Differences Between Trusted Solaris 8 Software and Solaris Trusted Extensions
The following sections summarize the components that remain, the components that have changed,
and the components that have been removed in the change from Trusted Solaris
to Solaris Trusted Extensions software.
Audit Events and Classes in Trusted Extensions
In Trusted Extensions, the audit classes for X events have been collapsed from
six classes to four classes. The xa class and the xl class
are removed. Events that were assigned to the xa class are in the
ot class. Events that were assigned to the xl class are in
the lo class. The bit masks of the remaining X audit classes have
been changed from their Trusted Solaris 8 masks.
0x00800000:xc:X - object create/destroy
0x00400000:xp:X - privileged/administrative operations
0x01000000:xs:X - operations that always silently fail, if bad
0x01c00000:xx:X - all X events (meta-class
Device Management in Trusted Extensions
In Trusted Extensions, the allocate and deallocate commands are only available to TCB
(Trusted Computing Base) processes that run in the global zone. Ordinary users must
use the Device Manager GUI to allocate and deallocate devices.
Trusted Extensions device policy uses the Solaris getdevpolicy and update_drv interfaces. The
Trusted Solaris 8 device policies: data_mac_policy, attr_mac_policy, open_priv, and str_type have been removed.
Files and File System Mounting in Trusted Extensions
Trusted Extensions provides no explicit mount attributes for specifying labels. The label of
a mounted filesystem is the same as the label that is associated with
the owning host or owning zone. Writing up is not permitted. Writing up
is prevented by disallowing mounts of higher-labeled or disjointly labeled filesystems. Reading down
is permitted. Reading down is enforced by restricting mounts of lower-labeled filesystems
to be read-only.
The Trusted Extensions implementation for specifying security attributes on file systems follows
the Solaris implementation. Therefore, files do not have forced privileges or allowed privileges.
This implementation enables Trusted Extensions to support any file system that is supported
by Solaris zones.
File relabeling is implemented by moving a file from one mounted file system
to another file system.
Labels in Trusted Extensions
As in the Trusted Solaris releases, Trusted Extensions provides a label_encodings file.
Labels, label ranges, clearances, and defaults are defined in the label_encodings file.
In Trusted Extensions, the label_encodings file that is installed by default defines commercial
labels, such as RESTRICTED and PUBLIC. In Trusted Solaris releases, the default
label encodings file, label_encodings.multi, was a version of a U.S. Government encodings file.
In the Label Builder, labels are shown in long form instead of
in short form. When choosing a session clearance or workspace label, Trusted Path is
used instead of Admin Low or Admin High.
Label APIs in Trusted Extensions
In Solaris Trusted Extensions, the label APIs that showed the internals of
a label's structure are now obsolete. These label APIs have been replaced by
the label_to_str() and str_to_label() functions. For the interfaces that are obsolete, and their
replacement functions, see Table 7.
Also, CMW labels have been replaced by sensitivity labels. All CMW and IL
(information label) interfaces have been removed.
Mail in Trusted Extensions
In the Solaris Trusted Extensions release, each zone has an independent instance
of sendmail. Therefore, mail cannot be upgraded. Users can send mail and can
receive mail only at the label of the user's workspace.
LDAP Naming Service in Trusted Extensions
Solaris Trusted Extensions uses LDAP as a naming service. In Trusted Extensions,
NIS and NIS+ do not support the tnrhdb and tnrhtp databases. These naming services
do not have a proxy server that can bind to a multilevel port
(MLP). Therefore, the trusted networking databases cannot be reached from multiple zones concurrently.
Except for user passwords, LDAP data is considered public information. Therefore, any information
in LDAP is not protected by a MAC policy. Instead, as in the
Solaris OS, data is protected by an administrative policy. LDAP administrative policy is
based on LDAP identities and passwords. When sensitivity labels are assigned as attributes
of users and network endpoints, the labels are stored in an internal format.
This format does not disclose classified information.
When an LDAP server is deployed as the naming service within a
Trusted Extensions environment, the server must be configured to bind to a multilevel
port (MLP) in the global zone.
Trusted Extensions can also be configured to rely on an existing LDAP
infrastructure. In this case, an LDAP proxy server must be installed. This proxy
server must be configured to bind to an MLP in the global zone
of a system that is configured with Trusted Extensions. This Trusted Extensions system
can then proxy multilevel requests from other zones and other hosts to the
existing unlabeled LDAP server. The unlabeled server must be assigned the admin_low
template in the tnrhdb of the proxy server.
