Solaris Trusted Extensions Transition Guide

Differences Between Trusted Solaris 8 Software and Solaris Trusted Extensions

The following sections summarize the components that remain, the components that have changed, and the components that have been removed in the change from Trusted Solaris to Solaris Trusted Extensions software.

Audit Events and Classes in Trusted Extensions

In Trusted Extensions, the audit classes for X events have been collapsed from six classes to four classes. The xa class and the xl class are removed. Events that were assigned to the xa class are in the ot class. Events that were assigned to the xl class are in the lo class. The bit masks of the remaining X audit classes have been changed from their Trusted Solaris 8 masks.


0x00800000:xc:X - object create/destroy
0x00400000:xp:X - privileged/administrative operations
0x01000000:xs:X - operations that always silently fail, if bad
0x01c00000:xx:X - all X events (meta-class

Device Management in Trusted Extensions

In Trusted Extensions, the allocate and deallocate commands are only available to TCB (Trusted Computing Base) processes that run in the global zone. Ordinary users must use the Device Manager GUI to allocate and deallocate devices.

Trusted Extensions device policy uses the Solaris getdevpolicy and update_drv interfaces. The Trusted Solaris 8 device policies: data_mac_policy, attr_mac_policy, open_priv, and str_type have been removed.

Files and File System Mounting in Trusted Extensions

Trusted Extensions provides no explicit mount attributes for specifying labels. The label of a mounted filesystem is the same as the label that is associated with the owning host or owning zone. Writing up is not permitted. Writing up is prevented by disallowing mounts of higher-labeled or disjointly labeled filesystems. Reading down is permitted. Reading down is enforced by restricting mounts of lower-labeled filesystems to be read-only.

The Trusted Extensions implementation for specifying security attributes on file systems follows the Solaris implementation. Therefore, files do not have forced privileges or allowed privileges. This implementation enables Trusted Extensions to support any file system that is supported by Solaris zones.

File relabeling is implemented by moving a file from one mounted file system to another file system.

Labels in Trusted Extensions

As in the Trusted Solaris releases, Trusted Extensions provides a label_encodings file. Labels, label ranges, clearances, and defaults are defined in the label_encodings file.

In Trusted Extensions, the label_encodings file that is installed by default defines commercial labels, such as RESTRICTED and PUBLIC. In Trusted Solaris releases, the default label encodings file, label_encodings.multi, was a version of a U.S. Government encodings file.

In the Label Builder, labels are shown in long form instead of in short form. When choosing a session clearance or workspace label, Trusted Path is used instead of Admin Low or Admin High.

Label APIs in Trusted Extensions

In Solaris Trusted Extensions, the label APIs that showed the internals of a label's structure are now obsolete. These label APIs have been replaced by the label_to_str() and str_to_label() functions. For the interfaces that are obsolete, and their replacement functions, see Table 7.

Also, CMW labels have been replaced by sensitivity labels. All CMW and IL (information label) interfaces have been removed.

Mail in Trusted Extensions

In the Solaris Trusted Extensions release, each zone has an independent instance of sendmail. Therefore, mail cannot be upgraded. Users can send mail and can receive mail only at the label of the user's workspace.

LDAP Naming Service in Trusted Extensions

Solaris Trusted Extensions uses LDAP as a naming service. In Trusted Extensions, NIS and NIS+ do not support the tnrhdb and tnrhtp databases. These naming services do not have a proxy server that can bind to a multilevel port (MLP). Therefore, the trusted networking databases cannot be reached from multiple zones concurrently.

Except for user passwords, LDAP data is considered public information. Therefore, any information in LDAP is not protected by a MAC policy. Instead, as in the Solaris OS, data is protected by an administrative policy. LDAP administrative policy is based on LDAP identities and passwords. When sensitivity labels are assigned as attributes of users and network endpoints, the labels are stored in an internal format. This format does not disclose classified information.

When an LDAP server is deployed as the naming service within a Trusted Extensions environment, the server must be configured to bind to a multilevel port (MLP) in the global zone.

Trusted Extensions can also be configured to rely on an existing LDAP infrastructure. In this case, an LDAP proxy server must be installed. This proxy server must be configured to bind to an MLP in the global zone of a system that is configured with Trusted Extensions. This Trusted Extensions system can then proxy multilevel requests from other zones and other hosts to the existing unlabeled LDAP server. The unlabeled server must be assigned the admin_low template in the tnrhdb of the proxy server.

