Go to main content

Trusted Extensions Configuration and Administration

Exit Print View

Updated: March 2019
 
 

Trusted Extensions Glossary

accreditation range

A set of sensitivity labels that are approved for a class of users or resources. A set of valid labels. See also system accreditation range and user accreditation range.

administrative role

A role that gives required authorizations, privileged commands, and the Trusted Path security attribute to allow the role to perform administrative tasks. Roles perform a subset of Oracle Solaris root's capabilities, such as backup or auditing.

branded zone

In Trusted Extensions, a labeled non-global zone. More generally, a non-global zone that contains non-native operating environments. See the brands(7) man page.

CIPSO label

Common IP Security Option. CIPSO is the label standard that Trusted Extensions implements.

classification

The hierarchical component of a clearance or a label. A classification indicates a hierarchical level of security, for example, TOP SECRET or UNCLASSIFIED.

clearance

The upper limit of the set of labels at which a user can work. The lower limit is the minimum label that is assigned by the security administrator. A clearance can be one of two types, a session clearance or a user clearance.

closed network

A network of systems that are configured with Trusted Extensions. The network is cut off from any non-Trusted Extensions host. The cutoff can be physical, where no wire extends past the Trusted Extensions network. The cutoff can be in the software, where the Trusted Extensions hosts recognize only Trusted Extensions hosts. Data entry from outside the network is restricted to peripherals attached to Trusted Extensions hosts. Contrast with open network.

compartment

A nonhierarchical component of a label that is used with the classification component to form a clearance or a label. A compartment represents a collection of information, such as would be used by an engineering department or a multidisciplinary project team.

.copy_files file

An optional setup file on a multilabel system. This file contains a list of startup files, such as .cshrc or .firefox, that the user environment or user applications require in order for the system or application to behave well. The files that are listed in .copy_files are then copied to the user's home directory at higher labels, when those directories are created. See also .link_files file.

DAC

See discretionary access control.

discretionary access control

The type of access that is granted or that is denied by the owner of a file or directory at the discretion of the owner. Trusted Extensions provides two kinds of discretionary access controls (DAC), UNIX permission bits and ACLs.

domain

A part of the Internet naming hierarchy. It represents a group of systems on a local network that share administrative files.

domain of interpretation (DOI)

On an Oracle Solaris system that is configured with Trusted Extensions, the domain of interpretation is used to differentiate between different label_encodings files that might have similar labels defined. The DOI is a set of rules that translates the security attributes on network packets to the representation of those security attributes by the local label_encodings file. When systems have the same DOI, they share that set of rules and can translate the labeled network packets.

evaluated configuration

One or more Trusted Extensions hosts that are running in a configuration that has been certified as meeting specific criteria by a certification authority.

Trusted Extensions software is in evaluation for certification by Common Criteria v2.3 [August 2005], an ISO standard, to Evaluation Assurance Level (EAL) 4, and against a number of protection profiles.

GFI

Government Furnished Information. In this guide, it refers to a U.S. government-provided label_encodings file. In order to use a GFI with Trusted Extensions software, you must add the Oracle-specific LOCAL DEFINITIONS section to the end of the GFI. For details, see Chapter 5, Customizing the LOCAL DEFINITIONS Section in Trusted Extensions Label Administration.

initial label

The minimum label assigned to a user or role. The initial label is the lowest label at which the user or role can work.

initial setup team

A team of at least two people who together oversee the enabling and configuration of Trusted Extensions software. One team member is responsible for security decisions, and the other for system administration decisions.

IP address

IP addresses that are used in Oracle Solaris documentation conform to IPv4 Address Blocks Reserved for Documentation, RFC 5737 and IPv6 Address Prefix Reserved for Documentation, RFC 3849 (https://www.rfc-editor.org/info/rfc3849).

