As just emailed to the fine folk on security-discuss-AT-opensolaris-DOT-org:
I will shortly have a working set of scripts to assist in the
configuration and administration of Trusted Extensions (TX) systems
as another element of the "TX-Ranger" initiative, which I've blogged
about a little at http://blogs.sun.com/davew/entry/building_tx_ranger.
The idea driving TX-Ranger is to make TXs much easier to set up,
play with, hack on, test software with and evaluate in a development
environment than it currently is. TX is stunning technology,
applicable to far more environments than those in which I see it
currently being considered, and it would be a huge shame if its
adoption was hampered by a lack of a few tools to make setting it up
a straightforward exercise. I want to "make the world a more labelled
place", so the easier it is for folk to flex TX's muscles for their
purposes, the wider I'll grin :-).
While Trusted Solaris 8 found an almost exclusive home in Defence and
Intelligence environments, changes in legislation and configuration
mean that Trusted Extensions is far more applicable to today's
academic and commercial world. Although the default set of labels
(in /etc/security/tsol/label_encodings) reflects this, many
organisations (and users) which don't traditionally do data
classification could still benefit enormously from it simply by
having two labels of "Internet" and "Internal", and allowing data to
be written up from "Internet" but not down to it, thus preventing
most types of data leak.
Glenn Faden already has some nifty tools for his "safe browsing"
environment posted at http://blogs.sun.com/gfaden/entry/
want_to_try_safe_browsing, but this still requires having the base
TX system configured correctly.
The TX-Ranger scripts automate much of the current manual effort
required to configure a TX environment. While I've been made aware
that some prototype Jumpstart tools exist for TX configuration, I
have been careful not to examine them as their Open status is not
currently guaranteed. The author of the TX-Ranger scripts being
offered, Jeff Turner of Context-Switch, has kindly agreed that
they can be released to opensolaris.org under a CDDL licence.
Among other things, these scripts (and attendant TX configuration
files) will reduce the administrative work needed to set up a new
label compartment element, to:
assign-compartment <name> <name presented in list by previous command>
...which is rather more straightforward than the current need to
manually modify label_encodings and either put hex-containing strings
into tnrhtp or do much mouse-shuffling around the Solaris Management
Also, once a label exists, actually making it function currently
involves assigning it to a zone, potentially assigning it its own
physical interface with zonecfg, cloning the zone, tweaking the
zone's config to give it an appropriate IP address, etc. While the
elegant little txzonemgr GUI tool makes some of this easier than it
sounds, it's still not as easy as:
activate-label <label> <physical interface> <IP addr>
...which is how one of the TX-Ranger scripts is driven :-).
I'd love to hear about how I can best share this material with the
OpenSolaris security community.
"The future's bright, the future's labelled" :-).
Client Solutions, Sun Microsystems UK
Tel: +44 780 3079264