To migrate NIS+ tables to LDAP entries, see the following man pages:
Named Pipes in Trusted Extensions
In the Solaris OS, named pipes are used as one-way conduits. In
Trusted Extensions, named pipes permit write-up operations. The writer runs at a lower
label than the reader's dominant label. In Trusted Solaris 8, named pipes were
configured by upgrading the label of the FIFO to the reader's label. In
Trusted Extensions, named pipes are configured by using read-only lofs mounts of directories
in lower-level zones into dominant higher-level zones. The FIFO is created at the label
of the zone of the writer. For more information, see the mkfifo(1M)
Networking in Trusted Extensions
Trusted Extensions does not support the TSIX or TSOL networking protocols. Trusted
Extensions defines CIPSO-labeled templates and unlabeled templates in the tnrhtp database. The label ADMIN_HIGH
is used as an upper bound, but is never transmitted as a CIPSO
label. For more information, see Zones in Trusted Extensions.
The format of the tnrhtp database has been simplified because process attributes like
privileges, user ids, and group ids are no longer supported. The format
of the tnrhdb database is unchanged. The tnzonecfg database replaces the tnidb database,
although the two databases are not equivalent.
The /etc/security/tsol/tnrhtp file that is installed with the Solaris Trusted Extensions release contains
templates that can be used with any label_encodings file. The following table
shows the correspondences between earlier versions of tnrhtp and the version that is shipped
with the Solaris Trusted Extensions release.
Table 1 Template Names in the Trusted Solaris 8 and Solaris Trusted Extensions Releases
Trusted Solaris Template Name
Trusted Extensions Name
For unlabeled hosts
tsol, tsol_cipso, tsix
Use cipso template
Network communication is restricted by label. By default, zones cannot communicate with each
other because their labels are different.
Packets from unlabeled hosts that originate outside a Trusted Extensions domain can be
labeled for trusted routing through the secure domain to another host outside the
domain by using IP options. Incoming packets are labeled according to their originating
host's entry in the tnrhdb. Incoming packets are routed through the Trusted Extensions
domain according to their sensitivity level and the trusted routing information. The sensitivity
label is still carried in the IP option. The label is stripped when
the packet exits the trusted domain. IPv6 now supports trusted routing.
Dynamic routing is not supported. Static routing is supported.
Packaging in Trusted Extensions
Trusted Extensions software does not require special packaging attributes. Therefore, the tsolinfo file
is no longer used.
PAM in Trusted Extensions
The PAM module for Trusted Extensions, pam_tsol_account.so.1, has only one module type and
one function. The module is of type account, and the function checks
the label range. The module has no options. No other Trusted Extensions-specific functions
of PAM from Trusted Solaris 8 software are included in this release.
If a PAM stack for account in the Trusted Solaris 8 release did not have label_check_on in pam_tsol.so.1, then you do not need to add pam_tsol_account.so.1 to the corresponding stack in the Solaris Trusted Extensions release.
If a PAM stack for account in the Trusted Solaris 8 release did have label_check_on in pam_tsol.so.1, then the corresponding stack in the Solaris Trusted Extensions release should use pam_tsol_account.so.1 in the same place in the stack with no switches.
Trusted Extensions adds the allow_unlabeled option to PAM services. Together with the allow_remote
option, administrators can manage headless systems remotely. For details, see the pam_roles(5) and
pam_tsol_account(5) man pages.
PAM stacks for other module types should be used in the same
manner for Trusted Extensions as for the Solaris OS. For more information, see
the pam(3PAM) and pam.conf(4) man pages.
Policy in Trusted Extensions
In Trusted Extensions, a process' clearance is the same as its sensitivity label.
Write up is not supported.
There is no administrative distinction between ADMIN_HIGH and ADMIN_LOW workspaces. Therefore, such
workspaces are displayed as Trusted Path.
The tsol policy in the exec_attr file is removed. Use the solaris policy.
Printing in Trusted Extensions
Trusted Extensions supports both single-level and multilevel printing. Multilevel printing is implemented in
the global zone only. The global zone must have its own IP address
to be a multilevel print service. To use the global zone's print server,
a labeled zone must have a separate IP address from the global zone.
Only multilevel printers have a label range. A printer's label range can be
restricted with the Device Allocation Manager.
In Trusted Solaris releases, banner and trailer pages were enabled by default. In
Trusted Extensions, administrators run a printer model script to add banner and trailer
pages with security information to a printer.
lpadmin -p printer -m printer-model-script
Trusted Extensions adds four printer model scripts: tsol_standard, tsol_netstandard, tsol_standard_foomatic, and tsol_netstandard_foomatic.
Solaris Management Console in Trusted Extensions
The Solaris Management Console is no longer a multilevel service. The Solaris
Management Console can only be contacted by clients that are running at the
same label as the server. For most Trusted Extensions administration, access to the
global zone is required. Because ordinary users are not permitted to log in
to the global zone, only roles that are cleared for all labels
can connect to the Solaris Management Console in the global zone.
Window System and CDE in Trusted Extensions
The login sequence is slightly different, and a new dialog box, Last Login,
contains security information for the login user. The Shutdown menu item has been
replaced with the Suspend System menu item, which checks for user authorization, then
runs the sys-suspend command.