IPv4 addresses used in this documentation are blocks 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24. IPv6 addresses have prefix 2001:DB8::/32. To show a subnet, the block is divided into multiple subnets by borrowing enough bits from the host to create the required subnet. For example, host address 192.0.2.0 might have subnets 192.0.2.32/27 and 192.0.2.64/27.

label

A security identifier that is assigned to an object. The label is based on the level at which the information in that object should be protected. Labels are defined in the label_encodings file.

label configuration

A Trusted Extensions installation choice of single-label or multilabel sensitivity labels. In most circumstances, label configuration is identical on all systems at your site.

labeled host

A labeled server that is part of a trusted network of labeled systems.

labeled server

A labeled server is a system that is running a multilevel operating system, such as Trusted Extensions or SELinux with MLS enabled. The server can send and receive network packets that are labeled with a Common IP Security Option (CIPSO) in the header of the packet.

labeled zone

On an Oracle Solaris system that is configured with Trusted Extensions, every zone is assigned a label. Although the global zone is labeled, labeled zone typically refers to a non-global zone that is assigned a label. Labeled zones have two different characteristics from non-global zones on an Oracle Solaris system that is not configured with labels. First, labeled zones must use the same pool of user IDs and group IDs. Second, labeled zones can share IP addresses.

label_encodings file

The file where the complete sensitivity label is defined, as are accreditation ranges, default user clearance, and other aspects of labels.

label range

A set of sensitivity labels that are assigned to processes, objects, and users. The range is specified by designating a maximum label and a minimum label. For commands, the minimum and maximum labels limit the labels at which the command can be executed. Remote hosts that do not recognize labels are assigned a single sensitivity label, as are any other hosts that the security administrator wants to restrict to a single label.

label relationships

On an Oracle Solaris system that is configured with Trusted Extensions, a label can dominate another label, be equal to another label, or be disjoint from another label. For example, the label Top Secret dominates the label Secret. For two systems with the same domain of interpretation (DOI), the label Top Secret on one system is equal to the label Top Secret on the other system.

label set

See security label set.

.link_files file

An optional setup file on a multilabel system. This file contains a list of startup files, such as .cshrc or .firefox, that the user environment or user applications require in order for the system or application to behave well. The files that are listed in .link_files are then linked to the user's home directory at higher labels, when those directories are created. See also .copy_files file.

MAC

See mandatory access control.

mandatory access control

Access control that is based on comparing the sensitivity label of a file or directory to the sensitivity label of the process that is trying to access it. The MAC rule, read equal–read down, applies when a process at one label attempts to read a file at a lower label. The MAC rule, write equal-read down, applies when a process at one label attempts to write to a directory at another label.

minimum label

The lower bound of a user's sensitivity labels and the lower bound of the system's sensitivity labels. The minimum label set by the security administrator when specifying a user's security attributes is the sensitivity label of the user's first workspace at first login. The sensitivity label that is specified in the minimum label field by the security administrator in the label_encodings file sets the lower bound for the system.

multilevel port (MLP)

On an Oracle Solaris system that is configured with Trusted Extensions, an MLP is used to provide multilevel service in a zone. By default, the X server is a multilevel service that is defined in the global zone. An MLP is specified by port number and protocol.

open network

A network of Trusted Extensions hosts that is connected physically to other networks and that uses Trusted Extensions software to communicate with non-Trusted Extensions hosts. Contrast with closed network.

outside the evaluated configuration

When software that has been proved to be able satisfy the criteria for an evaluated configuration, is configured with settings that do not satisfy security criteria, the software is described as being outside the evaluated configuration.

process

An action that executes a command on behalf of the user who invokes the command. A process receives a number of security attributes from the user, including the user ID (UID), the group ID (GID), the supplementary group list, and the user's audit ID (AUID). Security attributes received by a process include any privileges that are available to the command being executed and the sensitivity label of the current workspace.

profile shell

A special shell that recognizes security attributes, such as privileges, authorizations, and special UIDs and GIDs. A profile shell typically limits users to fewer commands, but can allow these commands to run with more rights. The profile shell is the default shell of a trusted role.

remote host

A different system than the local system. A remote host can be an unlabeled host or a labeled host.

