Trusted Extensions Configuration and Administration

Updated: July 2014
 
 

Device Protection With Trusted Extensions Software

On an Oracle Solaris system, devices can be protected by allocation and by authorization. By default, devices are available to regular users without an authorization. A system that is configured with the Trusted Extensions feature uses the device protection mechanisms of the Oracle Solaris OS.

However, by default, Trusted Extensions requires that a device be allocated for use, and that the user be authorized to use the device. In addition, devices are protected by labels. Trusted Extensions provides a graphical user interface (GUI) for administrators to manage devices. The same interface is used by users to allocate devices.


Note - In Trusted Extensions, users cannot use the allocate and deallocate commands. Users must use the Device Manager.

For information about device protection in Oracle Solaris, see Chapter 4, Controlling Access to Devices, in Securing Systems and Attached Devices in Oracle Solaris 11.2.

On a system that is configured with Trusted Extensions, two roles protect devices.

  • The System Administrator role controls access to peripheral devices.

    The system administrator makes a device allocatable. Devices that the system administrator makes nonallocatable cannot be used by anyone. Allocatable devices can be allocated only by authorized users.

  • The Security Administrator role restricts the labels at which a device can be accessed and sets device policy. The security administrator decides who is authorized to allocate a device.

The following are the main features of device control with Trusted Extensions software:

  • By default, an unauthorized user on a Trusted Extensions system cannot allocate devices such as tape drives or CD-ROM drives.

    A regular user with the Allocate Device authorization can import or export information at the label at which the user allocates the device.

  • Users invoke the Device Allocation Manager to allocate devices when they are logged in directly. To allocate a device remotely, users must have access to the global zone. Typically, only roles have access to the global zone.

  • The label range of each device can be restricted by the security administrator. Regular users are limited to accessing devices whose label range includes the labels at which the users are allowed to work. The default label range of a device is ADMIN_LOW to ADMIN_HIGH.

  • Label ranges can be restricted for both allocatable and nonallocatable devices. Nonallocatable devices are devices such as frame buffers and printers.
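
The following Python model is an added illustration of the checks listed above and is not Oracle code: a device can be allocated only if it is allocatable, the user holds the Allocate Device authorization, and the user's label falls inside the device's label range. It assumes the usual label structure of a classification plus compartments, which this page does not spell out; the label values and device names are constructed samples.

```python
from dataclasses import dataclass

# Oracle Solaris name of the Allocate Device authorization.
ALLOCATE_AUTH = "solaris.device.allocate"

@dataclass(frozen=True)
class Label:
    level: int                              # classification; higher is more sensitive
    compartments: frozenset = frozenset()   # assumed compartment set

ADMIN_LOW = Label(-1)        # dominated by every label
ADMIN_HIGH = Label(2**31)    # dominates every label

def dominates(a: Label, b: Label) -> bool:
    """True if label a dominates label b."""
    if a == ADMIN_HIGH or b == ADMIN_LOW:
        return True
    if a == ADMIN_LOW or b == ADMIN_HIGH:
        return False
    return a.level >= b.level and a.compartments >= b.compartments

@dataclass
class Device:
    name: str
    allocatable: bool
    min_label: Label = ADMIN_LOW   # default range is ADMIN_LOW to ADMIN_HIGH
    max_label: Label = ADMIN_HIGH

def allocation_decision(dev: Device, auths: set, label: Label) -> str:
    """Model the three checks: allocatable, authorized, label within range."""
    if not dev.allocatable:
        return "deny: device is not allocatable"
    if ALLOCATE_AUTH not in auths:
        return "deny: user lacks the Allocate Device authorization"
    if not (dominates(label, dev.min_label) and dominates(dev.max_label, label)):
        return "deny: label is outside the device label range"
    return "allow"

# Constructed sample labels and devices (not taken from a real label encoding).
PUBLIC = Label(1)
CONF_A = Label(2, frozenset({"A"}))
CONF_B = Label(2, frozenset({"B"}))
SECRET_B = Label(3, frozenset({"B"}))
tape = Device("tape0", allocatable=True)                      # default range
cdrom = Device("cdrom0", True, min_label=PUBLIC, max_label=SECRET_B)
fb = Device("framebuffer", allocatable=False)

if __name__ == "__main__":
    for dev, lbl in [(tape, CONF_A), (cdrom, CONF_A), (cdrom, CONF_B), (fb, PUBLIC)]:
        print(dev.name, lbl, allocation_decision(dev, {ALLOCATE_AUTH}, lbl))
```

The cdrom0 case with the CONF_A label is denied even though its classification lies between the range endpoints, because the range maximum does not carry compartment A.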