JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris Trusted Extensions Administrator's Procedures     Oracle Solaris 10 8/11 Information Library
search filter icon
search icon

Document Information


1.  Trusted Extensions Administration Concepts

2.  Trusted Extensions Administration Tools

3.  Getting Started as a Trusted Extensions Administrator (Tasks)

4.  Security Requirements on a Trusted Extensions System (Overview)

5.  Administering Security Requirements in Trusted Extensions (Tasks)

6.  Users, Rights, and Roles in Trusted Extensions (Overview)

7.  Managing Users, Rights, and Roles in Trusted Extensions (Tasks)

8.  Remote Administration in Trusted Extensions (Tasks)

9.  Trusted Extensions and LDAP (Overview)

10.  Managing Zones in Trusted Extensions (Tasks)

11.  Managing and Mounting Files in Trusted Extensions (Tasks)

12.  Trusted Networking (Overview)

The Trusted Network

Trusted Extensions Data Packets

Trusted Network Communications

Network Configuration Databases in Trusted Extensions

Network Commands in Trusted Extensions

Trusted Network Security Attributes

Network Security Attributes in Trusted Extensions

Host Type and Template Name in Security Templates

Default Label in Security Templates

Domain of Interpretation in Security Templates

Label Range in Security Templates

Security Label Set in Security Templates

Trusted Network Fallback Mechanism

Overview of Routing in Trusted Extensions

Background on Routing

Routing Table Entries in Trusted Extensions

Trusted Extensions Accreditation Checks

Source Accreditation Checks

Gateway Accreditation Checks

Destination Accreditation Checks

Administration of Routing in Trusted Extensions

Choosing Routers in Trusted Extensions

Gateways in Trusted Extensions

Routing Commands in Trusted Extensions

13.  Managing Networks in Trusted Extensions (Tasks)

14.  Multilevel Mail in Trusted Extensions (Overview)

15.  Managing Labeled Printing (Tasks)

16.  Devices in Trusted Extensions (Overview)

17.  Managing Devices for Trusted Extensions (Tasks)

18.  Trusted Extensions Auditing (Overview)

19.  Software Management in Trusted Extensions (Tasks)

A.  Quick Reference to Trusted Extensions Administration

B.  List of Trusted Extensions Man Pages


Network Security Attributes in Trusted Extensions

Trusted Extensions is installed with a default set of security templates. When a template is assigned to a host, the security values in the template are applied to the host. In Trusted Extensions, both unlabeled hosts and labeled hosts on the network are assigned security attributes by means of a template. Hosts that are not assigned a security template cannot be reached. The templates can be stored locally, or in the LDAP naming service on the Oracle Directory Server Enterprise Edition.

Templates can be assigned directly or indirectly to a host. Direct assignment assigns a template to a particular IP address. Indirect assignment assigns a template to a network address that includes the host. Hosts that do not have a security template cannot communicate with hosts that are configured with Trusted Extensions. For an explanation of direct assignment and indirect assignment, see Trusted Network Fallback Mechanism.

Templates are modified or created by using the Security Templates tool in the Solaris Management Console. The Security Templates tool enforces the completion of the required fields in the templates. Which fields are required is based on the host type.

Each host type has its own set of additional required and optional security attributes. The following security attributes are specified in security templates:

Host Type and Template Name in Security Templates

Trusted Extensions supports two host types in the trusted network databases and provides two default templates:


Caution - The admin_low template provides an example for constructing unlabeled templates with site-specific labels. While the admin_low template is required for the installation of Trusted Extensions, the security settings might not be appropriate for normal system operations. Retain the provided templates without modification for system maintenance and support reasons.

Default Label in Security Templates

Templates for the unlabeled host type specify a default label. This label is used to control communications with hosts whose operating systems are not aware of labels, such as Oracle Solaris systems. The default label that is assigned reflects the level of trust that is appropriate for the host and its users.

Because communications with unlabeled hosts are essentially limited to the default label, these hosts are also referred to as single-label hosts.

Domain of Interpretation in Security Templates

Organizations that use the same Domain of Interpretation (DOI) agree among themselves to interpret label information and other security attributes in the same way. When Trusted Extensions performs a label comparison, a check is made as to whether the DOI is equal.

A Trusted Extensions system enforces label policy on one DOI value. All zones on a Trusted Extensions system must operate at the same DOI. A Trusted Extensions system does not provide exception handling on packets that are received from a system that uses a different DOI.

If your site uses a DOI value that is different from the default value, you must add this value to the /etc/system file, and change the value in every security template. For the initial procedure, see Configure the Domain of Interpretation in Oracle Solaris Trusted Extensions Configuration Guide. To configure the DOI in every security template, see Example 13-1.

Label Range in Security Templates

The minimum label and maximum label attributes are used to establish the label range for labeled and unlabeled hosts. These attributes are used to do the following:

Security Label Set in Security Templates

The security label set defines at most four discrete labels at which packets can be accepted, forwarded, or sent by the remote host. This attribute is optional. By default, no security label set is defined.