Changes from Trusted Solaris 2.5.1 to Trusted Solaris 7

Trusted Solaris 7 changes affect users, administrators, and developers. Changes are in the areas of:

• "Authorization and Privilege Differences"

• "Commands and Functions"

• "File Systems and Mounting"

• "Labels"

• "Installation and Configuration"

• "Login and Remote Login"

• "Man Pages"

• "Printing"

• "System Start and Shutdown"

Installation and Configuration

The Trusted Solaris 2.5.1 system required the install team to configure labels during installation. In Trusted Solaris 7, the install team configures labels after installation.

Installation Differences

Installation on most hardware is identical to Solaris 7 installation. The two exceptions are:

• Solaris^TM Web Start is not supported

• Installing and configuring the Sun Enterprise^TM 10000 (E10000), also called Starfire^TM, is modified for Trusted Solaris security. See Trusted Solaris 7 Installation and Configuration on the Sun Enterprise 10000 for explanation and procedures.

Solaris installation features that Trusted Solaris 7 supports include:

• Trusted Solaris network and jumpstart installations are identical to Solaris network and jumpstart installations.

• sys-unconfig(1M) is supported.

• Unlike Trusted Solaris 2.5.1 installation, Trusted Solaris 7 installation does not offer label configuration options; sensitivity labels are configured after installation, not during. Therefore, the config_data file and its corresponding man page do not exist since there are no Trusted Solaris configuration options for network installations.

To distribute a site label encodings file during installation in Trusted Solaris 7 requires a customized JumpStart installation. See "Create a Finish Script to Add Files after Installation" in Trusted Solaris Installation and Configuration for an example.

Configuration Differences

To change default label configuration values, the security administrator edits the /etc/system file.

To enable the Stop-A shutdown mechanism, the security administrator edits the /etc/default/kbd file, except on the Sun Enterprise 10000, where the abort_enable keyword in the /etc/system file is still operative.

The Check Encodings System_Admin action enables an administrative role to install a site-specific label_encodings file.

Labels

Trusted Solaris 7 does not configure labels during installation (see "Installation and Configuration", documents how to create many compartments in labels, and does not support information labels.

Large Numbers of Compartments

"Bits Available for Classification and Compartment Components" in Trusted Solaris Label Administration documents how to create and manage large numbers of compartments in a label_encodings file.

Information Labels

Information labels (ILs) are not supported in Trusted Solaris 7 and later releases. Trusted Solaris software interprets any ILs on communications and files from systems running earlier releases as ADMIN_LOW.

Objects still have CMW labels, and CMW labels still include the IL component: IL[SL]; however, the IL component is fixed at ADMIN_LOW.

As a result, Trusted Solaris 7 has the following characteristics:

• ILs do not display in window labels; SLs (Sensitivity Labels) display alone within brackets.

• ILs do not float.

• Setting an IL on an object has no effect, and getting an object's IL will always return ADMIN_LOW.

• Although certain utilities, library functions, and system calls can manipulate IL strings, the resulting ILs cannot be set on any objects.

• Sensitivity labels, not information labels, display on printer banners and body pages.

• Options related to information labels in the label_encodings(4) file can be ignored.

• IL-related privileges are no longer used. See "Authorization and Privilege Differences" for a list.

• In auditing, the ilabel token is recorded as ADMIN_LOW, when it is recorded. The audit event numbers 519 (AUE_OFLOAT), 520 (AUE_SFLOAT), and 9036 (AUE_iil_change) continue to be reserved, but those events are no longer recorded.

Printing

Adding Trusted Solaris security to Solaris 7 printing changed several things about printing in the Trusted Solaris environment.

• Additional printing authorizations handle printing capabilities. Trusted Solaris 7 checks for user authorization where Trusted Solaris 2.5.1 checked for privilege. See "Authorization and Privilege Differences".

• Network printers do trusted printing only when directly cabled to a Trusted Solaris print server.

• Network printers can be configured as standalone nodes on the network to print at a single label without labeled output, by assigning the printer an IP address and a host name. See "Managing Printing" in Trusted Solaris Administrator's Procedures for the complete procedures.

• Users who print to a single-label printer from a trusted printer cannot list or delete the jobs in the queue.

File Systems and Mounting

The Trusted Solaris 7 implementation of file system security attributes is similar to the Solaris 7 implementation instead of the Trusted Solaris 2.5.1 implementation. Instead of attributes stored on a filesystem inode, the operating system manages the filesystem security attributes. The new implementation has consequences for Trusted Solaris 7 administrators:

Mount-time security attributes may be specified either by using the mount(1M) command with the -S option on the command line or by specifying the attributes in the vfstab_adjunct file. Mount-time security attributes override existing security attributes on a file system. However, they never override security attributes on the files and directories within the file system. When access-control decisions are made, security attributes on a file or directory take precedence over security attributes specified either at the filesystem level or at mount time.

