- access control list (ACL)
A security feature of the Solaris OS. An ACL extends discretionary access control (DAC) to
use a list of permission specifications (ACL entries) that apply to specific users
and specific groups. An ACL allows finer-grained control than the control that standard
UNIX permissions provides.
- access permission
A security feature of most computer systems. Access permission gives the user the
right to read, write, execute, or view the name of a file or
directory. See also discretionary access control (DAC) and mandatory access control (MAC).
- account label range
The set of labels that are assigned by the security administrator to a
user or role for working on a system that is configured with Trusted
Extensions. A label range is defined at the upper end by the
user clearance and at the lower end by the user's minimum label. The set is
limited to well-formed labels.
- accreditation range
A set of labels that are approved for a class of users
or resources. See also system accreditation range, user accreditation range, label encodings file, and network accreditation range.
An application that can be accessed from the CDE (Common Desktop Environment) graphical
user interface. An action is represented by an icon. The action consists of
one or more commands and optional user prompts. In Trusted Extensions, an action
is only available to a user if the security administrator has included the
action in a rights profile that is assigned to the user's account. Similarly, certain
functions of the action might be available only if the security administrator has
assigned the appropriate authorizations and privileges in that rights profile.
- administrative labels
Two special labels intended for administrative files only: ADMIN_LOW and ADMIN_HIGH. ADMIN_LOW
is the lowest label in the system with no compartments. This label is
strictly dominated by all labels in the system. Information at ADMIN_LOW can be read
by all but can only be written by a user in a
role who is working at the ADMIN_LOW label. ADMIN_HIGH is the highest
label in the system with all compartments. This label strictly dominates all labels
in the system. Information at ADMIN_HIGH can only be read by users
in roles that operate at ADMIN_HIGH. Administrative labels are used as labels
or clearances for roles and systems. See also dominating label.
- allocatable device
A security feature of the Solaris OS. An allocatable device can be
used by one user at a time, and is capable of importing or
exporting data from the system. The security administrator determines which users are authorized to access
which allocatable devices. Allocatable devices include tape drives, floppy drives, audio devices, and
CD-ROM devices. See also device allocation.
- audit ID (AUID)
A security feature of the Solaris OS. An audit ID represents the
login user. the AUID is unchanged after the user assumes a role, so
is used to identify the user for auditing purposes. The audit ID always represents
the user for auditing even when the user acquires effective UIDs/GIDs. See also
user ID (UID).
A security feature of the Solaris OS. Auditing is a process for
capturing user activity and other events on the system, then storing this information
in a set of files that is called an audit trail. Auditing produces system activity
reports to fulfill site security policy.
A security feature of the Solaris OS. An authorization grants permission to
a user to perform an action that is otherwise prohibited by security policy.
The security administrator assigns authorizations to rights profiles. Rights profiles are then assigned to user or
role accounts. Some commands and actions do not function fully unless the user
has the necessary authorizations. See also privilege.
A component of a clearance or a label. A classification indicates a hierarchical level
of security, for example, TOP SECRET or UNCLASSIFIED.
A label that defines the upper boundary of a label range. A clearance has two
components: a classification and zero or more compartments. A clearance does not need to
be a well-formed label. A clearance defines a theoretical boundary, not necessarily an actual
label. See also user clearance, session clearance, and label encodings file.
- Common Desktop Environment (CDE)
A graphical desktop that includes a session manager, a window manager, and various
desktop tools. Trusted Extensions adds trusted applications to the desktop, such as the
label builder, Device Allocation Manager, and Selection Manager. See also Trusted GNOME.
A nonhierarchical component of a label that is used with the classification
component to form a clearance or a label. A compartment represents a group
of users with a potential need to access this information, such as an
engineering department or a multidisciplinary project team.
- compartmented mode workstation (CMW)
A computing system that fulfills the government requirements for a trusted workstation as
stated in Security Requirements for System High and Compartmented Mode Workstations, DIA document number DDS-2600-5502-87. Specifically, it defines a trusted, X
Window System-based operating system for UNIX workstations.
- covert channel
A communication channel that is not normally intended for data communication. A covert
channel allows a process to transfer information indirectly in a manner that violates
the intent of the security policy.
