Trusted Solaris 8 Release Notes

Previous: Trusted Solaris 7 Bugs Fixed in This Release

Known Problems with the Software

This section identifies known problems in the Trusted Solaris 8 software, describes them, and suggests solutions to them. These bugs may or may not be fixed in a future release.

bind and accept do not generate audit records (4256066)

The system calls bind and accept are audited through audit events (such as AUE_SOCKACCEPT) in the nt (network) audit class. When the network audit class is preselected for auditing, these events do not appear on the audit trail.

Workaround: None. Do not attempt to collect audit records for bind and accept.

The /etc/shadow file can be relabeled (4388344)

If a user mistypes a password for a local account, the label of the /etc/shadow file may change. This can cause subsequent login attempts to fail.

Workaround: If you mistype the password for a local account, have the security administrator immediately relabel the /etc/shadow file as ADMIN_LOW.

File system label ranges are not enforced for unlabeled NFS file systems (4150441)

This is a very unusual situation to be in. This requires that the administrator consciously configure a NFS remote host to be at one label, and the label range to be another.

Workaround: If you do not want to allow the creation of files at the default label for the server, mount the file system as "read-only". That does not affect existing files, but it prevents the creation of files at a label outside the label range.

Trusted Solaris label encodings file requires coding for ILs (4329208)

Although Trusted Solaris 8 does not support information labels (ILs), the label_encodings(4) command fails with the following error if the label_encodings file omits information about ILs.

   # chk_encodings label_encodings
   Label encodings conversion error at line 37:
      Can't find INFORMATION LABELS specification.
      Found instead: "SENSITIVITY LABELS:".
   label_encodings: label encodings syntax check failed.

Workaround: Copy a valid SENSITIVITY LABELS: section in your label_encodings file, and rename it to INFORMATION LABELS: :

INFORMATION LABELS: 
...
WORDS: 
...
REQUIRED COMBINATIONS: 
...
COMBINATION CONSTRAINTS:
...

Label daemon is not locale-aware (4384632)

The label daemon, labeld, always operates in the C locale.

Workaround: In locales where upper/lower case are not a direct mapping of the C locale, the classification and word names, short names, and alternate names in the label_encodings(4) file and all string labels in all databases must be in upper case only. Also, all labels must be entered in upper case only.

NIS (YP) account cannot see assigned profiles (4384781)

Execution attributes for commands/actions in profiles in NIS maps are not seen.

Workaround: Define profiles and execution attributes for actions/commands in the files (local) scope for NIS clients. Or, use NIS+ for your site's naming service.

The smosservice command fails to create OS server (4378498)

The SMC commands smosservice and smdiskless do not work correctly.

Workaround: Set up diskless service manually. On the OS server, name and allocate the client disk partitions during the installation program.

SMC auditing is incomplete (4358479)

The Rights and Serial Manager do not produce auditing records. There is a Solaris bug for this: 4357512. The Groups Manager audits modifications only. The tools to handle trusted network databases, Interface Manager and Security Families, are not audited.

Workaround: None. Do not expect to collect audit records for SMC tools.

SMC Mounts tool does not recognize Trusted Solaris attributes (4382753)

Trusted Solaris security attributes, such as allowed=all, cannot be set or viewed on a mounted file system using the SMC Mounts tool.

Workaround: Mount file systems and view the mounts on your system by using the mount(1M) command.

SMC returns error for a valid IPv6 address (4380852)

When using the Trusted Solaris Management Console, Computers and Networks, Security Families tool, an entry like the following is rejected:

   IP address:  2::45:b00:20ff:fe78
   Prefix length: 127 
   template: tsol

Workaround: Do not use double colons. For example, enter the above IP address in SMC as follows:

   IP address:  2:0:0:0:45:b00:20ff:fe78
   Prefix length: 127 
   template: tsol

SMC Scheduled Jobs tool supports admin_low jobs only (4385223)

The SMC Scheduled Jobs tool always runs at ADMIN_LOW even if the SMC client is running at a normal user label, like CONFIDENTIAL. The SMC server runs at ADMIN_LOW and does not consider the client's sensitivity label.

No error message is generated but the cron entry is stored at a label below the user's minimum label.

Workaround: To create cron jobs at labels other than ADMIN_LOW, use the crontab(1) command.

Switching between scopes in SMC is not robust (4381198)

If you use two different scopes during one invocation of SMC, entries can get saved into the wrong scope.

Workaround: Do not switch back and forth between scopes when using the SMC tools. When changing scope, quit and restart the SMC client.

The TSIX network protocol does not work (4291482)

The TSIX network protocol does not work.

Workaround: Use the TSOL network protocol.

Trusted Solaris 8 does not update the Solaris SUNWrdm package

Read the files in SUNWrdm for information on the basic Solaris 8 environment.

Workaround: For late-breaking news, use this book, Trusted Solaris 8 Release Notes.

CDE exit sometimes fails (4385479)

After a user clicks the EXIT icon on the front panel to exit, the system does not return to the login screen. Instead it just hangs with a gray screen. This bug is in base Xserver (4068021, 4378762).

Workaround:

Assume the admin role on another machine.
In the admin role, rlogin to the hung machine.

Find and kill the Xsun process.

   $ ps -ef | grep Xsun
     Xsun_proc_id
$ kill Xsun_proc_id

Drag and drop does not work for OpenLook applications (4095021)

Drag and drop operations do not work reliably for OpenLook applications.

Workaround: Use the copy and paste keys with OpenLook applications.

Selection Manager restarts in wrong locale (4094175)

If the selection manager process dies for any reason, it is automatically restarted. When it is restarted, it inherits the C locale instead of the locale it was originally started with.

Workaround: Log out and log back in.

The swmtool utility does not work (4284167)

The swmtool(1M) utility does not work in the Trusted Solaris 8 operating environment.

Workaround: Use the pkgadd(1M) utility. Or change the following line in /var/sadm/system/admin/INST_RELEASE to read Solaris:

# OS=Trusted Solaris
OS=Solaris

Previous: Trusted Solaris 7 Bugs Fixed in This Release