This book covers the following topics:
Differences Between Trusted Solaris 8 Software and Solaris Trusted Extensions
Differences Between Solaris 10 8/07 Software and Solaris Trusted Extensions
Solaris™ Trusted Extensions software is a specific configuration of the Solaris Operating System (Solaris OS). Solaris Trusted Extensions (Trusted Extensions) provides labels for local objects and processes, for the desktop and windowing system, for zones and file systems, and for network communications. Trusted Extensions software is delivered in packages that are added to a version of the Solaris OS.
Trusted Extensions depends on features in the Solaris release to which the Trusted Extensions packages are added. Trusted Extensions software does not replace any Solaris components, but the software does modify certain policy settings.
Trusted Extensions administrators assign labels to hosts, zones, devices, and users. Trusted Extensions applies these labels to resources such as files, processes, network packets, and windows. The basis for applying these labels is the host or zone with which the resources are associated.
As in previous Trusted Solaris releases, the Solaris OS provides support for privileges, authorizations, and auditing. Trusted Extensions adds to the privileges, authorizations, rights profiles, audit classes, and audit events that the Solaris OS defines. As in previous releases, Trusted Extensions adds CDE actions to rights profiles.
As in previous releases, the software provides a trusted windowing system, desktop, and administration tools that extend Solaris functionality. Printing is modified to handle labeled print jobs. Also, Trusted Extensions provides a trusted version of the Sun Java™ Desktop System. This trusted version is called Solaris Trusted Extensions (JDS).
Unlike Trusted Solaris software, Trusted Extensions is a configuration of the underlying Solaris OS. Trusted Extensions does not support the NIS+ naming service. LDAP is the recommended naming service for this release. Also, the root user in Trusted Extensions is identical to the root user in the Solaris OS. You can modify the root user as you can in the Solaris OS, that is, by turning the root user into a role.
Because of changes to the architecture, the following Trusted Solaris 8 features do not exist in Trusted Extensions. For a list of interface changes, see Appendix A, Interface Changes in the Solaris Trusted Extensions Release.
Forced and allowed privileges
Selected GUIs
Dialog boxes for setting privileges and labels in the File Manager
Enable Logins GUI
Password generator GUI
Kernel switch settings in /etc/system file
tsol_hide_upgraded_names
tsol_clean_windows
tsol_privs_debug
tsol_flush_buffers
Label and privilege attributes in ufs and tmpfs inodes
Mail delivery exceptions in sendmail.cf and the Rights tool

| sendmail.cf entry | Rights tool entry |
|---|---|
| #0 LabelTooLow=return | tsoltoolowreturn |
| #0 LabelAdminLow=upgrade | tsoladminlowupgrade |
Network labeling protocols – tsol, tsix, and ripso labels
Multilevel directory adornments, including MLDs and SLDs
NIS+ naming service for a Trusted Extensions domain
Packaging utilities, such as tsolinfo file
Trusted Solaris extensions to file system commands (Trusted NFS)
System_Admin actions for NIS+
tnidb database
t6 API
vfstab_adjunct file
Because of changes to the architecture, the following Trusted Solaris 8 features are visibly different in Trusted Extensions.
Privileges are called by name, not by number
Window label Trusted Path replaces ADMIN_LOW and ADMIN_HIGH
Trusted Path workspaces are used for ADMIN_LOW and ADMIN_HIGH tasks
Label attributes are not placed in exec_attr
tsol policy entry is not used in exec_attr
The following sections summarize the components that remain, the components that have changed, and the components that have been removed in the change from Trusted Solaris to Solaris Trusted Extensions software.
In Trusted Extensions, the audit classes for X events have been collapsed from six classes to four classes. The xa class and the xl class are removed. Events that were assigned to the xa class are in the ot class. Events that were assigned to the xl class are in the lo class. The bit masks of the remaining X audit classes have been changed from their Trusted Solaris 8 masks.
0x00800000:xc:X - object create/destroy
0x00400000:xp:X - privileged/administrative operations
0x01000000:xs:X - operations that always silently fail, if bad
0x01c00000:xx:X - all X events (meta-class)
In Trusted Extensions, the allocate and deallocate commands are only available to TCB (Trusted Computing Base) processes that run in the global zone. Ordinary users must use the Device Manager GUI to allocate and deallocate devices.
Trusted Extensions device policy uses the Solaris getdevpolicy and update_drv interfaces. The Trusted Solaris 8 device policies: data_mac_policy, attr_mac_policy, open_priv, and str_type have been removed.
Trusted Extensions provides no explicit mount attributes for specifying labels. The label of a mounted file system is the same as the label that is associated with the owning host or owning zone. Writing up is not permitted: it is prevented by disallowing mounts of higher-labeled or disjointly labeled file systems. Reading down is permitted: it is enforced by restricting mounts of lower-labeled file systems to be read-only.
The Trusted Extensions implementation for specifying security attributes on file systems follows the Solaris implementation. Therefore, files do not have forced privileges or allowed privileges. This implementation enables Trusted Extensions to support any file system that is supported by Solaris zones.
File relabeling is implemented by moving a file from one mounted file system to another file system.
As in the Trusted Solaris releases, Trusted Extensions provides a label_encodings file. Labels, label ranges, clearances, and defaults are defined in the label_encodings file.
In Trusted Extensions, the label_encodings file that is installed by default defines commercial labels, such as RESTRICTED and PUBLIC. In Trusted Solaris releases, the default label encodings file, label_encodings.multi, was a version of a U.S. Government encodings file.
In the Label Builder, labels are shown in long form instead of in short form. When choosing a session clearance or workspace label, Trusted Path is used instead of Admin Low or Admin High.
In Solaris Trusted Extensions, the label APIs that showed the internals of a label's structure are now obsolete. These label APIs have been replaced by the label_to_str() and str_to_label() functions. For the interfaces that are obsolete, and their replacement functions, see Table 7.
Also, CMW labels have been replaced by sensitivity labels. All CMW and IL (information label) interfaces have been removed.
In the Solaris Trusted Extensions release, each zone has an independent instance of sendmail. Therefore, mail cannot be upgraded. Users can send mail and can receive mail only at the label of the user's workspace.
Solaris Trusted Extensions uses LDAP as a naming service. In Trusted Extensions, NIS and NIS+ do not support the tnrhdb and tnrhtp databases. These naming services do not have a proxy server that can bind to a multilevel port (MLP). Therefore, the trusted networking databases cannot be reached from multiple zones concurrently.
Except for user passwords, LDAP data is considered public information. Therefore, any information in LDAP is not protected by a MAC policy. Instead, as in the Solaris OS, data is protected by an administrative policy. LDAP administrative policy is based on LDAP identities and passwords. When sensitivity labels are assigned as attributes of users and network endpoints, the labels are stored in an internal format. This format does not disclose classified information.
When an LDAP server is deployed as the naming service within a Trusted Extensions environment, the server must be configured to bind to a multilevel port (MLP) in the global zone.
Trusted Extensions can also be configured to rely on an existing LDAP infrastructure. In this case, an LDAP proxy server must be installed. This proxy server must be configured to bind to an MLP in the global zone of a system that is configured with Trusted Extensions. This Trusted Extensions system can then proxy multilevel requests from other zones and other hosts to the existing unlabeled LDAP server. The unlabeled server must be assigned the admin_low template in the tnrhdb of the proxy server.
To migrate NIS+ tables to LDAP entries, see the following man pages:
In the Solaris OS, named pipes are used as one-way conduits. In Trusted Extensions, named pipes permit write-up operations. The writer runs at a lower label than the reader's dominant label. In Trusted Solaris 8, named pipes were configured by upgrading the label of the FIFO to the reader's label. In Trusted Extensions, named pipes are configured by using read-only lofs mounts of directories in lower-level zones into dominant higher-level zones. The FIFO is created at the label of the zone of the writer. For more information, see the mkfifo(1M) man page.
Trusted Extensions does not support the TSIX or TSOL networking protocols. Trusted Extensions defines CIPSO-labeled templates and unlabeled templates in the tnrhtp database. The label ADMIN_HIGH is used as an upper bound, but is never transmitted as a CIPSO label. For more information, see Zones in Trusted Extensions.
The format of the tnrhtp database has been simplified because process attributes like privileges, user ids, and group ids are no longer supported. The format of the tnrhdb database is unchanged. The tnzonecfg database replaces the tnidb database, although the two databases are not equivalent.
The /etc/security/tsol/tnrhtp file that is installed with the Solaris Trusted Extensions release contains templates that can be used with any label_encodings file. The following table shows the correspondences between earlier versions of tnrhtp and the version that is shipped with the Solaris Trusted Extensions release.
Table 1 Template Names in the Trusted Solaris 8 and Solaris Trusted Extensions Releases

| Trusted Solaris Template Name | Trusted Extensions Name | Note |
|---|---|---|
| cipso | cipso | For labeled hosts |
| unlab | admin_low | For unlabeled hosts |
| tsol, tsol_cipso, tsix | None | Use cipso template |
| tsol_ripso, ripso_top_secret | None | Removed |
Network communication is restricted by label. By default, zones cannot communicate with each other because their labels are different.
Packets from unlabeled hosts that originate outside a Trusted Extensions domain can be labeled for trusted routing through the secure domain to another host outside the domain by using IP options. Incoming packets are labeled according to their originating host's entry in the tnrhdb. Incoming packets are routed through the Trusted Extensions domain according to their sensitivity level and the trusted routing information. The sensitivity label is still carried in the IP option. The label is stripped when the packet exits the trusted domain. IPv6 now supports trusted routing.
Dynamic routing is not supported. Static routing is supported.
Trusted Extensions software does not require special packaging attributes. Therefore, the tsolinfo file is no longer used.
The PAM module for Trusted Extensions, pam_tsol_account.so.1, has only one module type and one function. The module is of type account, and the function checks the label range. The module has no options. No other Trusted Extensions-specific functions of PAM from Trusted Solaris 8 software are included in this release.
If a PAM stack for account in the Trusted Solaris 8 release did not have label_check_on in pam_tsol.so.1, then you do not need to add pam_tsol_account.so.1 to the corresponding stack in the Solaris Trusted Extensions release.
If a PAM stack for account in the Trusted Solaris 8 release did have label_check_on in pam_tsol.so.1, then the corresponding stack in the Solaris Trusted Extensions release should use pam_tsol_account.so.1 in the same place in the stack with no switches.
Trusted Extensions adds the allow_unlabeled option to PAM services. Together with the allow_remote option, administrators can manage headless systems remotely. For details, see the pam_roles(5) and pam_tsol_account(5) man pages.
PAM stacks for other module types should be used in the same manner for Trusted Extensions as for the Solaris OS. For more information, see the pam(3PAM) and pam.conf(4) man pages.
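The two account-stack rules above, applied mechanically to a pam.conf fragment. This is an added example, not code from the transition guide or from Solaris: it rewrites a Trusted Solaris 8 pam_tsol.so.1 account entry that carries label_check_on into pam_tsol_account.so.1 at the same stack position with no options, and assumes (since no other pam_tsol function is shipped in this release) that any remaining pam_tsol.so.1 entry can simply be dropped. The sample stack is constructed for the example.

```python
"""Rewrite Trusted Solaris 8 pam.conf entries for Solaris Trusted Extensions.

Added example, not product code. pam.conf layout (Solaris):
    service  module-type  control-flag  module-path  [options ...]
"""
from typing import List, Optional

OLD_MODULE = "pam_tsol.so.1"           # Trusted Solaris 8 module
NEW_MODULE = "pam_tsol_account.so.1"   # Trusted Extensions: type account only, no options

# Constructed sample of a Trusted Solaris 8 stack (not from a real system).
SAMPLE_TS8 = """\
# login: authentication then account management
login\tauth\trequired\tpam_unix_auth.so.1
login\taccount\trequired\tpam_roles.so.1
login\taccount\trequired\tpam_tsol.so.1\tlabel_check_on
other\taccount\trequired\tpam_tsol.so.1
other\taccount\trequired\tpam_unix_account.so.1
"""


def migrate_line(line: str) -> Optional[str]:
    """Return the Trusted Extensions form of one pam.conf line, or None to drop it."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line                     # blank lines and comments pass through
    fields = stripped.split()
    if len(fields) < 4:
        return line                     # not a stack entry; leave untouched
    service, mtype, flag, path = fields[:4]
    options = fields[4:]
    if path != OLD_MODULE:
        return line                     # ordinary Solaris module: unchanged
    if mtype != "account" or "label_check_on" not in options:
        # Assumption: no other pam_tsol function exists in this release, and an
        # account entry without label_check_on needs no replacement (rule 1).
        return None
    # Rule 2: same position in the stack, new module, no switches.
    return f"{service}\t{mtype}\t{flag}\t{NEW_MODULE}"


def migrate_stack(text: str) -> List[str]:
    """Migrate every line of a pam.conf fragment; dropped lines are omitted."""
    out = []
    for line in text.splitlines():
        new = migrate_line(line)
        if new is not None:
            out.append(new)
    return out


if __name__ == "__main__":
    print("\n".join(migrate_stack(SAMPLE_TS8)))
```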
In Trusted Extensions, a process's clearance is the same as its sensitivity label. Write up is not supported.
There is no administrative distinction between ADMIN_HIGH and ADMIN_LOW workspaces. Therefore, such workspaces are displayed as Trusted Path.
The tsol policy in the exec_attr file is removed. Use the solaris policy.
Trusted Extensions supports both single-level and multilevel printing. Multilevel printing is implemented in the global zone only. The global zone must have its own IP address to be a multilevel print service. To use the global zone's print server, a labeled zone must have a separate IP address from the global zone.
Only multilevel printers have a label range. A printer's label range can be restricted with the Device Allocation Manager.
In Trusted Solaris releases, banner and trailer pages were enabled by default. In Trusted Extensions, administrators run a printer model script to add banner and trailer pages with security information to a printer.
lpadmin -p printer -m printer-model-script
Trusted Extensions adds four printer model scripts: tsol_standard, tsol_netstandard, tsol_standard_foomatic, and tsol_netstandard_foomatic.
The Solaris Management Console is no longer a multilevel service. The Solaris Management Console can only be contacted by clients that are running at the same label as the server. For most Trusted Extensions administration, access to the global zone is required. Because ordinary users are not permitted to log in to the global zone, only roles that are cleared for all labels can connect to the Solaris Management Console in the global zone.
The login sequence is slightly different, and a new dialog box, Last Login, contains security information for the login user. The Shutdown menu item has been replaced with the Suspend System menu item, which checks for user authorization, then runs the sys-suspend command.
The System_Admin folder has been renamed to the Trusted_Extensions folder.
The CDE actions in the Trusted_Extensions folder have been updated. The NIS+ actions have been removed. Actions for administering LDAP and labeled zones have been added.
Trusted Extensions uses zones for labeling. The global zone is an administrative zone and is therefore not available to users. The global zone is multilevel. The networking label of the global zone is ADMIN_LOW, but its process label is ADMIN_HIGH. Files that are private to the global zone are also labeled ADMIN_HIGH. Files that are shared with all zones are labeled ADMIN_LOW.
Each non-global zone has a unique label. Non-global zones are called labeled zones. Labeled zones are available to ordinary users. The global zone is available to roles only.
The Trusted Extensions policy for zones is different from Solaris policy. Trusted Extensions does not require a separate IP address per zone. However, all zones must have a single naming service. A single naming service provides all zones with a single set of users, UIDs, and GIDs.
Network communication is restricted by label. By default, zones cannot communicate with each other because their labels are different. The /export directory of a zone can be read by any zone whose label dominates the label of the /export directory.
Only system processes and roles are allowed to execute in the global zone. In certain cases, privileged processes in the global zone can be exempt from aspects of MAC policy. For example, system processes and roles that have the file_dac_search privilege and the file_dac_read privilege can access files that belong to labeled zones.
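The mount rules from the file system section (read-write at the zone's own label, read-only for lower labels, no mount of higher or disjoint labels) and the /export rule above (readable by any zone whose label dominates the owner) both reduce to label dominance. The following is an added example, not product code: it models a label as a classification level plus a compartment set, as a label_encodings file defines them, and applies those two rules. The label and compartment names are constructed for the example.

```python
"""Label dominance and the Trusted Extensions mount / read-down rules.

Added example, not code from Solaris Trusted Extensions.
"""
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class Label:
    name: str
    classification: int                       # higher number = more sensitive
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other: level at least as high and a superset of compartments."""
        return (self.classification >= other.classification
                and self.compartments >= other.compartments)

    def equals(self, other: "Label") -> bool:
        """Same label regardless of the display name."""
        return self.dominates(other) and other.dominates(self)

    def disjoint(self, other: "Label") -> bool:
        """Neither label dominates the other (incomparable compartments)."""
        return not self.dominates(other) and not other.dominates(self)


def mount_mode(zone: Label, fs: Label) -> str:
    """How a file system labeled `fs` may be mounted into a zone labeled `zone`.

    'rw'   : same label, the only case in which writing is allowed
    'ro'   : fs is strictly lower, so read-down is permitted but not write-up
    'deny' : fs is higher or disjoint; mounting it would permit a write-up
    """
    if zone.equals(fs):
        return "rw"
    if zone.dominates(fs):
        return "ro"
    return "deny"


def export_readable(reader: Label, owner: Label) -> bool:
    """A zone's /export is readable by any zone whose label dominates the owner's."""
    return reader.dominates(owner)


# Constructed labels (the default encodings ship PUBLIC and RESTRICTED; the
# compartments "A" and "B" and the numeric levels are invented for this example).
ADMIN_LOW = Label("ADMIN_LOW", 0)
PUBLIC = Label("PUBLIC", 1)
RESTRICTED = Label("RESTRICTED", 2)
RESTRICTED_A = Label("RESTRICTED A", 2, frozenset({"A"}))
RESTRICTED_B = Label("RESTRICTED B", 2, frozenset({"B"}))
ADMIN_HIGH = Label("ADMIN_HIGH", 255, frozenset({"A", "B"}))


if __name__ == "__main__":
    for zone in (PUBLIC, RESTRICTED_A, ADMIN_HIGH):
        for fs in (ADMIN_LOW, PUBLIC, RESTRICTED, RESTRICTED_B):
            print(f"{zone.name:13} <- {fs.name:13} {mount_mode(zone, fs)}")
```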
Privileges in Trusted Extensions are coded to correspond to their Solaris counterparts. Privileges in Solaris software are implemented differently from privileges in previous Trusted Solaris releases.
Basic privileges are implemented. For example, proc_exec and proc_info are basic privileges.
Basic privileges do not override security policy, but rather enable use of the system. Without the proc_exec privilege, a user cannot use the system.
Privileges are not file attributes. Therefore, there are no allowed or forced privileges.
Default and limit privileges can be assigned to the initial shell of a user or of a role.
Privileges are called by name, not by number.
Therefore, privilege numbers are not used in function calls or in the exec_attr file.
Privilege macros are not used and have been removed.
Privileges interact with zones. Some privileges can be used in the global zone only, so are not available to ordinary users.
For correspondences between Trusted Solaris privileges and Trusted Extensions privileges, see Table 1 in Appendix A, Interface Changes in the Solaris Trusted Extensions Release, Table 10, and New Interfaces in Trusted Extensions Software. For a complete list of privileges, see the privileges(5) man page.
The Solaris Trusted Extensions release adds the following privileges:
net_bindmlp – Allows a process to bind to multilevel ports.
net_mac_aware – Allows a process to communicate with peers at labels that are different from its own.
The Trusted Solaris command runpd has been replaced by the Solaris ppriv -d command. For details, see the ppriv(1) man page. For examples, see How to Determine Which Privileges a Program Requires in System Administration Guide: Security Services.
On a system that is configured with Trusted Extensions, most Solaris user commands work as the commands work in the Solaris OS. Some command options apply to Trusted Extensions software only. Trusted Extensions also adds user commands. For a complete list, see New Interfaces in Trusted Extensions Software, Table 2, and Table 3.
On a system that is configured with Trusted Extensions, system administration commands work as follows:
Most Solaris system administration commands work as the commands work in the Solaris OS, for example, add_drv and share.
Some command options apply to Trusted Extensions software only, such as the -R option to netstat.
Because NIS+ is not a supported naming service for a Trusted Extensions environment, NIS+ administration commands are not modified for this release.
Some commands that are familiar to a Trusted Solaris 8 administrator have been modified, such as chk_encodings. For the changes, see the man pages.
For links to the man pages, see Table 4 and New Interfaces in Trusted Extensions Software.
On a system that is configured with Trusted Extensions, most Trusted Solaris system calls have been replaced by Solaris system calls. Some system calls are extended in Trusted Extensions software. For a complete list, see Table 5 and New Interfaces in Trusted Extensions Software.
On a system that is configured with Trusted Extensions, some functions have been modified. Some changes are due to architectural changes in the product. Some changes are due to removal of nonstandard interfaces.
The library functions for privileges that were provided by Trusted Solaris software have been replaced by Solaris functions. Label functions that manipulate CMW labels have been removed. Some label functions have been changed to make label structures opaque. Other label functions have been replaced by new label functions that make label structures opaque. Customers are encouraged to use the new interfaces when developing label-aware code for their sites.
For a complete list, see Table 6 and New Interfaces in Trusted Extensions Software.
Databases and files have been reformatted to correspond to technical changes. Unneeded files have been removed. For the list, see Table 9 and New Interfaces in Trusted Extensions Software.
On a system that is configured with Trusted Extensions, all Trusted Solaris device interfaces, and kernel functions for drivers have been replaced by Solaris functions. For the list, see Table 11.
Trusted Extensions builds on Solaris software, and can restrict the use of some Solaris utilities. The differences affect users, administrators, and developers. Configuration options that are optional on a Solaris system can be required by Trusted Extensions. For example, roles are required to administer the system, and the Solaris Management Console is required to administer users, roles, profiles, and the network. Zones must be installed, and each zone must be assigned a unique label.
Solaris Trusted Extensions installs as a set of packages on a newly installed Solaris 10 system. The following installation practices should be followed:
Earlier Trusted Solaris releases cannot be upgraded to the current release.
The software cannot be installed on a Solaris system that is already configured with non-global zones.
Solaris Trusted Extensions supports a trusted version of the Sun Java Desktop System (Trusted JDS) as well as CDE. The Trusted CDE desktop continues to support the visible Trusted Solaris features, such as labels, the trusted stripe, the Device Allocation Manager, the Admin Editor, and so on.
New administrative actions in CDE 1.7 are modified for security on the Trusted Extensions desktop. Actions that are unique to Trusted Extensions are in the Trusted_Extensions folder.
The Style Manager should not be run from the Application Manager when Trusted Extensions is configured, because the Style Manager requires the trusted path. Run the Style Manager from the Front Panel and the Workspace menu, where the Style Manager has the trusted path.
The contents of the Trusted_Extensions folder in the Application Manager has changed. Actions to administer zones have been added. NIS+ actions have been removed.
As in the Trusted Solaris 8 2/04 release, the CDE Workspace Menu can be customized to add actions. For details, see How to Customize the CDE Workspace Menu in Solaris Trusted Extensions User’s Guide.
Trusted Extensions adds CDE actions to the objects that can be assigned security attributes in the exec_attr database. CDE actions can be constrained by label by customizing the Workspace Menu to include only actions that are relevant to a specific label. To customize the menu, see How to Customize the CDE Workspace Menu in Solaris Trusted Extensions User’s Guide.
Secure administration requires the use of GUIs that Trusted Extensions provides. Trusted Extensions provides actions in the Trusted_Extensions folder in CDE, a Device Allocation Manager, and the Solaris Management Console. Trusted Extensions adds tools and options to existing tools in the Solaris Management Console GUI. This GUI enables administrators to manage users, networks, zones, and other databases. After launching the Solaris Management Console, the administrator chooses a Trusted Extensions “toolbox”. The toolbox is a collection of programs. The administrator then uses the programs that are permitted to the role.
The Solaris OS provides three methods of managing devices: the Volume Manager (vold), logindevperm, and device allocation. As in the Trusted Solaris 8 releases, Trusted Extensions supports only device allocation. The Device Allocation Manager GUI is used to create an allocatable device. All devices that are allocated to a zone get deallocated when that zone shuts down, halts, or reboots. Device allocation can be done remotely or in shell scripts only from the global zone.
The allocate, deallocate, and list_devices commands do not work in labeled zones for roles or ordinary users. Users and roles must use the Device Allocation Manager GUI to allocate, deallocate, and list devices. Trusted Extensions adds the solaris.device.config authorization to configure devices.
To manage printers, use the Printer Administrator action in the System_Admin folder in the global zone. To limit the label range of a printer, use the Device Allocation Manager in the global zone.
Use the Solaris Management Console Devices and Hardware tool to manage serial lines and serial ports in the global zone. To limit the label range of removable media, use the Device Allocation Manager in the global zone.
The Solaris Trusted Extensions release adds privileged commands to the Device Security profile, and privileged actions to many profiles.
The Solaris Trusted Extensions release adds the following authorizations:
solaris.file.
solaris.label.
solaris.print.
solaris.smf.manage.labels
solaris.smf.manage.tnctl
solaris.smf.manage.tnd
solaris.smf.value.tnd
The Solaris Trusted Extensions release adds the following rights profiles:
All Actions
Basic Actions
Information Security
Object Label Management
Outside Accred
The Solaris Trusted Extensions release adds label authorizations and service management authorizations to the following rights profiles:
Maintenance and Repair
Printer Management
User Security
Network Management
Network Security
Together, the Information Security and the User Security rights profiles define the Security Administrator role.
The new interfaces in the Solaris Trusted Extensions release are listed in the following table by man page section number. The table includes some Solaris interfaces that perform critical functions for Trusted Extensions.
Only interfaces whose names have changed are included in the table. However, interfaces whose names have not changed might have different options or different functionality in this release. For a complete list, see Appendix A, Interface Changes in the Solaris Trusted Extensions Release.
Table 2 New Man Pages in Solaris Trusted Extensions Software

| Man Page | Note |
|---|---|
| | Replaces getsldname. |
| | Trusted Extensions network databases are added to the LDAP directory server. |
| | Solaris command replaces Trusted Solaris commands that handled privileges. |
| | Manages trusted network zone configuration database. |
| | Trusted Extensions adds the NET_MAC_AWARE flag. |
| | Gets sensitivity label of file. |
| | Trusted Extensions adds the NET_MAC_AWARE flag. |
| | Determines if the system is configured with Trusted Extensions. |
| | Works as in Solaris OS. Replaces getpeerinfo(). |
| | Works as in Solaris OS. Replaces get_priv_text(). |
| | ucred_getlabel() reads the label on a process. |
| | Describes the libtsnet() interfaces. |
| | Describes the libtsol() interfaces. |
| | Gets the label range of a device. |
| | Gets the full pathname. Replaces mldrealpathl(). |
| | Gets the sensitivity label of a process. |
| | Gets the label range of a user. |
| | Gets the ID of a zone. |
| | Gets the label of a zone. |
| | Gets the full pathname of a zone. |
| | Converts labels to strings. Replaces bcltobanner() and other interfaces. |
| | m_label() is a placeholder for the allocation, duplication, and free functions. |
| | Manages storage for opaque labels. |
| | Duplicates a label. |
| | Frees storage for opaque labels. |
| | Replaces setcmwlabel(). |
| | Converts labels to strings. Replaces stobsl() and stobclear(). |
| | Gets the host type of the specified hostname. |
| | Works as in Solaris OS. Replaces door_tcred(). |
| | Trusted Extensions adds the SO_MAC_EXEMPT option. |
| | Is the local configuration file for the global zone and labeled zones. |
| | Is the policy file for window behavior. Replaces config.privs. |
| | Describes label policy. |
| | Is the PAM module for account authentication. |
| | Contains descriptions of new privileges, net_bindmlp and net_mac_aware. |