| Skip Navigation Links | |
| Exit Print View | |
|
Oracle Solaris Trusted Extensions Administrator's Procedures |
1. Trusted Extensions Administration Concepts
2. Trusted Extensions Administration Tools
3. Getting Started as a Trusted Extensions Administrator (Tasks)
4. Security Requirements on a Trusted Extensions System (Overview)
Configurable Oracle Solaris Security Features
Trusted Extensions Interfaces for Configuring Security Features
Extension of Oracle Solaris Security Mechanisms by Trusted Extensions
Trusted Extensions Security Features
Security Requirements Enforcement
Users and Security Requirements
Customization of Solaris Trusted Extensions (CDE)
5. Administering Security Requirements in Trusted Extensions (Tasks)
6. Users, Rights, and Roles in Trusted Extensions (Overview)
7. Managing Users, Rights, and Roles in Trusted Extensions (Tasks)
8. Remote Administration in Trusted Extensions (Tasks)
9. Trusted Extensions and LDAP (Overview)
10. Managing Zones in Trusted Extensions (Tasks)
11. Managing and Mounting Files in Trusted Extensions (Tasks)
12. Trusted Networking (Overview)
13. Managing Networks in Trusted Extensions (Tasks)
14. Multilevel Mail in Trusted Extensions (Overview)
15. Managing Labeled Printing (Tasks)
16. Devices in Trusted Extensions (Overview)
17. Managing Devices for Trusted Extensions (Tasks)
18. Trusted Extensions Auditing (Overview)
19. Software Management in Trusted Extensions (Tasks)
A. Quick Reference to Trusted Extensions Administration
By default, regular users can perform cut-and-paste, copy-and-paste, and drag-and-drop operations on both files and selections. The source and target must be at the same label.
To change the label of files, or the label of information within files requires authorization. When users are authorized to change the security level of data, the Selection Manager application mediates the transfer. In Trusted CDE, the /usr/dt/config/sel_config file controls file relabeling actions, and the cutting and copying of information to a different label. In Trusted JDS, the /usr/share/gnome/sel_config file controls these transfers. In Trusted CDE, the /usr/dt/bin/sel_mgr application controls drag-and-drop operations between windows. As the following tables illustrate, the relabeling of a selection is more restrictive than the relabeling of a file.
The following table summarizes the rules for file relabeling. The rules cover cut-and-paste, copy-and-paste, and drag-and-drop operations.
Table 4-1 Conditions for Moving Files to a New Label
|
Different rules apply to selections within a window or file. Drag-and-drop of selections always requires equality of labels and ownership. Drag-and-drop between windows is mediated by the Selection Manager application, not by the sel_config file.
The rules for changing the label of selections are summarized in the following table.
Table 4-2 Conditions for Moving Selections to a New Label
|
Trusted Extensions provides a selection confirmer to mediate label changes. This window appears when an authorized user attempts to change the label of a file or selection. The user has 120 seconds to confirm the operation. To change the security level of data without this window requires the solaris.label.win.noview authorization, in addition to the relabeling authorizations. The following illustration shows a selection, zonename, in the window.
By default, the selection confirmer displays whenever data is being transferred to a different label. If a selection requires several transfer decisions, the automatic reply mechanism provides a way to reply once to the several transfers. For more information, see the sel_config(4) man page and the following section.
The sel_config file is checked to determine the behavior of the selection confirmer when an operation would upgrade or downgrade a label.
The sel_config file defines the following:
A list of selection types to which automatic replies are given
Whether certain types of operations can be automatically confirmed
Whether a selection confirmer dialog box is displayed
In Trusted CDE, the Security Administrator role can change the defaults by using the Configure Selection Confirmation action in the Trusted_Extensions folder. The new settings become effective at the next login. In Solaris Trusted Extensions (JDS), the CDE action is not available. To change the defaults, modify the /usr/share/gnome/sel_config file in a text editor.
|