Labeled security in Oracle Solaris is provided by the Trusted Extensions feature.
The Trusted Extensions feature of Oracle Solaris is an optionally enabled layer of secure labeling technology that enables data security policies to be separated from data ownership. Trusted Extensions supports both traditional discretionary access control (DAC) policies based on ownership, as well as label-based mandatory access control (MAC) policies. Unless the Trusted Extensions layer is enabled, all labels are equal so the kernel is not configured to enforce the MAC policies. When the label-based MAC policies are enabled, all data flows are restricted based on a comparison of the labels associated with the processes (subjects) requesting access and the objects containing the data.
The Trusted Extensions implementation is unique in its ability to provide high assurance, while maximizing compatibility and minimizing overhead. Trusted Extensions is part of the Oracle Solaris 11 Common Criteria EAL4+ Certification.
Trusted Extensions meets the requirements of the Common Criteria Labeled Security Package (LSP). See Oracle Solaris 11 Common Criteria EAL4+ Certification.
For more information, see the following:
For information about configuring and maintaining Trusted Extensions, see Trusted Extensions Configuration and Administration.
Selected man pages include trusted_extensions(5), labeladm(1M), and labeld(1M).
By default, filesystems are assigned a single label in a zone at that same label. You can create a multilevel ZFS dataset, mount it on a Trusted Extensions system, and with appropriate permissions, upgrade and downgrade the files in that dataset. For more information, see Multilevel Datasets for Relabeling Files in Trusted Extensions Configuration and Administration.
Trusted Extensions labels network communications. Data flows are restricted based on a comparison of the labels associated with the originating network endpoint and the receiving network endpoint. Gateways and in-between hops must also be labeled to allow the passage of information at the label of the communication. NFS and multilevel ZFS datasets provide additional features on a network.
For more information, see the following:
Chapter 15, Trusted Networking in Trusted Extensions Configuration and Administration
Unlike most other multilevel operating systems, Trusted Extensions includes a multilevel desktop. Users can be configured to see only their allowed labels. Each label can be configured to require a separate password.
For more information, see Trusted Extensions User’s Guide. To configure users, see Chapter 11, Managing Users, Rights, and Roles in Trusted Extensions in Trusted Extensions Configuration and Administration.