- deallocated device
A security feature of the Solaris OS. A deallocated device is no
longer allocated to a user for exclusive use. See also device allocation.
See allocatable device.
- device allocation
A security feature of the Solaris OS. Device allocation is a mechanism
for protecting the information on an allocatable device from access by anyone except the user
who allocates the device. When the device is deallocated, device clean scripts are
run to clean information from the device before the device can be accessed
again by another user. In Trusted Extensions, device allocation is handled by the
Device Allocation Manager.
- Device Allocation Manager
A trusted application of Trusted Extensions. This GUI is used to configure devices,
and to allocate and deallocate devices. Device configuration includes adding authorization requirements to
- discretionary access control (DAC)
An access control mechanism that allows the owner of a file or directory
to grant or deny access to other users. The owner assigns read, write,
and execute permissions to the owner, the user group to which the owner
belongs, and a category called other, which refers to all other unspecified users.
The owner can also specify an access control list (ACL). An ACL lets the owner assign
permissions specifically to additional users and additional groups. Contrast with mandatory access control (MAC).
- disjoint label
See dominating label.
- dominating label
In a comparison of two labels, the label whose classification component is
higher than or equal to the second label's classification and whose compartment components
include all of the second label's compartment components. If the components are the
same, the labels are said to dominate each other and are equal. If
one label dominates the other and the labels are not equal, the first
label is said to strictly dominate the other. Two labels are disjoint if they
are not equal and neither label is dominant.
- downgraded label
A label of an object that has been changed to a value that
does not dominate the previous value of the label.
- effective UIDs/GIDs
A security feature of the Solaris OS. Effective IDs override a real
ID when necessary to run a particular program or an option of a
program. The security administrator assigns an effective UID to a command or action in
a rights profile when that command or action must be run by a specific
user, most often when the command must be run as root. Effective group
IDs are used in the same fashion. Note that the use of the
setuid command as in conventional UNIX systems might not work due to the
need for privileges.
- evaluatable configuration
A computer system that meets a set standard of government security requirements. See
also extended configuration.
- extended configuration
A computer system that is no longer an evaluatable configuration due to modifications that
have broken security policy.
- fallback mechanism
A shortcut method for specifying IP addresses in the tnrhtp database. For
IPv4 addresses, the fallback mechanism recognizes 0 as a wildcard for a
A host that has more than one network interface. Such a host can
be used to connect two or more networks. When the gateway
is a Trusted Extensions host, the gateway can restrict traffic to a
- group ID (GID)
A security feature of the Solaris OS. A GID is an integer
that identifies a group of users who have common access permissions. See also discretionary access control (DAC).
A computer attached to a network.
- host template
A record in the tnrhtp database that defines the security attributes of a class of
hosts that can access the Trusted Extensions network.
- host type
A classification of a host. The classification is used for network communications.
The definitions of host types are stored in the tnrhtp database. The
host type determines whether the CIPSO network protocol is used to communicate with other
hosts on the network. Network protocol refers to the rules for packaging communication information.
Also referred to as a sensitivity label. A label indicates the security level
of an entity. An entity is a file, directory, process, device, or network
interface. The label of an entity is used to determine whether access should
be permitted in a particular transaction. Labels have two components: a classification that indicates
the hierarchical level of security, and zero or more compartments for defining who
can access the entity at a given classification. See also label encodings file.
- label builder
A trusted application of Trusted Extensions. This GUI enables users to choose a
session clearance or a session label. The clearance or label must be within
the account label range that the security administrator has assigned to the user.
- label encodings file
A file that is managed by the security administrator. The encodings file contains
the definitions for all valid clearances and labels. The file also defines the system accreditation range,
user accreditation range, and defines the security information on printouts at the site.
- label range
Any set of labels that are bounded on the upper end by
a clearance or maximum label, on the lower end by a minimum
label, and that consist of well-formed labels. Label ranges are used to enforce mandatory access control (MAC).
See also label encodings file, account label range, accreditation range, network accreditation range, session range, system accreditation range, and user accreditation range.