role

A role is like a user, except that a role cannot log in. Typically, a role is used to assign administrative capabilities. Roles are limited to a particular set of commands and authorizations. See administrative role.

security administrator

In an organization where sensitive information must be protected, the person or persons who define and enforce the site's security policy. These persons are cleared to access all information that is being processed at the site. In software, the Security Administrator administrative role is assigned to one or more individuals who have the proper clearance. These administrators configure the security attributes of all users and hosts so that the software enforces the site's security policy. In contrast, see system administrator.

security attribute

An attribute that is used to enforce Trusted Extensions security policy. Various sets of security attributes are assigned to processes, users, zones, hosts, and other objects.

security label set

Specifies a discrete set of security labels for a tnrhtp database entry. Hosts that are assigned to a template with a security label set can send and receive packets that match any one of the labels in the label set.

security policy

On a Trusted Extensions host, the set of DAC, MAC, and labeling rules that define how information can be accessed. At a customer site, the set of rules that define the sensitivity of the information being processed at that site and the measures that are used to protect the information from unauthorized access.

security template

A record in the tnrhtp database that defines the security attributes of a class of hosts that can access the Trusted Extensions network.

sensitivity label

A security label that is assigned to an object or a process. The label is used to limit access according to the security level of the data that is contained.

separation of duty

The security policy that two administrators or roles be required to create and authenticate a user. One administrator or role is responsible for creating the user, the user's home directory, and other basic administration. The other administrator or role is responsible for the user's security attributes, such as the password and the label range.

subnet

A logical subdivision of an IP network that connects systems with subnet numbers and IP address schemas, including their respective netmasks. See also IP address.

system accreditation range

The set of all valid labels that are created according to the rules that the security administrator defines in the label_encodings file, plus the two administrative labels that are used on every system that is configured with Trusted Extensions. The administrative labels are ADMIN_LOW and ADMIN_HIGH.

system administrator

In Trusted Extensions, the trusted role assigned to the user or users who are responsible for performing standard system management tasks such as setting up the non-security-relevant portions of user accounts. In contrast, see security administrator.

tnrhdb database

The trusted network remote host database. This database assigns a set of label characteristics to a remote host. The database is accessible as a file in /etc/security/tsol/tnrhdb.

tnrhtp database

The trusted network remote host template. This database defines the set of label characteristics that a remote host can be assigned. The database is accessible either as a file in /etc/security/tsol/tnrhtp.

Trusted Network databases

tnrhtp, the trusted network remote host template and tnrhdb, the trusted network remote host database together define the remote hosts that a Trusted Extensions system can communicate with.

trusted path

On an Oracle Solaris system that is configured with Trusted Extensions, the trusted path is a reliable, tamper-proof way to interact with the system. The trusted path is used to ensure that administrative functions cannot be compromised. User functions that must be protected, such as changing a password, also use the trusted path.

unlabeled system

To an Oracle Solaris system that is configured with Trusted Extensions, an unlabeled system is a system that is not running a multilevel operating system, such as Trusted Extensions or SELinux with MLS enabled. An unlabeled system does not send labeled packets. If the communicating Trusted Extensions system has assigned to the unlabeled system a single label, then network communication between the Trusted Extensions system and the unlabeled system happens at that label. An unlabeled system is also called a "single-level system".

trusted role

See administrative role.

txzonemgr script

The /usr/sbin/txzonemgr script provides a simple GUI for managing labeled zones. The script also provides menu items for networking options. txzonemgr is run by root in the global zone.

unlabeled host

A networked system that sends unlabeled network packets, such as a system that is running the Oracle Solaris OS.

user accreditation range

The set of all possible labels at which a regular user can work on the system. The site's security administrator specifies the range in the label_encodings file file. The rules for well-formed labels that define the system accreditation range are additionally restricted by the values in the ACCREDITATION RANGE section of the file: the upper bound, the lower bound, the combination constraints and other restrictions.

user clearance

The clearance assigned by the security administrator that sets the upper bound of the set of labels at which a user can work at any time. The user can decide to accept the default, or can further restrict that clearance during any particular login session.