Solaris Trusted Extensions Transition Guide

Networking in Trusted Extensions

Trusted Extensions does not support the TSIX or TSOL networking protocols. Trusted Extensions defines CIPSO-labeled templates and unlabeled templates in the tnrhtp database. The label ADMIN_HIGH is used as an upper bound, but is never transmitted as a CIPSO label. For more information, see Zones in Trusted Extensions.

The format of the tnrhtp database has been simplified because process attributes like privileges, user ids, and group ids are no longer supported. The format of the tnrhdb database is unchanged. The tnzonecfg database replaces the tnidb database, although the two databases are not equivalent.

The /etc/security/tsol/tnrhtp file that is installed with the Solaris Trusted Extensions release contains templates that can be used with any label_encodings file. The following table shows the correspondences between earlier versions of tnrhtp and the version that is shipped with the Solaris Trusted Extensions release.

Table 1 Template Names in the Trusted Solaris 8 and Solaris Trusted Extensions Releases

Trusted Solaris Template Name     Trusted Extensions Name     Note
cipso                             cipso                       For labeled hosts
unlab                             admin_low                   For unlabeled hosts
tsol, tsol_cipso, tsix            None                        Use cipso template
tsol_ripso, ripso_top_secret      None                        Removed

Network communication is restricted by label. By default, zones cannot communicate with each other because their labels are different.

Packets from unlabeled hosts that originate outside a Trusted Extensions domain can be labeled for trusted routing through the secure domain to another host outside the domain by using IP options. Incoming packets are labeled according to their originating host's entry in the tnrhdb. Incoming packets are routed through the Trusted Extensions domain according to their sensitivity level and the trusted routing information. The sensitivity label is still carried in the IP option. The label is stripped when the packet exits the trusted domain. IPv6 now supports trusted routing.
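The lookup described above (source host, through its tnrhdb entry, to a tnrhtp template, and from there to the label a packet is assigned or checked against) can be illustrated in a few dozen lines. The following is an added example, not code or data from the Solaris Trusted Extensions release: the tnrhtp and tnrhdb contents are constructed, the key=value template syntax (host_type, doi, def_label, min_sl, max_sl) is assumed from the Solaris 10 Trusted Extensions database formats rather than taken from this page, and labels are modelled as a single linear rank, which simplifies real label dominance (classification plus compartments). It applies the page's rules: an unlabeled host's packets receive the template's default label, a cipso host's packets must carry a label within the template's range, and ADMIN_HIGH is never accepted as a transmitted CIPSO label.

```python
"""Resolve a source address to its Trusted Extensions template and packet label.

Added illustration. The database contents below are constructed, and the
template attribute syntax is assumed from the Solaris 10 tnrhtp format.
"""
import ipaddress

# Constructed linear label ordering; ADMIN_LOW and ADMIN_HIGH bound all others.
LABEL_RANK = {"ADMIN_LOW": 0, "PUBLIC": 1, "CONFIDENTIAL": 2, "ADMIN_HIGH": 3}

TNRHTP = """\
# constructed tnrhtp: one template per line, name:key=value;key=value;...
cipso:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;
admin_low:host_type=unlabeled;doi=1;def_label=ADMIN_LOW;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;
public_only:host_type=unlabeled;doi=1;def_label=PUBLIC;min_sl=PUBLIC;max_sl=PUBLIC;
"""

TNRHDB = """\
# constructed tnrhdb: address or prefix, then the template name
10.1.0.0/16:cipso
10.1.5.0/24:public_only
0.0.0.0/0:admin_low
"""


def parse_tnrhtp(text):
    """Map template name -> dict of its attributes."""
    templates = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, body = line.partition(":")
        attrs = dict(kv.split("=", 1) for kv in body.split(";") if kv)
        templates[name] = attrs
    return templates


def parse_tnrhdb(text):
    """List of (network, template name); rpartition keeps IPv6 colons intact."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, tmpl = line.rpartition(":")
        entries.append((ipaddress.ip_network(addr, strict=False), tmpl))
    return entries


def lookup_template(ip, entries):
    """Longest-prefix match: the most specific tnrhdb entry wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, tmpl in entries:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, tmpl)
    return best[1] if best else None


def label_incoming(ip, cipso_label=None, tnrhtp=TNRHTP, tnrhdb=TNRHDB):
    """Label a packet from ip per its template, or return None if it is rejected."""
    templates = parse_tnrhtp(tnrhtp)
    name = lookup_template(ip, parse_tnrhdb(tnrhdb))
    if name is None or name not in templates:
        return None  # no tnrhdb entry or dangling template reference
    t = templates[name]
    lo, hi = LABEL_RANK[t["min_sl"]], LABEL_RANK[t["max_sl"]]
    if t["host_type"] == "unlabeled":
        # Unlabeled hosts: any carried option is ignored, def_label is assigned.
        label = t["def_label"]
    else:
        # cipso hosts must carry a recognised label; ADMIN_HIGH is never on the wire.
        if cipso_label is None or cipso_label not in LABEL_RANK:
            return None
        if cipso_label == "ADMIN_HIGH":
            return None
        label = cipso_label
    if not lo <= LABEL_RANK[label] <= hi:
        return None  # outside the template's accreditation range
    return label


if __name__ == "__main__":
    for ip, opt in [("10.1.5.7", None), ("10.1.9.9", "CONFIDENTIAL"),
                    ("10.1.9.9", None), ("10.1.9.9", "ADMIN_HIGH"), ("192.0.2.1", None)]:
        print(ip, opt, "->", label_incoming(ip, opt))
```

The 10.1.5.0/24 entry is deliberately nested inside 10.1.0.0/16 to show that the more specific tnrhdb entry decides which template applies, and the public_only template shows a range narrower than ADMIN_LOW to ADMIN_HIGH.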

Dynamic routing is not supported. Static routing is supported.