- label view
A security feature that displays the administrative labels or substitutes unclassified placeholders for the
administrative labels. For example, if security policy forbids exposing the labels ADMIN_HIGH
and ADMIN_LOW, the labels RESTRICTED and PUBLIC can be substituted.
- labeled workspace
A Solaris Trusted Extensions (CDE) or a Solaris Trusted Extensions (GNOME) workspace. A
labeled workspace labels every activity that is launched from the workspace with the
label of the workspace. When users move a window into a workspace of
a different label, the moved window retains its original label.
- least privilege
See principle of least privilege.
- mandatory access control (MAC)
A system-enforced access control mechanism that uses clearances and labels to enforce
security policy. A clearance or a label is a security level. MAC associates
the programs that a user runs with the security level at which
the user chooses to work in the session. MAC then permits access to
information, programs, and devices at the same or lower level only. MAC also
prevents users from writing to files at lower levels. MAC cannot be overridden
without special authorizations or privileges. Contrast with discretionary access control (DAC).
- minimum label
A label that is assigned to a user as the lower bound of
the set of labels at which that user can work. When a user
first begins a Trusted Extensions session, the minimum label is the user's
default label. At login, the user can choose a different label for the
Also, the lowest label that is permitted to any non-administrative user. The minimum
label is assigned by the security administrator and defines the bottom of the user accreditation range.
- network accreditation range
The set of labels within which Trusted Extensions hosts are permitted to
communicate on a network. The set can be a list of four discrete
A passive entity that contains or receives data, such as a data file,
directory, printer, or other device. An object is acted upon by subjects.
In some cases, a process can be an object, such as when you send
a signal to a process.
A role that can be assigned to the user or users who are
responsible for backing up systems.
- ordinary user
A user who holds no special authorizations that allow exceptions from the
standard security policies of the system. Typically, an ordinary user cannot assume an
A set of codes that indicate which users are allowed to read, write,
or execute the file or directory (folder). Users are classified as owner, group
(the owner's group), and other (everyone else). Read permission (indicated by r) lets
the user read the contents of a file or, if a directory, list
the files in the folder. Write permission (w) lets the user make
changes to a file or, if a folder, add or delete files. Execute
permission (e) lets the user run the file if the file is executable.
If the file is a directory, execute permission lets the user read or
search the files in the directory. Also referred to as UNIX permissions or
- principle of least privilege
The security principle that restricts users to only those functions that are necessary
to perform their jobs. The principle is applied in Trusted Extensions by making
privileges available to programs on an as-needed basis. Privileges are available on an
as-needed basis for specific purposes only.
A security feature of the Solaris OS. A privilege is a permission
that is granted to a program by the security administrator. A privilege can be required
to override some aspect of security policy. See also authorization.
- privileged process
A security feature of the Solaris OS. A privileged process runs with assigned
A running program. Trusted Extensions processes have Solaris security attributes, such as user ID (UID), group ID (GID),
the user's audit ID (AUID), and privileges. Trusted Extensions adds a label to every
See rights profile.
- profile shell
A security feature of the Solaris OS. A version of the Bourne
shell that enables a user to run programs with security attributes.
- reading down
The ability of a subject to view an object whose label the subject
dominates. Security policy generally allows reading down. For example, a text editor program
that runs at Secret can read Unclassified data. See also mandatory access control (MAC).
- rights profile
A security feature of the Solaris OS. A rights profile enables a
site's security administrator to bundle commands and CDE actions with security attributes. Attributes such as
user authorizations and privileges enable the commands and actions to succeed. A
rights profile generally contains related tasks. A profile can be assigned to users
and to roles.
A security feature of the Solaris OS. A role is a special
account that gives the user who assumes the role access to certain applications
with the security attributes that are necessary for performing the specific tasks.
- security administrator
On system that is configured with Trusted Extensions, the role that is
assigned to the user or users who are responsible for defining and for
enforcing security policy. The security administrator can work at any label in the
system accreditation range, and potentially has access to all information at the site. The security
administrator configures the security attributes for all users and equipment. See also label encodings file.
- security attribute
A security feature of the Solaris OS. A property of an entity,
such as a process, zone, user, or device, that is related to security.
Security attributes include identification values such as user ID (UID) and group ID (GID). Attributes that are
specific to Trusted Extensions include labels and label ranges. Note that only certain security attributes
apply to a particular type of entity.