• Filesystem security attributes are not assigned using the tsol_attr flag; the flag has been removed.

Login and Remote Login

The Enable Logins dialog box offers more choices to the user.

Roles now have the remote login authorization in a profile. The root role has the authorization in the Maintenance and Repair profile. Remote logins by roles requires an additional step on every host where the roles need to remotely log in. See "Allowing Remote Logins by Administrative Roles" in Trusted Solaris Administrator's Procedures for the procedure.

In Trusted Solaris 2.5.1, the value for MAXBADLOGINS was set by default to 3 in the /etc/default/passwd file. Trusted Solaris 7 follows the Solaris model: the default of 5 for the variable RETRIES is set in the /etc/default/login file.

System Start and Shutdown

In Trusted Solaris 2.5.1, to enable a user to use the Stop-A sequence to bring down the computer, the administrator set the abort_enable keyword in the /etc/system file to 1. In Trusted Solaris 7, the administrator uncomments the #KBD_ABORT=enable line in the /etc/default/kbd file. By default, Stop-A is disabled.

Man Pages

Man pages are in a different format, have a different naming scheme, and can be viewed using AnswerBook2^TM technology. Changes in product functionality have caused corresponding changes in the man pages.

• Man pages are in SGML (Standardized General Markup Language). The online man command handles SGML; printed output is in troff.

• Most Trusted Solaris man pages are integrated into the SUNWman package; therefore, the tsol extension is not used. To view man pages in the Trusted Solaris environment, use the same syntax as in the Solaris 7 environment:

  man setfsattr man -s2 chmod man ls

• Answerbook technology is now browser-based. The Trusted Solaris 2.5.1 answerbook command (/usr/openwin/bin/answerbook) does not support this functionality. To view Sun's Solaris 7 and Trusted Solaris 7 documentation, use the command /usr/dt/bin/answerbook2, or choose the AnswerBook2 option from the Help menu on the Front Panel.

• The following man pages do not have Trusted Solaris specific modifications due to changes in installation:

  • install_scripts(1M)

  • add_install_client(1M)

  • rm_install_client(1M)

  • setup_install_server(1M)

• The following man pages have been moved or added due to changes in functionality:

  • dtappsession(1) -- Added to CDE man pages

  • mldstat(3) and mldlstat(3) -- Moved from system calls to library routines.

  • door_create(3x) and door_tcred(3x) -- Added Trusted Solaris security.

  • pam_tp_auth(5) and pam_tsol(5) -- Added Trusted Solaris security.

  • kbd(1) -- Added Trusted Solaris security. See "System Start and Shutdown".

• The following man pages have been removed due to changes in implementation:

  • config_data(4TSOL)

  • msgrcvl(2TSOL)

  • msgsndl(2TSOL)

  • semopl(2TSOL)

Commands and Functions

Commands and functions have been modified due to technical changes in the product and removal of nonstandard interfaces.

• The Pluggable Authentication Module (PAM) allows the customer to plug in a customized static randomword function.

• The following /usr/proc/bin/ commands have a standard interface:

  • pattr(1)

  • pclear(1)

  • plabel(1)

  • ppriv(1)

• The Trusted Solaris 2.5.1 mldstat() and mldlstat() system calls are library routines in Trusted Solaris 7.

• The runpd(1M) command has a slightly changed setup procedure.

Authorization and Privilege Differences

The lists of authorizations and privileges have changed. There are new authorizations, removed privileges, and new privileges. Authorizations are now handled by number rather than by manifest constant.

The following authorizations have been added for the printing system:

• TSOL_AUTH_PRINT_CANCEL

• TSOL_AUTH_PRINT_LIST

• TSOL_AUTH_PRINT_MAC_OVERRIDE

The privilege PRIV_SYS_SYSTEM_DOOR has been added.

The following IL-related privileges have been removed:

• PRIV_FILE_DOWNGRADE_IL

• PRIV_FILE_NOFLOAT

• PRIV_FILE_UPGRADE_IL

• PRIV_IPC_DOWNGRADE_IL

• PRIV_IPC_NOFLOAT

• PRIV_IPC_UPGRADE_IL

• PRIV_NET_DOWNGRADE_IL

• PRIV_NET_NOFLOAT

• PRIV_NET_UPGRADE_IL

• PRIV_PROC_NOFLOAT

• PRIV_PROC_SETIL

• PRIV_WIN_DOWNGRADE_IL

• PRIV_WIN_NOFLOAT

• PRIV_WIN_UPGRADE_IL