Glenn Faden's Blog

  • December 28, 2007

Regressions Get Fixed

Guest Author

Some months ago I regretfully posted an entry entitled Regressions Shouldn't Happen.

All of the bugs referenced in that posting have been fixed and patches have been released. In addition, a large number of additional bugs have been found and fixed. The current list of required patches is available here, and on the OpenSolaris Trusted Extensions page.  If you are installing from the latest OpenSolaris build, or the upcoming Solaris 10 update 5 beta release, these fixes have already been incorporated into those distributions.

On a related issue, we have completed the integration of all of the "Extra Value" packages for Trusted Extensions into the standard Solaris and OpenSolaris metaclusters. I first wrote about this in Automatic Installation of Trusted Extensions.  Starting with the Solaris 10 update 5 beta release, there is no longer any separate installation step for Trusted Extensions software. To enable multilevel security, you will need to enable the labeld SMF service with the following command:

svcadm enable -s labeld


Comments ( 3 )
  • Dave Walker Monday, December 31, 2007

    Woohoo, the metacluster integration is excellent news, and means we no longer have to scratch our heads about writing a TX module for JET :-). Two questions, though: is TX functionality available in everything from SUNWCrnet upwards, and is it feasible / supportable to modify label_encodings and then do a svcadm refresh labeld, rather than a full reboot?

  • Glenn Faden Tuesday, January 1, 2008

    Yes, TX functionality is available in everything from SUNWCrnet upwards. The corresponding TX functionality for the multilevel desktop and the Solaris Management Console is in the appropriate metaclusters.

    You can modify the label_encodings and restart the labeld service without rebooting. However, you should ensure that any classifications and compartments that were in use before restarting the label daemon retain their definition. Otherwise the administrative tools and the window manager won't be able to properly display them. The MAC policy enforcement implemented in the kernel and the X server only rely on binary labels. Label translation is required for user interaction, not for policy enforcement.
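The reply above says that classifications and compartments must retain their definition across a labeld restart. The following is an added example, not part of the original post or comments and not Sun's tooling: a pre-restart check that compares the binary definitions in two label_encodings files. It assumes a simplified reading of the format (`keyword= value;` fields, `*` comment lines, section headers ending in a colon); the sample files and function names are constructed for illustration, and it checks every defined label rather than only those in use.

```python
import re

# Constructed sample encodings (not from the original post), reduced to the
# keywords this check reads; real files carry many more sections and keywords.
OLD = """\
* comment lines start with an asterisk
CLASSIFICATIONS:
name= PUBLIC; sname= PUB; value= 2;
name= CONFIDENTIAL; sname= CNF; value= 4;
SENSITIVITY LABELS:
WORDS:
name= INTERNAL USE ONLY; sname= INTERNAL; compartments= 1 ~2; minclass= CNF;
name= NEED TO KNOW; sname= NTK; compartments= 1-2; minclass= CNF;
"""
NEW = OLD.replace("value= 4", "value= 5").replace(
    "name= NEED TO KNOW; sname= NTK; compartments= 1-2; minclass= CNF;\n", "")

SECTIONS = {"CLASSIFICATIONS:": "classification", "SENSITIVITY LABELS:": "compartment word"}
BINARY_KEY = {"classification": "value", "compartment word": "compartments"}

def binary_definitions(text):
    """Map (kind, name) -> binary definition (class value or compartment bits)."""
    defs, kind, name = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        if re.fullmatch(r"[A-Z ]+:", line):  # section header; WORDS: keeps its parent
            kind = SECTIONS.get(line, kind if line == "WORDS:" else None)
            name = None
            continue
        for field in line.split(";"):
            key, sep, value = field.partition("=")
            key, value = key.strip().lower(), " ".join(value.split())
            if not sep or kind is None:
                continue  # not a keyword field, or a section this check ignores
            if key == "name":
                name = value
            elif key == BINARY_KEY[kind] and name:
                defs[(kind, name)] = value
    return defs

def redefined(old_text, new_text):
    """Definitions in the old encodings that the new file changes or drops."""
    old, new = binary_definitions(old_text), binary_definitions(new_text)
    return sorted((kind, name, bits, new.get((kind, name)))
                  for (kind, name), bits in old.items()
                  if new.get((kind, name)) != bits)
```

An empty result from `redefined()` means every name in the old file still maps to the same binary value, so labels already assigned will still translate for display after the restart.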

  • Dave Walker Friday, February 1, 2008

    Another thought - if TX is going to be fully integrated into Solaris, rather than a separately-installed entity, can we expect to see TX patches become part of the standard 10_Recommended patch cluster, rather than the current situation of having to search for them and download them individually?