To migrate NIS+ tables to LDAP entries, see the following man pages:

Named Pipes in Trusted Extensions

In the Solaris OS, named pipes are used as one-way conduits. In Trusted Extensions, named pipes permit write-up operations. The writer runs at a lower label than the reader's dominant label. In Trusted Solaris 8, named pipes were configured by upgrading the label of the FIFO to the reader's label. In Trusted Extensions, named pipes are configured by using read-only lofs mounts of directories in lower-level zones into dominant higher-level zones. The FIFO is created at the label of the zone of the writer. For more information, see the mkfifo(1M) man page.

Networking in Trusted Extensions

Trusted Extensions does not support the TSIX or TSOL networking protocols. Trusted Extensions defines CIPSO-labeled templates and unlabeled templates in the tnrhtp database. The label ADMIN_HIGH is used as an upper bound, but is never transmitted as a CIPSO label. For more information, see Zones in Trusted Extensions.

The format of the tnrhtp database has been simplified because process attributes like privileges, user ids, and group ids are no longer supported. The format of the tnrhdb database is unchanged. The tnzonecfg database replaces the tnidb database, although the two databases are not equivalent.

The /etc/security/tsol/tnrhtp file that is installed with the Solaris Trusted Extensions release contains templates that can be used with any label_encodings file. The following table shows the correspondences between earlier versions of tnrhtp and the version that is shipped with the Solaris Trusted Extensions release.

Table 1 Template Names in the Trusted Solaris 8 and Solaris Trusted Extensions Releases

Trusted Solaris Template Name 

Trusted Extensions Name 

Note 

cipso

cipso

For labeled hosts 

unlab

admin_low

For unlabeled hosts 

tsol, tsol_cipso, tsix

None 

Use cipso template

tsol_ripso, ripso_top_secret

None 

Removed 

Network communication is restricted by label. By default, zones cannot communicate with each other because their labels are different.

Packets from unlabeled hosts that originate outside a Trusted Extensions domain can be labeled for trusted routing through the secure domain to another host outside the domain by using IP options. Incoming packets are labeled according to their originating host's entry in the tnrhdb. Incoming packets are routed through the Trusted Extensions domain according to their sensitivity level and the trusted routing information. The sensitivity label is still carried in the IP option. The label is stripped when the packet exits the trusted domain. IPv6 now supports trusted routing.

Dynamic routing is not supported. Static routing is supported.

Packaging in Trusted Extensions

Trusted Extensions software does not require special packaging attributes. Therefore, the tsolinfo file is no longer used.

PAM in Trusted Extensions

The PAM module for Trusted Extensions, pam_tsol_account.so.1, has only one module type and one function. The module is of type account, and the function checks the label range. The module has no options. No other Trusted Extensions-specific functions of PAM from Trusted Solaris 8 software are included in this release.

Trusted Extensions adds the allow_unlabeled option to PAM services. Together with the allow_remote option, administrators can manage headless systems remotely. For details, see the pam_roles(5) and pam_tsol_account(5) man pages.

PAM stacks for other module types should be used in the same manner for Trusted Extensions as for the Solaris OS. For more information, see the pam(3PAM) and pam.conf(4) man pages.

Policy in Trusted Extensions

In Trusted Extensions, a process' clearance is the same as its sensitivity label. Write up is not supported.

There is no administrative distinction between ADMIN_HIGH and ADMIN_LOW workspaces. Therefore, such workspaces are displayed as Trusted Path.

The tsol policy in the exec_attr file is removed. Use the solaris policy.

Printing in Trusted Extensions

Trusted Extensions supports both single-level and multilevel printing. Multilevel printing is implemented in the global zone only. The global zone must have its own IP address to be a multilevel print service. To use the global zone's print server, a labeled zone must have a separate IP address from the global zone.

Only multilevel printers have a label range. A printer's label range can be restricted with the Device Allocation Manager.

In Trusted Solaris releases, banner and trailer pages were enabled by default. In Trusted Extensions, administrators run a printer model script to add banner and trailer pages with security information to a printer.


lpadmin -p printer -m printer-model-script

Trusted Extensions adds four printer model scripts: tsol_standard, tsol_netstandard, tsol_standard_foomatic, and tsol_netstandard_foomatic.