- security policy
The set of DAC, MAC, and label rules that define how information can
be accessed and by whom. At a customer site, the set of
rules that defines the sensitivity of the information that is processed at that
site. Policy includes the measures that are used to protect the information from
- Selection Manager
A trusted application of Trusted Extensions. This GUI appears when authorized users attempt
to upgrade information or downgrade information.
- sensitivity label
The time between logging in to a Trusted Extensions host and logging out
from the host. The trusted stripe appears in all Trusted Extensions sessions to confirm
that users are not being spoofed by a counterfeit system.
- session clearance
A clearance set at login that defines the upper boundary of labels for
a Trusted Extensions session. If the user is permitted to set the session
clearance, the user can specify any value within the user's account label range. If the user's
account is configured for forced single-level sessions, the session clearance is set to
the default value specified by the security administrator. See also clearance.
- session range
The set of labels that are available to a user during a
Trusted Extensions session. The session range is bounded at the upper boundary by
the user's session clearance and at the lower end by the minimum label.
- single-label configuration
A user account that has been configured for operation at a single label
only. Also called a single-level configuration.
To counterfeit a software program in order to illegally get access to information
on a system.
- strict dominance
See dominating label.
An active entity, usually a process that runs on behalf of a
user or role. A subject causes information to flow among objects, or changes
the system state.
- system accreditation range
The set of all valid labels for a site. The set includes
the administrative labels that are available to the site's security administrator and system administrator. The system
accreditation range is defined in the label encodings file.
- system administrator
A security feature of the Solaris OS. The System Administrator role can
be assigned to the user or users who are responsible for performing standard
system management tasks such as setting up the non-security-relevant portions of user accounts.
See also security administrator.
- trusted application
An application that has been granted one or more privileges.
- trusted computing base (TCB)
The part of a system that is configured with Trusted Extensions that affects
security. The TCB includes software, hardware, firmware, documentation, and administrative procedures. Utility programs
and application programs that can access security-related files are all part of the
trusted computing base.
- trusted facilities management
All activities associated with system administration in a conventional UNIX system, plus all
of the administrative activities that are necessary to maintain the security of a
distributed system and the data that the system contains.
- Trusted GNOME
A graphical desktop that includes a session manager, a window manager, and various
desktop tools. Trusted GNOME is a fully accessible desktop.
- trusted path
Refers to the mechanism for accessing actions and commands that are permitted to
interact with the trusted computing base (TCB). See also Trusted Path menu, trusted symbol, and trusted stripe.
- Trusted Path menu
A menu of Trusted Extensions operations that is displayed by holding down mouse
button 3 over the switch area of the Front Panel. The menu
selections fall into three categories: workspace-oriented selections, role assumption selections, and security-related tasks.
- trusted stripe
A screen-wide rectangular graphic in a reserved area of the screen. The trusted
stripe appears in all Trusted Extensions sessions to confirm valid Trusted Extensions
sessions. Depending on a site's configuration, the trusted stripe has one or two
components: (1) a mandatory trusted symbol to indicate interaction with the trusted computing base (TCB), and (2) an
optional label to indicate the label of the current window or workspace.
- trusted symbol
The symbol that appears at the left of the trusted stripe area. The
symbol is displayed whenever the user accesses any portion of the trusted computing base (TCB).
- upgraded label
A label of an object that has been changed to a value that
dominates the previous value of the label.
- user accreditation range
The largest set of labels that the security administrator can potentially assign to
a user at a specific site. The user accreditation range excludes the administrative labels
and any label combinations that are available to administrators only. The user accreditation
range is defined in the label encodings file.
- user clearance
A clearance that is assigned by the security administrator. A user clearance defines
the upper boundary of a user's account label range. The user's clearance determines the highest label
at which the user is permitted to work. See also clearance and session clearance.
- user ID (UID)
A security feature of the Solaris OS. A UID identifies a user
for the purposes of discretionary access control (DAC), mandatory access control (MAC), and auditing. See also access permissions.
- well-formed label
A label that can be included in a range, because the label is
permitted by all applicable rules in the label encodings file.
See labeled workspace.