OpenSolaris

Solaris Trusted Extensions™

The Solaris Trusted Extensions project is a reimplementation of Trusted Solaris 8 based on new security features in Solaris 10. It has been renamed because it will be delivered as an optional set of extensions to Solaris. The layered functionality consists of a set of label-aware services that are derived from Trusted Solaris 8.

A partial list of such services includes:

  • Labeled Networking
  • Label-aware Filesystem Mounting and Sharing
  • Labeled Printing
  • Labeled Desktops
    • Java Desktop System
    • Common Desktop Environment
  • Label Configuration and Translation
  • Label-aware System Management Tools
  • Label-aware Device Allocation

Solaris Trusted Extensions extends Solaris security by enforcing a mandatory access control policy. Sensitivity labels are automatically applied to all sources of data (networks, filesystems, windows) and consumers of data (users and processes). Access to all data is restricted based on the relationship between the label of the data (object) and the label of the consumer (subject).

Documentation

A whitepaper, An Architectural Overview of Solaris Trusted Extensions, is a good place to start.

The official Solaris Trusted Extensions Collection is now available on Sun's document website. This includes a developer guide for those who need to know how to write label-aware services.

Getting Started

The Trusted Extensions software was first integrated into OpenSolaris build 37 and was first delivered via Solaris Express 7/06. It was first integrated into the commercial release Solaris 10 11/06, also known as update 3.

Although most of the code is always present in Solaris, to enable this feature you must install additional packages from the Solaris_n/ExtraValue/CoBundled/TrustedExtensions directory, where n is 10 or 11. Before installing the software, please review the README file in that directory.

Required Patches

If you are installing from a Solaris 10 update, you should be aware that there have been quite a few patches issued since the release of update 4. If you are installing from the latest OpenSolaris build, or the upcoming Solaris 10 update 5 beta release, these bugs have already been fixed. The current Solaris 10 Trusted Extensions patch list is available here.

Laptop Configurations

Several people have asked about configuring Trusted Extensions for laptops. The steps are described in Laptop Instructions.

Ongoing Development

The first version of the Trusted Java Desktop (TJDS), based on GNOME 2.16, has been integrated into Nevada build 54. An earlier version of TJDS, based on GNOME 2.6, has been integrated into Solaris 10 11/06. Trusted CDE is also included in both releases and is currently the default multilevel desktop.

Trusted Extensions is now officially supported by Sun Ray Software 4. This includes support for both x86/x64 and SPARC platforms. Among the new features is device allocation of hot-plugged USB devices. For more details, see Sun Ray Tech Specs.