Solaris Management Console in Trusted Extensions

The Solaris Management Console is no longer a multilevel service. The Solaris Management Console can only be contacted by clients that are running at the same label as the server. For most Trusted Extensions administration, access to the global zone is required. Because ordinary users are not permitted to log in to the global zone, only roles that are cleared for all labels can connect to the Solaris Management Console in the global zone.

Window System and CDE in Trusted Extensions

The login sequence is slightly different, and a new dialog box, Last Login, contains security information for the login user. The Shutdown menu item has been replaced with the Suspend System menu item, which checks for user authorization, then runs the sys-suspend command.

The System_Admin folder has been renamed to the Trusted_Extensions folder.

The CDE actions in the Trusted_Extensions folder have been updated. The NIS+ actions have been removed. Actions for administering LDAP and labeled zones have been added.

Zones in Trusted Extensions

Trusted Extensions uses zones for labeling. The global zone is an administrative zone, so is not available to users. The global zone is multilevel. The networking label of the global zone is ADMIN_LOW, but its process label is ADMIN_HIGH. Files that are private to the global zone are also labeled ADMIN_HIGH. Files that are shared with all zones are labeled ADMIN_LOW.

Each non-global zone has a unique label. Non-global zones are called labeled zones. Labeled zones are available to ordinary users. The global zone is available to roles only.

The Trusted Extensions policy for zones is different from Solaris policy. Trusted Extensions does not require a separate IP address per zone. However, all zones must have a single naming service. A single naming service provides all zones with a single set of users, UIDs, and GIDs.

Network communication is restricted by label. By default, zones cannot communicate with each other because their labels are different. The /export directory of a zone can be read by any zone whose label dominates the label of the /export directory.

Only system processes and roles are allowed to execute in the global zone. In certain cases, privileged processes in the global zone can be exempt from aspects of MAC policy. For example, system processes and roles that have the file_dac_search privilege and the file_dac_read privilege can access files which belong to labeled zones.

Privileges in Trusted Extensions

Privileges in Trusted Extensions are coded to correspond to their Solaris counterparts. Privileges in Solaris software are implemented differently from privileges in previous Trusted Solaris releases.

For correspondences between Trusted Solaris privileges and Trusted Extensions privileges, see Table 1 in Appendix A, Interface Changes in the Solaris Trusted Extensions Release, Table 10, and New Interfaces in Trusted Extensions Software. For a complete list of privileges, see the privileges(5) man page.

The Solaris Trusted Extensions release adds the following privileges:

The Trusted Solaris command runpd has been replaced by the Solaris ppriv -d command. For details, see the ppriv(1) man page. For examples, see How to Determine Which Privileges a Program Requires in System Administration Guide: Security Services.

Trusted Extensions User Commands

On a system that is configured with Trusted Extensions, most Solaris user commands work as the commands work in the Solaris OS. Some command options apply to Trusted Extensions software only. Trusted Extensions also adds user commands. For a complete list, see New Interfaces in Trusted Extensions Software, Table 2, and Table 3.

Trusted Extensions System Administration Commands

On a system that is configured with Trusted Extensions, system administration commands work as follows:

Trusted Extensions System Calls

On a system that is configured with Trusted Extensions, most Trusted Solaris system calls have been replaced by Solaris system calls. Some system calls are extended in Trusted Extensions software. For a complete list, see Table 5 and New Interfaces in Trusted Extensions Software.

Trusted Extensions Library Functions

On a system that is configured with Trusted Extensions, some functions have been modified. Some changes are due to architectural changes in the product. Some changes are due to removal of nonstandard interfaces.

The library functions for privileges that were provided by Trusted Solaris software have been replaced by Solaris functions. Label functions that manipulate CMW labels have been removed. Some label functions have been changed to make label structures opaque. Other label functions have been replaced by new label functions that make label structures opaque. Customers are encouraged to use the new interfaces when developing label-aware code for their sites.

For a complete list, see Table 6 and New Interfaces in Trusted Extensions Software.

Trusted Extensions Databases and Files

Databases and files have been reformatted to correspond to technical changes. Unneeded files have been removed. For the list, see Table 9 and New Interfaces in Trusted Extensions Software.

Trusted Extensions Devices and Drivers

On a system that is configured with Trusted Extensions, all Trusted Solaris device interfaces, and kernel functions for drivers have been replaced by Solaris functions. For the list, see Table 11.