Customizing the User Environment for Security (Task Map)
The following task map describes common tasks that you can perform when customizing
a system for all users, or when customizing an individual user's account.
How to Modify Default User Label Attributes
You can modify the default user label attributes during the configuration of the
first system. The changes must be copied to every Trusted Extensions host.
Before You Begin
You must be in the Security Administrator role in the global zone.
For details, see How to Enter the Global Zone in Trusted Extensions.
- Review the default user attribute settings in the /etc/security/tsol/label_encodings file.
For the defaults, see label_encodings File Defaults.
- Modify the user attribute settings in the label_encodings file.
Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions. In Trusted CDE, you can
also use the Edit Label Encodings action. For details, see How to Start CDE Administrative Actions in Trusted Extensions.
The label_encodings file should be the same on all hosts.
- Distribute a copy of the file to every Trusted Extensions host.
How to Modify policy.conf Defaults
Changing the policy.conf defaults in Trusted Extensions is similar to changing any security-relevant
system file in the Solaris OS. In Trusted Extensions, you use a trusted
editor to modify system files.
Before You Begin
You must be in the Security Administrator role in the global zone.
For details, see How to Enter the Global Zone in Trusted Extensions.
- Review the default settings in the /etc/security/policy.conf file.
For Trusted Extensions keywords, see Table 12-1.
- Modify the settings.
Use the trusted editor to edit the system file. For details, see How to Edit Administrative Files in Trusted Extensions.
Example 13-1 Changing the System's Idle Settings
In this example, the security administrator wants idle systems to return to the
login screen. The default locks an idle system. Therefore, the Security Administrator role
adds the IDLECMD keyword=value pair to the /etc/security/policy.conf file as follows:
IDLECMD=LOGOUT
The administrator also wants systems to be idle a shorter amount of time
before logout. Therefore, the Security Administrator role adds the IDLETIME keyword=value pair
to the policy.conf file as follows:
IDLETIME=10
The system now logs out the user after the system is idle
for 10 minutes.
Example 13-2 Modifying Every User's Basic Privilege Set
In this example, the security administrator of a Sun Ray™ installation does not want
regular users to view the processes of other Sun Ray users. Therefore, on
every system that is configured with Trusted Extensions, the administrator removes proc_info from
the basic set of privileges. The PRIV_DEFAULT setting in the /etc/security/policy.conf file is
modified as follows:
PRIV_DEFAULT=basic,!proc_info
Example 13-3 Hiding Labels on a System
In this example, the security administrator changes the default setting in a system's
policy.conf file to hide labels. Any user on this system would not view
labels, unless the user was specifically configured to be able to view labels.
This setting is reasonable on a single-label system, or on a system that
is available to the general public.
# /etc/security/policy.conf
…
LABELVIEW=hidesl
To configure a user to override this setting, see How to Hide Labels From a User.
Example 13-4 Assigning Printing-Related Authorizations to All Users of a System
In this example, the security administrator enables a public kiosk computer to print
without labels by typing the following in the computer's /etc/security/policy.conf file. At
the next boot, print jobs by all users of this kiosk print without
page labels.
AUTHS_GRANTED=solaris.print.unlabeled
Then, the administrator decides to save paper by removing banner and trailer pages.
She first ensures that the Always Print Banners checkbox in the Print Manager
is not selected. She then modifies the policy.conf entry to read the following
and reboots. Now, all print jobs are unlabeled, and have no banner or
trailer pages.
AUTHS_GRANTED=solaris.print.unlabeled,solaris.print.nobanner
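The examples above change policy.conf on one system, and Example 13-2 requires the same change on every Trusted Extensions system. The following script is an added example, not part of the original documentation, that reports where a host's copy has drifted from a site baseline for the keywords shown above. The function names, the baseline file, and the choice to read the first uncommented occurrence of a keyword are assumptions of this example.

```shell
#!/bin/sh
# Added example: report drift in the policy.conf keywords used on this page.
KEYS="IDLECMD IDLETIME PRIV_DEFAULT LABELVIEW AUTHS_GRANTED"

# policy_value FILE KEY
# Prints the value of the first uncommented KEY=value line with blanks
# removed, or nothing when the keyword is unset. Taking the first match is
# an assumption of this example.
policy_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# policy_drift BASELINE HOSTCOPY
# Prints one line per keyword whose value differs; returns 1 on any drift.
policy_drift() {
    rc=0
    for k in $KEYS; do
        want=$(policy_value "$1" "$k")
        have=$(policy_value "$2" "$k")
        if [ "$want" != "$have" ]; then
            echo "$k: baseline=${want:-unset} host=${have:-unset}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a site baseline and a host copy that has drifted.
tmp=$(mktemp -d)
printf '%s\n' 'IDLECMD=LOGOUT' 'IDLETIME=10' 'PRIV_DEFAULT=basic,!proc_info' \
    'LABELVIEW=hidesl' > "$tmp/baseline"
printf '%s\n' 'IDLECMD=LOGOUT' 'IDLETIME=30' '#PRIV_DEFAULT=basic,!proc_info' \
    'AUTHS_GRANTED= solaris.print.unlabeled' > "$tmp/host"
policy_drift "$tmp/baseline" "$tmp/host" || echo "host copy differs"
rm -rf "$tmp"
```

A commented-out PRIV_DEFAULT line counts as unset, so a host where the proc_info removal was disabled shows up as drift rather than passing silently.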
How to Configure Startup Files for Users in Trusted Extensions
Users can put a .copy_files file and .link_files file into their home
directory at the label that corresponds to their minimum sensitivity label. Users can
also modify the existing .copy_files and .link_files files at the users' minimum label.
This procedure is for the administrator role to automate the setup for a
site.
Before You Begin
You must be in the System Administrator role in the global zone.
For details, see How to Enter the Global Zone in Trusted Extensions.
- Create two Trusted Extensions startup files.
You are going to add .copy_files and .link_files to your list of startup files.
# cd /etc/skel
# touch .copy_files .link_files
- Customize the .copy_files file.
- Start the trusted editor.
For details, see How to Edit Administrative Files in Trusted Extensions.
- Type the full pathname to the .copy_files file.
/etc/skel/.copy_files
- Type into .copy_files, one file per line, the files to be copied into
the user's home directory at all labels.
For ideas, see .copy_files and .link_files Files. For sample files, see Example 13-5.
- Customize the .link_files file.
- Type the full pathname to the .link_files file in the trusted editor.
/etc/skel/.link_files
- Type into .link_files, one file per line, the files to be linked into
the user's home directory at all labels.
- Customize the other startup files for your users.
- (Optional) Create a skelP subdirectory for users whose default shell is a profile shell.
The P indicates the Profile shell.
- Copy the customized startup files into the appropriate skeleton directory.
- Use the appropriate skelX pathname when you create the user.
The X indicates the letter that begins the shell's name, such as B
for Bourne, K for Korn, C for a C shell, and P for Profile
shell.
Example 13-5 Customizing Startup Files for Users
In this example, the security administrator configures files for every user's home directory.
The files are in place before any user logs in. The files are
at the user's minimum label. At this site, the users' default shell is
the C shell.
The security administrator creates a .copy_files and a .link_files file in the trusted
editor with the following contents:
## .copy_files for regular users
## Copy these files to my home directory in every zone
.mailrc
.mozilla
.soffice
:wq
## .link_files for regular users with C shells
## Link these files to my home directory in every zone
.cshrc
.login
.Xdefaults
.Xdefaults-hostname
:wq
## .link_files for regular users with Korn shells
# Link these files to my home directory in every zone
.ksh
.profile
.Xdefaults
.Xdefaults-hostname
:wq
In the shell initialization files, the administrator ensures that the users' print jobs
go to a labeled printer.
## .cshrc file
setenv PRINTER conf-printer1
setenv LPDEST conf-printer1
## .ksh file
export PRINTER=conf-printer1
export LPDEST=conf-printer1
The administrator modifies the .Xdefaults-home-directory-server file to force the dtterm command to source
the .profile file for a new terminal.
## Xdefaults-HDserver
Dtterm*LoginShell: true
The customized files are copied to the appropriate skeleton directory.
$ cp .copy_files .link_files .cshrc .login .profile \
.mailrc .Xdefaults .Xdefaults-home-directory-server \
/etc/skelC
$ cp .copy_files .link_files .ksh .profile \
.mailrc .Xdefaults .Xdefaults-home-directory-server \
/etc/skelK
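Before the skeleton directories are used to create accounts, the two lists can be checked for mistakes that would otherwise propagate to every label. The following script is an added example, not part of the original documentation. The function name and the three checks are assumptions of this example: entries are expected to be names relative to the home directory, a name should not appear in both lists, and an editor command such as the :wq shown in the listings should not be saved as an entry.

```shell
#!/bin/sh
# Added example: lint the .copy_files and .link_files lists in a skeleton
# directory before the files are handed out to users.

# lint_startup_lists DIR
# Prints one finding per line; returns 0 if clean, non-zero otherwise.
lint_startup_lists() {
    awk '
        function has_dotdot(p,    n, i, part) {
            n = split(p, part, "/")
            for (i = 1; i <= n; i++) if (part[i] == "..") return 1
            return 0
        }
        FNR == 1 { list = FILENAME; sub(/.*\//, "", list) }
        { sub(/[ \t]+$/, "") }              # drop trailing whitespace
        /^#/ || /^$/ { next }               # comments and blank lines
        /^:/ {                              # e.g. ":wq" typed into the buffer
            print list ": editor command saved as an entry: " $0; bad = 1; next
        }
        /^\// || has_dotdot($0) {           # assumption: names are home-relative
            print list ": not a home-relative name: " $0; bad = 1; next
        }
        ($0 in seen) && seen[$0] != list {  # assumption: copy or link, not both
            print $0 ": listed in both " seen[$0] " and " list; bad = 1; next
        }
        { seen[$0] = list }
        END { exit bad + 0 }
    ' "$1/.copy_files" "$1/.link_files"
}

# Constructed sample: the C shell lists from Example 13-5 plus three mistakes.
demo=$(mktemp -d)
printf '%s\n' '## .copy_files' .mailrc .mozilla .soffice .cshrc ':wq' \
    > "$demo/.copy_files"
printf '%s\n' '## .link_files' .cshrc .login .Xdefaults /etc/motd \
    > "$demo/.link_files"
lint_startup_lists "$demo" || echo "startup lists need attention"
rm -rf "$demo"
```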
Troubleshooting
If you create a .copy_files file at your lowest label, then log in
to a higher zone to run the updatehome command and the command fails
with an access error, try the following:
Verify that from the higher-level zone you can view the lower-level directory.
higher-level zone# ls /zone/lower-level-zone/home/username
ACCESS ERROR: there are no files under that directory
If you cannot view the directory, then restart the automount service in the higher-level zone:
higher-level zone# svcadm restart autofs
Unless you are using NFS mounts for home directories, the automounter in the
higher-level zone should be loopback mounting from /zone/lower-level-zone/export/home/username to /zone/lower-level-zone/home/username.
How to Lengthen the Timeout When Relabeling Information
In Trusted Extensions, the Selection Manager mediates transfers of information between labels. The
Selection Manager appears for drag-and-drop operations, and for cut-and-paste operations. Some applications require
that you set a suitable timeout so that the Selection Manager has time
to intervene. A value of two minutes is sufficient.
Caution - Do not change the default timeout value on an unlabeled system. The operations
fail with the longer timeout value.
Before You Begin
You must be in the System Administrator role in the global zone.
For details, see How to Enter the Global Zone in Trusted Extensions.
- For the StarOffice™ application, do the following:
- Navigate to the file office-install-directory/VCL.xcu.
where office-install-directory is the StarOffice installation directory, for example:
office-top-dir/share/registry/data/org/staroffice
- Change the SelectionTimeout property value to 120.
Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions.
The default value is three seconds. A value of 120 sets the
timeout to two minutes.
- For users of applications that rely on the GNOME ToolKit (GTK) library, change
the selection timeout property value to two minutes.
Note - As an alternative, you could have each user change the selection timeout property
value.
Most Sun Java™ Desktop System applications use the GTK library. Web browsers
such as Mozilla, Firefox, and Thunderbird use the GTK library.
By default, the selection timeout value is 300, or five seconds. A
value of 7200 sets the timeout to two minutes.
- Create a GTK startup file.
Name the file .gtkrc-mine. The .gtkrc-mine file belongs in the user's home directory
at the minimum label.
- Add the selection timeout value to the file.
## $HOME/.gtkrc-mine file
*gtk-selection-timeout: 7200
As in the Solaris OS, the gnome-settings-daemon reads this file on startup.
- (Optional) Add the .gtkrc-mine file to the list in each user's .link_files file.
For details, see How to Configure Startup Files for Users in Trusted Extensions.
How to Log In to a Failsafe Session in Trusted Extensions
In Trusted Extensions, failsafe login is protected. If a regular user has customized
shell initialization files and now cannot log in, you can use failsafe login
to fix the user's files.
Before You Begin
You must know the root password.
- As in the Solaris OS, choose Options -> Failsafe Session on the login
screen.
- At the prompt, have the user provide the user name and password.
- At the prompt for the root password, provide the password for root.
You can now debug the user's initialization files.