- Chapter 1: Overview
- Chapter 2: Solaris RBAC Implementation
- Chapter 3: Solaris Management Console Launcher
- Chapter 4: Trusted Solaris RBAC Implementation
- Chapter 5: Appendix 1--RBAC Example Instructions
- Chapter 6: Appendix 2--Comparison of the RBAC Implementation with Sudo
- Chapter 7: Resources
- Copyright Information
Chapter 4: Trusted Solaris RBAC Implementation
Sun's Trusted Solaris 8 Operating Environment is designed for deployments requiring enhanced security and policy enforcement. It uses the same model and databases to implement RBAC as the Solaris 8 environment. As mentioned earlier, the attributes in the databases are extensible; Trusted Solaris simply adds other key/value pairs. The Trusted Solaris implementation also has these additional features:
- CDE actions can have security attributes assigned and can be packaged in rights profiles.
- Two additional security attributes, privileges and sensitivity labels, can be assigned to commands and CDE actions.
A privilege is a discrete right granted to a process to perform an operation that would otherwise be prohibited by the Trusted Solaris environment. It is similar to an authorization but is assigned to processes rather than roles or users. Privileges can be passed from parent processes to the child processes they execute.
The file_dac_read privilege provides a good example of how privileges work. Processes cannot normally open data files unless they have the proper file permission. In the Trusted Solaris environment, the file_dac_read privilege gives a process the ability to override the UNIX file permissions for reading a file.
A sensitivity label is a tag applied to processes and files as part of mandatory access control. With mandatory access control, all users operate at a sensitivity label proportional to a level of trust, and all resources (files) are assigned sensitivity labels according to the degree to which specific classes of users are permitted to see or modify them. The Trusted Solaris environment ensures that no process with an insufficient sensitivity label can access a file with higher sensitivity (at least not without an overriding authorization or privilege). Furthermore, no process can write a file at a lower sensitivity than the process's sensitivity label; this protects sensitive information from being downgraded.
Figure 10 compares the dialog boxes that apply security attributes in the Rights tool in both the Trusted Solaris and Solaris environments.
Figure 10 Comparison of Solaris and Trusted Solaris Security Attributes.
Figure 11 shows all RBAC elements available in the Trusted Solaris environment; those RBAC elements unique to the Trusted Solaris Environment appear in shaded boxes.
Figure 11 Trusted Solaris RBAC Element Assignments
The Solaris Management Console interface and the five RBAC databases (user_attr, auth_attr, prof_attr, exec_attr, and policy.conf) are used in the Trusted Solaris environment and are fully compatible with the Solaris environment. If a system running either the Trusted Solaris or Solaris environment encounters unrecognized attributes (key/value pairs) in these databases, the attributes are simply ignored. It is thus possible to administer hosts in one environment from a server in the other environment.
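As an added example (not code from the Sun white paper), the following Python model plays through the checks this chapter describes: label dominance for mandatory access control, the file_dac_read privilege overriding only the discretionary read check, and an exec_attr-style entry whose unrecognized attribute key is carried along but never acted on. The exec_attr field layout is the documented one; the "privs" key, the label scale, the profile name, the path and the "tsol_only" key are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    """Sensitivity label: classification level plus a set of compartments."""
    level: int                      # constructed scale: 0 PUBLIC, 1 CONFIDENTIAL, 2 SECRET
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # Higher-or-equal level and a superset of the other label's compartments.
        return self.level >= other.level and other.compartments <= self.compartments

def parse_exec_attr(line):
    """Parse one exec_attr(4)-style line: name:policy:type:res1:res2:id:attr.
    The attr field holds key=value pairs separated by ';'. Keys this model does
    not understand are kept but never acted on, mirroring how Solaris and
    Trusted Solaris ignore each other's unrecognized attributes."""
    name, policy, typ, _res1, _res2, ident, attr = line.rstrip("\n").split(":", 6)
    attrs = dict(pair.split("=", 1) for pair in attr.split(";") if pair)
    return {"name": name, "policy": policy, "type": typ, "id": ident, "attrs": attrs}

def privs_of(entry):
    """Privilege names from the (assumed) 'privs' key; empty set if absent."""
    return set(filter(None, entry["attrs"].get("privs", "").split(",")))

def mac_allows(proc_label, file_label, mode):
    """Mandatory access control as stated above: no read up, no write down."""
    if mode == "read":
        return proc_label.dominates(file_label)
    return file_label.dominates(proc_label)      # writing to a lower label is refused

def dac_allows(uid, f, mode):
    """Minimal UNIX permission check (owner and 'other' bits only; no groups)."""
    bits = (f["mode"] >> 6) if uid == f["owner"] else f["mode"]
    return bool(bits & (0o4 if mode == "read" else 0o2))

def access_allowed(proc, f, mode):
    """MAC is checked first; file_dac_read then overrides only the DAC read
    check. It never lets a process read above its own sensitivity label."""
    if not mac_allows(proc["label"], f["label"], mode):
        return False
    if mode == "read" and "file_dac_read" in proc["privs"]:
        return True
    return dac_allows(proc["uid"], f, mode)

# Constructed sample entry and objects (not real Trusted Solaris profile data).
ENTRY = parse_exec_attr(
    "Example Profile:suser:cmd:::/usr/local/bin/viewer:privs=file_dac_read;tsol_only=x")
SECRET, CONF = Label(2, frozenset({"proj"})), Label(1, frozenset({"proj"}))
FILE = {"owner": 100, "mode": 0o600, "label": CONF}      # readable only by uid 100
PLAIN = {"uid": 200, "label": SECRET, "privs": set()}
PRIVILEGED = {"uid": 200, "label": SECRET, "privs": privs_of(ENTRY)}
LOW = {"uid": 200, "label": Label(0), "privs": privs_of(ENTRY)}
```

Running `access_allowed(PLAIN, FILE, "read")` is refused by the permission bits, `access_allowed(PRIVILEGED, FILE, "read")` succeeds because of file_dac_read, and `access_allowed(LOW, FILE, "read")` stays refused because the privilege does not relax the label check.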
For more information on the Trusted Solaris environment, see the "Trusted Solaris 8 Operating Environment" white paper at http://www.sun.com/software/whitepapers.html#security.