116 CHAPTER 8. CASE STUDY: SOLARIS TRUSTED EXTENSIONS
The network attributes database is maintained in an LDAP directory and shared by all trusted
systems comprising a network of multilevel systems. IPsec can be used to authenticate the source
IP addresses associated with incoming network packets. IPsec enforces integrity protection, and is
used to encrypt data on multilevel networks.
Zones can be configured to share a single IP address, or they can be assigned unique IP
addresses. Similarly, they can share the same physical network interface, or can be configured to use
separate network interfaces. Both shared and per-zone IP addresses can be used concurrently, with
different labeling policies for each IP address. Solaris Zones technology allows multiple zones to
share a single network interface through the use of virtual interfaces.
Sharing of IP addresses is possible in Trusted Extensions because each packet is labeled. When
a packet is received, the kernel uses the label of the packet to determine the appropriate zone to which
it is authorized to be delivered. Sharing a single IP address for all zones is convenient for workstations
and laptops, especially when DHCP is used. This simplifies deployment into infrastructures with
limited IP addresses.
8.7 TRUSTED EXTENSIONS MULTILEVEL SERVICES
By default Solaris 10 with Trusted Extensions enables the following multilevel services:
• X11 Window System with the Common Desktop Environment (CDE) or the Gnome-
• Printing using the Internet Protocol Printing or BSD Protocol Printing
• Network File System
• Sun Directory Server (LDAP server)
• Label Translation Service
• Name Service Cache Daemon
All other services are polyinstantiated in each zone. However, additional multilevel services
such as Web Servers and Secure Shell can be enabled administratively via the Trusted Path. We discuss
the multilevel window system and printing in detail below. We also discuss the use of multilevel
services across the network, using the labeled networking described in the previous section.
Users can log in via the Trusted Path and can be authorized to select their multilevel desktop
preference (CDE or Gnome-based). Once authenticated they are presented with an option to select
an explicit label or a range of labels within their clearance and the label range of their workstation or
Sun Ray desktop unit. The window system initiates a user session in the zone whose label corresponds
to the user’s default or minimum label.
The window system provides menus for interacting with the Trusted Path to change the label
of the current workspace or to create additional labeled workspaces. For each selected label, the
window system starts another user session in the corresponding zone. All of these user sessions run
concurrently and are subjects of the user’s identity that was established during the initial authentication.
Each window is visibly labeled according to the zone or host with which it is associated.
Although users can simultaneously interact with windows running in multiple zones, the applications
themselves remain isolated.
Attempts to cut and paste data, or drag and drop files between clients running in different zones
are mediated by the Trusted Path. Specific authorizations are required for upgrading or downgrading
selections and files, and are prohibited by default. Figure 8.4 shows a screen shot of an authorized
user interacting with the Trusted Path to upgrade a selection.
Figure 8.4: Multilevel Cut and Paste in Trusted JDS
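The mediation decision described above can be modeled in a few lines. This is an added example, not code from the book or from Trusted Extensions. It assumes a label is a hierarchical level plus a compartment set, uses hypothetical authorization names, and treats a transfer to an incomparable label as a downgrade.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    level: int                               # higher value = more sensitive
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # Dominance: at least the same level and a superset of compartments.
        return (self.level >= other.level
                and self.compartments >= other.compartments)

# Hypothetical authorization names for this model (not taken from the page).
UPGRADE = "selection.upgrade"
DOWNGRADE = "selection.downgrade"

def mediate_transfer(src, dst, user_auths=frozenset()):
    """Decide a cut-and-paste or drag-and-drop from a client at label
    src to a client at label dst.

    Returns (allowed, authorization_required_or_None).
    """
    if src == dst:
        return True, None                    # same label: nothing is relabeled
    # A dominating destination means the data is upgraded. Any other
    # destination (lower or incomparable) is treated as a downgrade here,
    # which is an assumption of this model.
    needed = UPGRADE if dst.dominates(src) else DOWNGRADE
    # With no authorizations granted, every cross-label transfer is refused,
    # matching the "prohibited by default" behavior in the text.
    return needed in user_auths, needed

# Constructed sample labels.
PUBLIC = Label(0)
INTERNAL = Label(1)
INTERNAL_HR = Label(1, frozenset({"hr"}))
INTERNAL_ENG = Label(1, frozenset({"eng"}))

if __name__ == "__main__":
    cases = [
        ("PUBLIC -> INTERNAL, no auths", PUBLIC, INTERNAL, frozenset()),
        ("PUBLIC -> INTERNAL, upgrade", PUBLIC, INTERNAL, frozenset({UPGRADE})),
        ("INTERNAL -> PUBLIC, upgrade", INTERNAL, PUBLIC, frozenset({UPGRADE})),
        ("HR -> ENG, downgrade", INTERNAL_HR, INTERNAL_ENG, frozenset({DOWNGRADE})),
    ]
    for name, src, dst, auths in cases:
        print(name, mediate_transfer(src, dst, auths))
```
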
Devices represent a security threat because they can be used to import and export data from the
system. In Trusted Extensions, removable media devices are administered through the Trusted Path
menu. The window system provides a Trusted Path interface for device allocation which provides