The System_Admin folder has been renamed to the Trusted_Extensions folder.
The CDE actions in the Trusted_Extensions folder have been updated. The NIS+ actions
have been removed. Actions for administering LDAP and labeled zones have been added.
Zones in Trusted Extensions
Trusted Extensions uses zones for labeling. The global zone is an administrative zone,
so is not available to users. The global zone is multilevel. The
networking label of the global zone is ADMIN_LOW, but its process label is ADMIN_HIGH.
Files that are private to the global zone are also labeled ADMIN_HIGH. Files
that are shared with all zones are labeled ADMIN_LOW.
Each non-global zone has a unique label. Non-global zones are called labeled zones.
Labeled zones are available to ordinary users. The global zone is available to
The Trusted Extensions policy for zones is different from Solaris policy. Trusted
Extensions does not require a separate IP address per zone. However, all zones
must have a single naming service. A single naming service provides all zones
with a single set of users, UIDs, and GIDs.
Network communication is restricted by label. By default, zones cannot communicate with
each other because their labels are different. The /export directory of a
zone can be read by any zone whose label dominates the label of
the /export directory.
Only system processes and roles are allowed to execute in the global zone.
In certain cases, privileged processes in the global zone can be exempt from
aspects of MAC policy. For example, system processes and roles that have the
file_dac_search privilege and the file_dac_read privilege can access files which belong
to labeled zones.
Privileges in Trusted Extensions
Privileges in Trusted Extensions are coded to correspond to their Solaris counterparts. Privileges
in Solaris software are implemented differently from privileges in previous Trusted Solaris releases.
Basic privileges are implemented. For example, proc_exec and proc_info are basic privileges.
Basic privileges do not override security policy, but rather enable use of the system. Without the proc_exec privilege, a user cannot use the system.
Privileges are not file attributes. Therefore, there are no allowed or forced privileges.
Default and limit privileges can be assigned to the initial shell of a user or of a role.
Privileges are called by name, not by number.
Therefore, privilege numbers are not used in function calls or in the exec_attr file.
Privilege macros are not used and have been removed.
Privileges interact with zones. Some privileges can be used in the global zone only, so are not available to ordinary users.
For correspondences between Trusted Solaris privileges and Trusted Extensions privileges, see Table 1 in
Appendix A, Interface Changes in the Solaris Trusted Extensions Release, Table 10, and New Interfaces in Trusted Extensions Software. For a complete list of privileges, see the privileges(5) man
The Solaris Trusted Extensions release adds the following privileges:
The Trusted Solaris command runpd has been replaced by the Solaris ppriv -d command.
For details, see the ppriv(1) man page. For examples, see How to Determine Which Privileges a Program Requires in System Administration Guide: Security Services.
Trusted Extensions User Commands
On a system that is configured with Trusted Extensions, most Solaris user commands
work as the commands work in the Solaris OS. Some command options
apply to Trusted Extensions software only. Trusted Extensions also adds user commands. For a
complete list, see New Interfaces in Trusted Extensions Software, Table 2, and Table 3.
Trusted Extensions System Administration Commands
On a system that is configured with Trusted Extensions, system administration commands work
Most Solaris system administration commands work as the commands work in the Solaris OS, for example, add_drv and share.
Some command options apply to Trusted Extensions software only, such as the -R option to netstat.
Because NIS+ is not a supported naming service for a Trusted Extensions environment, NIS+ administration commands are not modified for this release.
Some commands that are familiar to a Trusted Solaris 8 administrator have been modified, such as chk_encodings. For the changes, see the man pages.
For links to the man pages, see Table 4 and New Interfaces in Trusted Extensions Software.
Trusted Extensions System Calls
On a system that is configured with Trusted Extensions, most Trusted Solaris
system calls have been replaced by Solaris system calls. Some system calls are extended
in Trusted Extensions software. For a complete list, see Table 5 and New Interfaces in Trusted Extensions Software.
Trusted Extensions Library Functions
On a system that is configured with Trusted Extensions, some functions have been
modified. Some changes are due to architectural changes in the product. Some changes
are due to removal of nonstandard interfaces.
The library functions for privileges that were provided by Trusted Solaris software
have been replaced by Solaris functions. Label functions that manipulate CMW labels have
been removed. Some label functions have been changed to make label structures opaque.
Other label functions have been replaced by new label functions that make label
structures opaque. Customers are encouraged to use the new interfaces when developing label-aware
code for their sites.
For a complete list, see Table 6 and New Interfaces in Trusted Extensions Software.
Trusted Extensions Databases and Files
Databases and files have been reformatted to correspond to technical changes. Unneeded files
have been removed. For the list, see Table 9 and New Interfaces in Trusted Extensions Software.
Trusted Extensions Devices and Drivers
On a system that is configured with Trusted Extensions, all Trusted
Solaris device interfaces, and kernel functions for drivers have been replaced by Solaris
functions. For the list, see Table 11.