The following sections summarize the components that remain, the components that have changed, and the components that have been removed in the change from Trusted Solaris to Solaris Trusted Extensions software.
In Trusted Extensions, the audit classes for X events have been collapsed from six classes to four classes. The xa class and the xl class are removed. Events that were assigned to the xa class are in the ot class. Events that were assigned to the xl class are in the lo class. The bit masks of the remaining X audit classes have been changed from their Trusted Solaris 8 masks.
0x00800000:xc:X - object create/destroy
0x00400000:xp:X - privileged/administrative operations
0x01000000:xs:X - operations that always silently fail, if bad
0x01c00000:xx:X - all X events (meta-class)
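The meta-class mask is simply the bitwise OR of the three remaining X class masks, which is the property an auditor checks after migrating an audit_class file. The following added example (not part of the Sun documentation) parses entries in the mask:name:description layout of audit_class(4) and verifies that xx covers xc, xp and xs, that the removed xa and xl classes are gone, and which classes a given event mask is preselected into. The four entries are copied from the text above; the stale Trusted Solaris 8 sample and its xa mask are constructed for illustration.

```python
# Added example: sanity-check migrated X audit classes (not from the Sun documentation).
# Entry layout follows audit_class(4): mask:name:description.

# The four Trusted Extensions X classes quoted in the text.
X_AUDIT_CLASSES = """\
0x00800000:xc:X - object create/destroy
0x00400000:xp:X - privileged/administrative operations
0x01000000:xs:X - operations that always silently fail, if bad
0x01c00000:xx:X - all X events (meta-class)
"""

# Constructed: a file still carrying a Trusted Solaris 8 class (the xa mask is a placeholder).
STALE_TS8_CLASSES = X_AUDIT_CLASSES + "0x00100000:xa:X - (constructed Trusted Solaris 8 entry)\n"


def parse_audit_classes(text):
    """Return {class_name: mask} from mask:name:description lines; comments and blanks are skipped."""
    classes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mask, name, _description = line.split(":", 2)
        classes[name] = int(mask, 16)
    return classes


def meta_class_covers(classes, meta="xx", members=("xc", "xp", "xs")):
    """True when the meta-class mask is exactly the union of its member masks."""
    union = 0
    for member in members:
        union |= classes[member]
    return classes[meta] == union


def removed_classes_present(classes, removed=("xa", "xl")):
    """Names of Trusted Solaris 8 X classes that should no longer appear."""
    return [name for name in removed if name in classes]


def uncovered_x_classes(classes, meta="xx"):
    """X classes whose mask bits are not all inside the meta-class (a stale entry shows up here)."""
    return sorted(name for name, mask in classes.items()
                  if name != meta and name.startswith("x") and mask & ~classes[meta])


def classes_for_event_mask(classes, event_mask):
    """Classes an event with the given class mask is preselected into (any overlapping bit)."""
    return sorted(name for name, mask in classes.items() if mask & event_mask)


if __name__ == "__main__":
    current = parse_audit_classes(X_AUDIT_CLASSES)
    print("xx covers xc|xp|xs:", meta_class_covers(current))
    stale = parse_audit_classes(STALE_TS8_CLASSES)
    print("stale classes:", removed_classes_present(stale), "uncovered:", uncovered_x_classes(stale))
```

Run the checks against the X section of a migrated /etc/security/audit_class; a non-empty result from removed_classes_present or uncovered_x_classes means the file still carries Trusted Solaris 8 definitions.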
In Trusted Extensions, the allocate and deallocate commands are only available to TCB (Trusted Computing Base) processes that run in the global zone. Ordinary users must use the Device Manager GUI to allocate and deallocate devices.
Trusted Extensions device policy uses the Solaris getdevpolicy and update_drv interfaces. The Trusted Solaris 8 device policies: data_mac_policy, attr_mac_policy, open_priv, and str_type have been removed.
Trusted Extensions provides no explicit mount attributes for specifying labels. The label of a mounted filesystem is the same as the label that is associated with the owning host or owning zone. Writing up is not permitted. Writing up is prevented by disallowing mounts of higher-labeled or disjointly labeled filesystems. Reading down is permitted. Reading down is enforced by restricting mounts of lower-labeled filesystems to be read-only.
The Trusted Extensions implementation for specifying security attributes on file systems follows the Solaris implementation. Therefore, files do not have forced privileges or allowed privileges. This implementation enables Trusted Extensions to support any file system that is supported by Solaris zones.
File relabeling is implemented by moving a file from one mounted file system to another file system.
As in the Trusted Solaris releases, Trusted Extensions provides a label_encodings file. Labels, label ranges, clearances, and defaults are defined in the label_encodings file.
In Trusted Extensions, the label_encodings file that is installed by default defines commercial labels, such as RESTRICTED and PUBLIC. In Trusted Solaris releases, the default label encodings file, label_encodings.multi, was a version of a U.S. Government encodings file.
In the Label Builder, labels are shown in long form instead of in short form. When choosing a session clearance or workspace label, Trusted Path is used instead of Admin Low or Admin High.
In Solaris Trusted Extensions, the label APIs that showed the internals of a label's structure are now obsolete. These label APIs have been replaced by the label_to_str() and str_to_label() functions. For the interfaces that are obsolete, and their replacement functions, see Table 7.
Also, CMW labels have been replaced by sensitivity labels. All CMW and IL (information label) interfaces have been removed.
In the Solaris Trusted Extensions release, each zone has an independent instance of sendmail. Therefore, mail cannot be upgraded. Users can send mail and can receive mail only at the label of the user's workspace.
Solaris Trusted Extensions uses LDAP as a naming service. In Trusted Extensions, NIS and NIS+ do not support the tnrhdb and tnrhtp databases. These naming services do not have a proxy server that can bind to a multilevel port (MLP). Therefore, the trusted networking databases cannot be reached from multiple zones concurrently.
Except for user passwords, LDAP data is considered public information. Therefore, any information in LDAP is not protected by a MAC policy. Instead, as in the Solaris OS, data is protected by an administrative policy. LDAP administrative policy is based on LDAP identities and passwords. When sensitivity labels are assigned as attributes of users and network endpoints, the labels are stored in an internal format. This format does not disclose classified information.
When an LDAP server is deployed as the naming service within a Trusted Extensions environment, the server must be configured to bind to a multilevel port (MLP) in the global zone.
Trusted Extensions can also be configured to rely on an existing LDAP infrastructure. In this case, an LDAP proxy server must be installed. This proxy server must be configured to bind to an MLP in the global zone of a system that is configured with Trusted Extensions. This Trusted Extensions system can then proxy multilevel requests from other zones and other hosts to the existing unlabeled LDAP server. The unlabeled server must be assigned the admin_low template in the tnrhdb of the proxy server.
To migrate NIS+ tables to LDAP entries, see the following man pages:
In the Solaris OS, named pipes are used as one-way conduits. In Trusted Extensions, named pipes permit write-up operations. The writer runs at a lower label than the reader's dominant label. In Trusted Solaris 8, named pipes were configured by upgrading the label of the FIFO to the reader's label. In Trusted Extensions, named pipes are configured by using read-only lofs mounts of directories in lower-level zones into dominant higher-level zones. The FIFO is created at the label of the zone of the writer. For more information, see the mkfifo(1M) man page.
Trusted Extensions does not support the TSIX or TSOL networking protocols. Trusted Extensions defines CIPSO-labeled templates and unlabeled templates in the tnrhtp database. The label ADMIN_HIGH is used as an upper bound, but is never transmitted as a CIPSO label. For more information, see Zones in Trusted Extensions.
The format of the tnrhtp database has been simplified because process attributes like privileges, user ids, and group ids are no longer supported. The format of the tnrhdb database is unchanged. The tnzonecfg database replaces the tnidb database, although the two databases are not equivalent.
The /etc/security/tsol/tnrhtp file that is installed with the Solaris Trusted Extensions release contains templates that can be used with any label_encodings file. The following table shows the correspondences between earlier versions of tnrhtp and the version that is shipped with the Solaris Trusted Extensions release.
Table 1 Template Names in the Trusted Solaris 8 and Solaris Trusted Extensions Releases

| Trusted Solaris Template Name | Trusted Extensions Name | Note |
|---|---|---|
| cipso | cipso | For labeled hosts |
| unlab | admin_low | For unlabeled hosts |
| tsol, tsol_cipso, tsix | None | Use cipso template |
| tsol_ripso, ripso_top_secret | None | Removed |
Network communication is restricted by label. By default, zones cannot communicate with each other because their labels are different.
Packets from unlabeled hosts that originate outside a Trusted Extensions domain can be labeled for trusted routing through the secure domain to another host outside the domain by using IP options. Incoming packets are labeled according to their originating host's entry in the tnrhdb. Incoming packets are routed through the Trusted Extensions domain according to their sensitivity level and the trusted routing information. The sensitivity label is still carried in the IP option. The label is stripped when the packet exits the trusted domain. IPv6 now supports trusted routing.
Dynamic routing is not supported. Static routing is supported.
Trusted Extensions software does not require special packaging attributes. Therefore, the tsolinfo file is no longer used.
The PAM module for Trusted Extensions, pam_tsol_account.so.1, has only one module type and one function. The module is of type account, and the function checks the label range. The module has no options. No other Trusted Extensions-specific functions of PAM from Trusted Solaris 8 software are included in this release.
If a PAM stack for account in the Trusted Solaris 8 release did not have label_check_on in pam_tsol.so.1, then you do not need to add pam_tsol_account.so.1 to the corresponding stack in the Solaris Trusted Extensions release.
If a PAM stack for account in the Trusted Solaris 8 release did have label_check_on in pam_tsol.so.1, then the corresponding stack in the Solaris Trusted Extensions release should use pam_tsol_account.so.1 in the same place in the stack with no switches.
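The two rules above amount to a mechanical rewrite of the account stacks in pam.conf. The following added example (not part of the Sun documentation) applies them: an account entry for pam_tsol.so.1 that carries label_check_on becomes pam_tsol_account.so.1 at the same position with no options; an entry without label_check_on gets no pam_tsol_account.so.1 line, and because no other pam_tsol.so.1 function is carried into Trusted Extensions the example drops that entry (this drop is the example's own choice, not a rule from the text). The sample pam.conf lines are constructed; field order is that of pam.conf(4).

```python
# Added example: migrate Trusted Solaris 8 'account' stacks to pam_tsol_account.so.1
# (not from the Sun documentation). pam.conf(4) fields:
#   service_name module_type control_flag module_path [options]

OLD_MODULE = "pam_tsol.so.1"          # Trusted Solaris 8 module
NEW_MODULE = "pam_tsol_account.so.1"  # Trusted Extensions module, account type only, no options
LABEL_CHECK_OPTION = "label_check_on"

# Constructed sample: 'login' checks labels, 'dtlogin' does not, 'other' never used pam_tsol.
TS8_PAM_CONF = """\
# constructed Trusted Solaris 8 style stacks
login   account requisite   pam_roles.so.1
login   account required    pam_unix_account.so.1
login   account required    pam_tsol.so.1 label_check_on
dtlogin account requisite   pam_roles.so.1
dtlogin account required    pam_unix_account.so.1
dtlogin account required    pam_tsol.so.1
other   account required    pam_unix_account.so.1
login   auth    required    pam_unix_auth.so.1
"""


def parse_pam_line(line):
    """Split a pam.conf entry into (service, type, flag, module, options); None for comments/blanks."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) < 4:
        return None
    service, module_type, control_flag, module = fields[:4]
    return service, module_type, control_flag, module, fields[4:]


def migrate_account_stacks(text):
    """Return (migrated_text, report); report maps service -> 'replaced' or 'dropped'."""
    out, report = [], {}
    for line in text.splitlines():
        entry = parse_pam_line(line)
        if entry is None:
            out.append(line)
            continue
        service, module_type, control_flag, module, options = entry
        if module_type == "account" and module == OLD_MODULE:
            if LABEL_CHECK_OPTION in options:
                # Same place in the stack, same control flag, no switches.
                out.append(f"{service}\t{module_type}\t{control_flag}\t{NEW_MODULE}")
                report[service] = "replaced"
            else:
                # No label check was configured: nothing is added, old entry dropped (assumption).
                report[service] = "dropped"
            continue
        out.append(line)
    return "\n".join(out) + "\n", report


def account_stack(text, service):
    """Ordered module list of one service's account stack, to confirm positions are preserved."""
    entries = (parse_pam_line(line) for line in text.splitlines())
    return [e[3] for e in entries if e and e[0] == service and e[1] == "account"]


def leftover_old_entries(text):
    """Services whose stacks still reference the Trusted Solaris 8 module."""
    entries = (parse_pam_line(line) for line in text.splitlines())
    return sorted({e[0] for e in entries if e and e[3] == OLD_MODULE})


if __name__ == "__main__":
    migrated, report = migrate_account_stacks(TS8_PAM_CONF)
    print(migrated)
    print(report, "leftover:", leftover_old_entries(migrated))
```

After migrating a real file, leftover_old_entries should be empty and every account stack that previously checked labels should show pam_tsol_account.so.1 in the position pam_tsol.so.1 occupied.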
Trusted Extensions adds the allow_unlabeled option to PAM services. Together with the allow_remote option, administrators can manage headless systems remotely. For details, see the pam_roles(5) and pam_tsol_account(5) man pages.
PAM stacks for other module types should be used in the same manner for Trusted Extensions as for the Solaris OS. For more information, see the pam(3PAM) and pam.conf(4) man pages.
In Trusted Extensions, a process's clearance is the same as its sensitivity label. Write up is not supported.
There is no administrative distinction between ADMIN_HIGH and ADMIN_LOW workspaces. Therefore, such workspaces are displayed as Trusted Path.
The tsol policy in the exec_attr file is removed. Use the solaris policy.
Trusted Extensions supports both single-level and multilevel printing. Multilevel printing is implemented in the global zone only. The global zone must have its own IP address to be a multilevel print service. To use the global zone's print server, a labeled zone must have a separate IP address from the global zone.
Only multilevel printers have a label range. A printer's label range can be restricted with the Device Allocation Manager.
In Trusted Solaris releases, banner and trailer pages were enabled by default. In Trusted Extensions, administrators run a printer model script to add banner and trailer pages with security information to a printer.
lpadmin -p printer -m printer-model-script
Trusted Extensions adds four printer model scripts: tsol_standard, tsol_netstandard, tsol_standard_foomatic, and tsol_netstandard_foomatic.
The Solaris Management Console is no longer a multilevel service. The Solaris Management Console can only be contacted by clients that are running at the same label as the server. For most Trusted Extensions administration, access to the global zone is required. Because ordinary users are not permitted to log in to the global zone, only roles that are cleared for all labels can connect to the Solaris Management Console in the global zone.
The login sequence is slightly different, and a new dialog box, Last Login, contains security information for the login user. The Shutdown menu item has been replaced with the Suspend System menu item, which checks for user authorization, then runs the sys-suspend command.
The System_Admin folder has been renamed to the Trusted_Extensions folder.
The CDE actions in the Trusted_Extensions folder have been updated. The NIS+ actions have been removed. Actions for administering LDAP and labeled zones have been added.
Trusted Extensions uses zones for labeling. The global zone is an administrative zone, so is not available to users. The global zone is multilevel. The networking label of the global zone is ADMIN_LOW, but its process label is ADMIN_HIGH. Files that are private to the global zone are also labeled ADMIN_HIGH. Files that are shared with all zones are labeled ADMIN_LOW.
Each non-global zone has a unique label. Non-global zones are called labeled zones. Labeled zones are available to ordinary users. The global zone is available to roles only.
The Trusted Extensions policy for zones is different from Solaris policy. Trusted Extensions does not require a separate IP address per zone. However, all zones must have a single naming service. A single naming service provides all zones with a single set of users, UIDs, and GIDs.
The /export directory of a zone can be read by any zone whose label dominates the label of the /export directory.
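Three rules on this page follow from one dominance relation: a file system may be mounted read-write only at its own label and read-only only when the mounting zone dominates it (higher-labeled or disjoint file systems are refused), a FIFO may be written up only when the reader's label dominates the writer's, and a zone's /export is readable by any zone that dominates it. The following added example (not part of the Sun documentation) models that relation with constructed labels: a classification rank plus a compartment set, with ADMIN_LOW and ADMIN_HIGH as the bottom and top of the lattice. PUBLIC and RESTRICTED echo the default commercial encodings named above; the compartmented RESTRICTED A and RESTRICTED B labels are constructed to show the disjoint case. All function names are assumptions.

```python
# Added example: label dominance and the Trusted Extensions mount, FIFO and /export
# rules (not from the Sun documentation). Labels here are a constructed model, not
# the label_encodings format.
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    name: str
    classification: int                  # higher rank dominates lower rank
    compartments: frozenset = frozenset()
    admin_high: bool = False             # ADMIN_HIGH dominates every label

    def dominates(self, other):
        """self >= other: classification at least as high and compartments a superset."""
        if self.admin_high:
            return True
        if other.admin_high:
            return False
        return (self.classification >= other.classification
                and self.compartments >= other.compartments)


# Constructed lattice.
ADMIN_LOW = Label("ADMIN_LOW", 0)                 # dominated by everything
ADMIN_HIGH = Label("ADMIN_HIGH", 0, admin_high=True)
PUBLIC = Label("PUBLIC", 1)
RESTRICTED = Label("RESTRICTED", 2)
RESTRICTED_A = Label("RESTRICTED A", 2, frozenset({"A"}))
RESTRICTED_B = Label("RESTRICTED B", 2, frozenset({"B"}))


def mount_mode(zone_label, fs_label):
    """'rw' at the same label, 'ro' for a dominated (lower) file system, else 'refused'."""
    if zone_label == fs_label:
        return "rw"
    if zone_label.dominates(fs_label):
        return "ro"                      # read down only
    return "refused"                     # write up (higher) or disjoint: no mount at all


def fifo_write_up_allowed(writer_label, reader_label):
    """A FIFO write-up is allowed only when the reader's label dominates the writer's."""
    return reader_label.dominates(writer_label)


def export_readable_by(owner_label, zone_labels):
    """Zones that may read /export of the owning zone: those whose label dominates it."""
    return [z.name for z in zone_labels if z.dominates(owner_label)]


if __name__ == "__main__":
    for zone, fs in [(RESTRICTED, PUBLIC), (PUBLIC, RESTRICTED), (RESTRICTED_A, RESTRICTED_B)]:
        print(f"{zone.name} mounting {fs.name}: {mount_mode(zone, fs)}")
    print("/export of PUBLIC readable by:",
          export_readable_by(PUBLIC, [ADMIN_LOW, PUBLIC, RESTRICTED, RESTRICTED_A, ADMIN_HIGH]))
```

The disjoint case is the one that catches people: RESTRICTED A and RESTRICTED B share a classification, yet neither dominates the other, so a mount between them is refused rather than made read-only.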
Only system processes and roles are allowed to execute in the global zone. In certain cases, privileged processes in the global zone can be exempt from aspects of MAC policy. For example, system processes and roles that have the file_dac_search privilege and the file_dac_read privilege can access files which belong to labeled zones.
Privileges in Trusted Extensions are coded to correspond to their Solaris counterparts. Privileges in Solaris software are implemented differently from privileges in previous Trusted Solaris releases.
Basic privileges are implemented. For example, proc_exec and proc_info are basic privileges.
Basic privileges do not override security policy, but rather enable use of the system. Without the proc_exec privilege, a user cannot use the system.
Privileges are not file attributes. Therefore, there are no allowed or forced privileges.
Default and limit privileges can be assigned to the initial shell of a user or of a role.
Privileges are called by name, not by number.
Therefore, privilege numbers are not used in function calls or in the exec_attr file.
Privilege macros are not used and have been removed.
Privileges interact with zones. Some privileges can be used in the global zone only, so are not available to ordinary users.
For correspondences between Trusted Solaris privileges and Trusted Extensions privileges, see Table 1 in Appendix A, Interface Changes in the Solaris Trusted Extensions Release, Table 10, and New Interfaces in Trusted Extensions Software. For a complete list of privileges, see the privileges(5) man page.
The Solaris Trusted Extensions release adds the following privileges:
net_bindmlp – Allows a process to bind to multilevel ports.
net_mac_aware – Allows a process to communicate with peers at labels that are different from its own.
The Trusted Solaris command runpd has been replaced by the Solaris ppriv -d command. For details, see the ppriv(1) man page. For examples, see How to Determine Which Privileges a Program Requires in System Administration Guide: Security Services.
On a system that is configured with Trusted Extensions, most Solaris user commands work as the commands work in the Solaris OS. Some command options apply to Trusted Extensions software only. Trusted Extensions also adds user commands. For a complete list, see New Interfaces in Trusted Extensions Software, Table 2, and Table 3.
On a system that is configured with Trusted Extensions, system administration commands work as follows:
Most Solaris system administration commands work as the commands work in the Solaris OS, for example, add_drv and share.
Some command options apply to Trusted Extensions software only, such as the -R option to netstat.
Because NIS+ is not a supported naming service for a Trusted Extensions environment, NIS+ administration commands are not modified for this release.
Some commands that are familiar to a Trusted Solaris 8 administrator have been modified, such as chk_encodings. For the changes, see the man pages.
For links to the man pages, see Table 4 and New Interfaces in Trusted Extensions Software.
On a system that is configured with Trusted Extensions, most Trusted Solaris system calls have been replaced by Solaris system calls. Some system calls are extended in Trusted Extensions software. For a complete list, see Table 5 and New Interfaces in Trusted Extensions Software.
On a system that is configured with Trusted Extensions, some functions have been modified. Some changes are due to architectural changes in the product. Some changes are due to removal of nonstandard interfaces.
The library functions for privileges that were provided by Trusted Solaris software have been replaced by Solaris functions. Label functions that manipulate CMW labels have been removed. Some label functions have been changed to make label structures opaque. Other label functions have been replaced by new label functions that make label structures opaque. Customers are encouraged to use the new interfaces when developing label-aware code for their sites.
For a complete list, see Table 6 and New Interfaces in Trusted Extensions Software.
Databases and files have been reformatted to correspond to technical changes. Unneeded files have been removed. For the list, see Table 9 and New Interfaces in Trusted Extensions Software.
On a system that is configured with Trusted Extensions, all Trusted Solaris device interfaces, and kernel functions for drivers have been replaced by Solaris functions. For the list, see Table 11.