Go to main content

Securing Users and Processes in Oracle® Solaris 11.4

Exit Print View

Updated: September 2018
 
 

About Process Labels and Clearances in Oracle Solaris

Oracle Solaris labels files and processes. The default policy is transparent; the system behaves as if no labels exist. Administrators who create a label policy can assign labels to files to indicate the sensitivity of the information. Typical labels are Public and Confidential - Restricted. The label encodings file defines the labels on your system. For information about creating a label policy and defining labels, see Overall Process for Configuring Labeling in Securing Files and Verifying File Integrity in Oracle Solaris 11.4.

The label policy includes defining the starting labels of user processes and SMF services. The label encodings file, which defines the labels for your system, also defines the initial label of user processes. The clearance value in your encodings file is the label that you decide is suitable for users in the organization, such as Confidential - Internal. The login_policy/clearance value in the account-policy service is the label that most processes should run at. When you create a label policy, you set the CLEARANCE value to ADMIN_LOW. After a reboot, user processes start at the clearance value in the encodings file and SMF services start at ADMIN_LOW. To start authorized users and sensitive processes at higher labels, you configure authorized users and selected SMF services with higher clearances. For issues to consider when assigning clearances to users and processes, see Customizing a Label Policy in Securing Files and Verifying File Integrity in Oracle Solaris 11.4.

The default clearance when labels are not configured is the highest label, ADMIN_HIGH, so access is not restricted by label.

The value of clearance in the encodings file applies to users or roles who do not have an explicit key-value setting for the clearance security attribute. The root role and the initial account that was created during the installation of Oracle Solaris have an explicit clearance, ADMIN_HIGH.


Caution

Caution  -  Never change the explicit ADMIN_HIGH clearance of the root account.


User processes inherit the clearance of the user's primary login process. To view the clearance of your current process, type plabel in a terminal window. You have access to all labels from your clearance to ADMIN_LOW. The following example shows what the initial user and root see when they run the plabel command.

$ plabel
ADMIN_HIGH

About Access to Labeled Files

Labels on processes are called clearances, because they indicate the highest label that the process is cleared for. A clearance indicates the upper bound of a range of labels. Users can access labeled data when the label of their process dominates the label of the file containing the data. Similarly, other processes can access data when the process label dominates the file label. Dominate means that the label of the process is at least equal to, and can be higher than, the label of the data. For example, a user whose clearance is Confidential - Restricted can access data at that label and all lower labels, such as Confidential - Internal and Public.

During access attempts, Oracle Solaris translates to and from the textual strings to the internal representation. If a process attempts to translate a label that the process's label does not dominate, the translation is disallowed. The sys_trans_label privilege is required to override this restriction.

Regular users inherit the organization's default clearance, so are not cleared to access sensitive data. As the administrator, you assign higher clearances to just those services and users who must access this data. A user clearance is in effect when the user first logs in. Secondary logins, such as assuming a role, retain the clearance from the original login.

Users whose clearance is high can operate at a lower clearance by using the sandbox command, which starts a new process at a lower clearance. Processes running in a sandbox are isolated so cannot observe processes outside of the sandbox. For more information and examples, see Configuring Sandboxes for Project Isolation, Example 43, Protecting Directories on Your System From Application Processes, and the sandbox(1) and sandboxing(7) man pages.