Wednesday Jun 10, 2009

An Update on Sensitivity Labels as ZFS Attributes

 

Last December I posted an entry entitled Maintaining Zone Labels as ZFS Attributes in which I described a prototype for persistent labeling of ZFS datasets. This has become a real project, Security Labels for ZFS, and has been assigned case number PSARC/2009/348. Here is a link to the one-pager.

You can follow along with the review process or contribute to the discussion of the case here.

Saturday Jun 06, 2009

Trusted Extensions in OpenSolaris 2009.06

Last week I attended Community One at which the latest release of OpenSolaris was announced. As in previous versions, running Trusted Extensions requires a few workarounds to deal with changes in zone behavior such as cloning and the use of IPS packages. The steps are described here.

One outstanding issue is the support of sparse-root zones. This is the feature in which the non-global zones share read-only mounts of the global zone's filesystems, such as /usr, /lib, /platform, /sbin, and /opt. While this feature is currently being used in the Trusted Extensions labeled zone configuration, it is not supportable by the underlying IPS packaging system. There is a more complete discussion on this issue in Dan Price's blog entry A field guide to Zones in OpenSolaris 2008.05.

While we are evaluating alternatives to the sparse-root zone configuration, we plan to provide an updated installation procedure based on whole-root zones. These labeled zones will contain only the packages which are necessary and sufficient to run the multilevel desktop. Since all the zones are based on ZFS datasets, cloning will be used to minimize disk space and installation time. These updates will be made available in the Development Release Packaging Repository. I'll make another posting when they are available for download.

 

Safe Browsing Revisited

Almost three years ago I posted an entry entitled Safe Browsing and URL Forwarding in which I described how labeled web browsers could be launched at the label corresponding to the web site. Now BlueSpace has extended that concept in a new product called BlueSpace Multilevel Search and Share (S2). Using their Trusted Service Bus, Trusted Extensions, and Google's enterprise search appliance, they are able to aggregate the search results from multiple labeled networks, without upgrading the data. Search results are labeled according to the network on which they were found. Clicking on a link opens up a browser in a labeled zone corresponding to the label of the data. This approach avoids the problems associated with moving or elevating data between classified networks using guards or proxies.

Here is a link to their press release describing the work in progress.