The user's initial workspace label is set to [U], that is, a label of [UNCLASSIFIED], because that is the lowest possible label in the user's account label range. The user can switch to any label between [U], the minimum, and [S A], the session clearance.

Labeled Workspaces

The workspaces in the Trusted Solaris environment are accessed through buttons in the front panel, just as in the standard Solaris operating environment. However, in the Trusted Solaris environment, you can devote a workspace entirely to a single label. This is very convenient when you are in a multi-level session and do not want to move information between files at different labels.

Storing Files in Separate Directories by Labels

The Trusted Solaris environment provides two special types of directories for storing files and subdirectories with different labels and keeping them separate: multi-level directories and the single-level directories (SLDs) hidden inside them.

When you attempt to view or access files in a multi-level directory (either through an application such as File Manager or through a shell using standard commands), only those files that are at your current label are visible and accessible. If you keep files at different labels in your home directory, for example, you cannot normally view files at labels other than your current label.

The following figure illustrates the concept of hidden single-level directories within a multi-level directory. The top part of the figure shows the contents of a multi-level home directory called /myHomeDir from the user's view while working at Confidential A B. The lower part of the figure shows the user at Secret A B. Dashed lines and unbolded text indicate hidden directories and files; the solid lines and bolded text indicate visible ones. (Note that the labels associated with the single-level directories are shown in their short form inside parentheses. The labels do not actually appear in the directory names.)

Figure 1-4 SLD Subdirectories (graphic not reproduced)

While working at Confidential A B, the user has the following results when trying to list the contents of the /myHomeDir directory:
% pwd
/myhomedir
% ls
file1

At Secret A B, the user sees these results:
% pwd
/myhomedir
% ls
file2    file3
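The label rules behind the session selection example above and the two listings just shown can be modelled in a few lines. The following is an added example, not code from the Trusted Solaris guide; it assumes a short-form label syntax of classification plus compartments (e.g. [S A B]), the classification order U < C < S, and a compartment universe of A and B:

```python
# Added example, not from the Trusted Solaris guide: a toy model of label
# dominance, session label ranges and multi-level directory (MLD) visibility.
from itertools import combinations

LEVELS = {"U": 0, "C": 1, "S": 2}   # assumed classification order
COMPARTMENTS = ("A", "B")           # assumed compartment universe


def parse(label):
    """'[S A B]' -> ('S', frozenset({'A', 'B'})); short-form labels only."""
    parts = label.strip("[]").split()
    return parts[0], frozenset(parts[1:])


def fmt(label):
    return "[" + " ".join([label[0], *sorted(label[1])]) + "]"


def dominates(high, low):
    """Classification at least as high AND every compartment of low held."""
    return LEVELS[high[0]] >= LEVELS[low[0]] and low[1] <= high[1]


def all_labels():
    for cls in LEVELS:
        for n in range(len(COMPARTMENTS) + 1):
            for comps in combinations(COMPARTMENTS, n):
                yield (cls, frozenset(comps))


def available_labels(session_type, label, minimum="[U]"):
    """Single-level: only the session label. Multi-level: every label between
    the account minimum and the session clearance, inclusive."""
    lab, lo = parse(label), parse(minimum)
    if session_type == "single-level":
        return [fmt(lab)]
    return [fmt(l) for l in all_labels() if dominates(l, lo) and dominates(lab, l)]


def visible_files(mld, current_label):
    """Only the SLD matching the current label is visible inside an MLD."""
    cur = parse(current_label)
    return sorted(name for name, lbl in mld.items() if parse(lbl) == cur)


# Constructed sample: the home directory of Figure 1-4, file -> label.
MY_HOME_DIR = {"file1": "[C A B]", "file2": "[S A B]", "file3": "[S A B]"}

if __name__ == "__main__":
    print(available_labels("multi-level", "[S A]", "[C]"))  # ['[C]', '[C A]', '[S]', '[S A]']
    print(visible_files(MY_HOME_DIR, "[S A B]"))            # ['file2', 'file3']
```

With the account minimum set to [C], the multi-level call reproduces the second row of Table 1-2, and the two visible_files calls reproduce the ls output at Confidential A B and Secret A B.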

Enforcing MAC for Email Transactions

The Trusted Solaris environment enforces mandatory access control whenever you use email. When you send email, the Trusted Solaris environment prevents users with insufficiently high clearance from receiving it. On the receiving end, email is sorted by the labels within your account range. Your current label must be at the same level as the email message you intend to read; otherwise, you must change your current label.

Clearing Objects Prior to Reuse

The Trusted Solaris environment prevents inadvertent exposure of sensitive information by automatically clearing (erasing) user-accessible objects, such as memory and disk space, prior to reuse. Processes on the system continuously allocate, deallocate, and reuse such objects, and failure to erase sensitive data before an object is reused risks exposing that data to inappropriate users. Through device deallocation, Trusted Solaris clears all user-accessible objects prior to allocating them to processes. Note, however, that you must clear any removable storage medium (floppy disk, magnetic tape, and the like) yourself before another user can have access to it.