Question

I was surprised when the window for a newly-installed application displayed without a label. I thought the window manager was responsible for the labels. Is the window unmanaged somehow?

Answer

The window manager is correctly managing the window. The application has simply requested that its window not have any decorations. The window system always enforces the Trusted Solaris security policy, whether or not labels are displayed.

The Trusted Solaris window system supports the display of labels in a region at the window's top. Whether a label displays on an application's window, and how much of it displays, depends on a lot of factors. There is no requirement that every window must have a label. So, for example, windows brought up by the root role have no labels. And the types of labels displayed for users, or whether they see labels at all, depend on how the security administrator has configured a user's account:
The trusted stripe and the trusted path menu give users a means to check the label of a window, providing protection against Trojan horse applications that might try to spoof labels. When administrators configure Trusted Solaris users to work at multiple labels and to see labels, they also need to educate the users to check window labels.

In summary, the Trusted Solaris environment addresses the risk of Trojan horses by providing tools for detection. Users need both to be educated and to make use of the tools provided. Because the trusted stripe cannot be obscured, and because both the trusted stripe and the Query Window Label option on the Trusted Path menu provide means to obtain reliable label data, users cannot be spoofed by a Trojan horse application.

Related Information

Following are some of the most important points that users and administrators should be aware of.

For users who are configured to be able to see labels, a trusted stripe displays below the Front Panel at the bottom of the workspace. Users who cannot see labels see the trusted stripe as an icon. Users who are configured to see sensitivity labels should make a practice of checking the trusted stripe for its display of the sensitivity label of the window with the current focus.

Instructions for Users

To check the label of a window:

Users should also check the trusted stripe when using any option
from the trusted path menu, because any action performed from this
menu, such as entering a password, is security-relevant.

NOTE for Administrators: Query Window Label is always on the trusted path menu. The results of the Query Window Label option depend on whether information labels (ILs) are enabled, and whether the user's account is configured to hide sensitivity labels (SLs), hide ILs, or hide both SLs and ILs. It is the security administrator's responsibility to ensure that inappropriate combinations are not assigned. For example, when the system has ILs disabled, a single IL is used system wide, and a user with the "show ILs" configuration might be confused.

Related Documentation

See the "Elements of the Trusted Solaris Environment" in the Trusted Solaris User's Guide for snapshots of the trusted stripe, of the trusted shield, and for more information on the protections provided. Also see the "Changing Configurable Trusted Solaris Kernel Switches" in the Administrator's Procedures manual for how the settings of label-related kernel switches and user configuration options affect which labels a user sees in the trusted stripe.

Applies to Trusted Solaris Release 1,2, 2.5, 2.5.1, 7, 8