| Feature | Solaris Trusted Extensions | SELinux |
| --- | --- | --- |
| Multiple policy configurations | Supports Secure by Default (labeled and unlabeled) and Trusted Extensions (labeled). | Supports Targeted (unlabeled), Strict (unlabeled), and MLS (labeled). |
| Policy hooks | Uses a private set of policy hooks. | Uses the Linux Security Module framework. |
| Integration with the OS | Tightly coupled with the Solaris OS. | SELinux module is not available in all Linux distributions. |
| Flexible policy | Implements consistent and reliable MLS policies in the kernel so policies are always in effect when labeling is enabled. Enhances the X11 server with MLS policy and provides some limited flexibility to address older X11 implementations. | Relies on policy language primitives to explicitly declare the MLS rules for all object classes and data flows. Does not support any windowing system components. |
| File systems | Supports all the file systems that the Solaris OS supports. Provides MLS support for NFS clients and servers. Supports a heterogeneous system environment in conformance with MLS policy. | Supports only the customized file systems. Does not include MLS support for NFS clients and servers. Does not support a heterogeneous system environment. |
| Device allocation | Supports CD-ROM, diskette, and USB devices. | Supports CD-ROM and diskette devices. |
| Protection of higher-level file names | Prevents a lower-level process from determining the existence or the name of higher-level files. | Does not sufficiently protect names of higher-level files from being seen in a directory that is read-accessible to a process. |
| Performance | Does not impact the performance of file I/O operations when labeling is enabled. | Imposes a pronounced performance overhead to file I/O operations when the SELinux module is loaded. [1] |
| Resource management | Enables a security administrator to assign system resources to labeled zones based on sensitivity labels. | Supports no comparable feature. |
| Resource polyinstantiation versus resource sharing | Polyinstantiates all resources in a zone by default and specifies the sharing of individual file systems as part of the zone configuration. Supports polyinstantiated network ports. | Uses a configuration file to enumerate the list of polyinstantiated directories and how they are polyinstantiated. Does not support polyinstantiated network ports. |
| Trusted processes | Uses LDAP to support a distributed TCB in the global zone, which eases administration. Prevents privilege escalation by protecting root-owned objects. Restricts access to the global zone by means of Trusted Path interfaces, such as the windowing system. | Does not support a distributed TCB for SELinux policies. Uses the newrole command with the sysadm_r role to transition the user to the sysadm_t domain. Associates the root user ID with most SELinux roles because all capabilities are required to perform operations prior to invoking the SELinux policy module. |
| Security context transitions | Provides a one-way transition from the global zone to labeled zones. | Provides a transition mechanism in which the execution of an application transitions the process to a new domain. |
| Label specifications | Conforms to the U.S. Government label encoding specification. | Has minimal label translation functionality. |
| User authorizations | Uses authorizations to enable trusted programs to determine whether a user may perform a special function. | Defines object classes and permissions that correspond to kernel-maintained objects but are not oriented to trusted application policy decisions. |
| Trusted networking | Provides multilevel networking support with strategies to implicitly and explicitly label network packets. Supports CIPSO for IPv4 and IPv6. Uses IPsec with CIPSO. Provides network port polyinstantiation. Allows specification of explicit labels and ranges to include disjoint labels. Provides uniform APIs to determine the label of the network peer for any local or remote connection-oriented protocol. | Provides multilevel networking support with strategies to implicitly and explicitly label network packets. Supports CIPSO for IPv4 only. Uses IPsec with labeled SAs. Does not provide network port polyinstantiation. Does not allow specification of explicit labels and ranges to include disjoint labels. Provides APIs to determine the label of the network peer, but only for IPsec and local connections. |
| Auditing and policy violations | Adds subject and object labels to Solaris audit events and records policy violations. Supports XML output format. | Provides a permissive policy interpretation mode in which violations are permitted and logged in the audit trail. Must relabel file systems after running in permissive mode to properly record new file labels. |
| Multilevel printing | Provides an RBAC authorization infrastructure. | Does not provide an RBAC authorization infrastructure. |
| Multilevel desktop environment | Supports single-level and multilevel desktop environments. | Does not support single-level or multilevel desktop environments. |
| Product maturity | Continues a long tradition of trusted operating systems from Sun. Implements a new architecture based on zones, yet retains essentially all the features of its predecessor. Introduces the latest of the four multilevel windowing systems. Offers support, training, and extensive high-quality documentation. | Discourages the use of the MLS policy configuration for general-purpose cases. Implements a significantly more complex solution for MLS and RBAC. Offers minimal documentation. |