Regressions Get Fixed

Some months ago I regretfully posted an entry entitled Regressions Shouldn't Happen.

All of the bugs referenced in that posting have been fixed and patches have been released. In addition, a large number of additional bugs have been found and fixed. The current list of required patches is available here, and on the OpenSolaris Trusted Extensions page.  If you are installing from the latest OpenSolaris build, or the upcoming Solaris 10 update 5 beta release, these fixes have already been incorporated into those distributions.

On a related issue, we have completed the integration of all of the "Extra Value" packages for Trusted Extensions into the standard Solaris and OpenSolaris metaclusters. I first wrote about this in Automatic Installation of Trusted Extensions. Starting with the Solaris 10 update 5 beta release, there is no longer any separate installation step for Trusted Extensions software. To enable multilevel security, enable the labeld SMF service with the following command:

svcadm enable -s labeld

Comments:

Woohoo, the metacluster integration is excellent news, and means we no longer have to scratch our heads about writing a TX module for JET :-). Two questions, though: is TX functionality available in everything from SUNWCrnet upwards, and is it feasible / supportable to modify label_encodings and then do a svcadm refresh labeld, rather than a full reboot?

Posted by Dave Walker on December 30, 2007 at 06:28 PM PST #

Yes, TX functionality is available in everything from SUNWCrnet upwards. The corresponding TX functionality for the multilevel desktop and the Solaris Management Console is in the appropriate metaclusters.

You can modify the label_encodings and restart the labeld service without rebooting. However, you should ensure that any classifications and compartments that were in use before restarting the label daemon retain their definition. Otherwise the administrative tools and the window manager won't be able to properly display them. The MAC policy enforcement implemented in the kernel and the X server only relies on binary labels. Label translation is required for user interaction, not for policy enforcement.

Posted by Glenn Faden on January 01, 2008 at 05:12 AM PST #
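
One way to run the check described in the reply above before restarting labeld, as an added example that is not part of the original post or its comments: it lists the classification and compartment definitions in the old label_encodings file that an edited copy changes or drops. The function names label_defs and retired_defs are hypothetical, the sample files are constructed, and the parser assumes each entry's keywords sit on a single line.

```shell
#!/bin/sh
# Added example, not from the original post. Sample files are constructed.

# Print "SECTION|name|bits" for every classification (value=) and every
# word carrying compartments=. Assumes each entry sits on one line.
label_defs() {
    awk '
        /^[ \t]*\*/ { next }                          # comment line
        /^[ \t]*[A-Z ]+:[ \t]*$/ {                    # section header
            if ($0 !~ /WORDS:/) { sec = $0; gsub(/^[ \t]+|:.*$/, "", sec) }
            next
        }
        /name=/ {
            name = ""; bits = ""; n = split($0, f, ";")
            for (i = 1; i <= n; i++) {
                k = f[i]; sub(/^[ \t]+/, "", k)
                v = k; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                sub(/[ \t]*=.*$/, "", k)
                if (k == "name") name = v
                if (k == "value" || k == "compartments") bits = v
            }
            if (name != "" && bits != "") print sec "|" name "|" bits
        }' "$1" | sort
}

# Print definitions in file $1 that are missing or altered in file $2.
# Returns 1 if any exist, i.e. labels already in use could lose their names.
retired_defs() {
    o=$(mktemp); n=$(mktemp)
    label_defs "$1" > "$o"; label_defs "$2" > "$n"
    lost=$(comm -23 "$o" "$n"); rm -f "$o" "$n"
    [ -z "$lost" ] && return 0
    printf '%s\n' "$lost"; return 1
}

dir=$(mktemp -d)
cat > "$dir/old" <<'EOF'
* constructed sample, trimmed to the parts the check reads
CLASSIFICATIONS:
name= PUBLIC; sname= PUB; value= 2; initial compartments= 4;
name= CONFIDENTIAL; sname= CNF; value= 4; initial compartments= 4;
SENSITIVITY LABELS:
WORDS:
name= SANDBOX; sname= SBX; compartments= 6;
EOF
# Proposed edit: adds a classification (harmless) and moves SANDBOX's bit.
sed -e 's/compartments= 6;/compartments= 7;/' -e '/CONFIDENTIAL/a\
name= SECRET; sname= SEC; value= 5; initial compartments= 4;' "$dir/old" > "$dir/new"
retired_defs "$dir/old" "$dir/new" || echo "review before: svcadm restart labeld"
```

On Solaris 10 the default /usr/bin/awk is the legacy awk without sub() and gsub(), so substitute nawk when running this there.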

Another thought - if TX is going to be fully integrated into Solaris, rather than a separately-installed entity, can we expect to see TX patches become part of the standard 10_Recommended patch cluster, rather than the current situation of having to search for them and download them individually?

Posted by Dave Walker on January 31, 2008 at 05:41 PM PST #

About

This blog explores some of the security features of Oracle Solaris. In particular, topics such as Role-Based Access Control and Labeled Security are my special interests.
