This section identifies known problems in the Trusted Solaris 8 software, describes them, and suggests solutions to them. These bugs may or may not be fixed in a future release.
The system calls bind and accept are audited through audit events (such as AUE_SOCKACCEPT) in the nt (network) audit class. When the network audit class is preselected for auditing, these events do not appear on the audit trail.
Workaround: None. Do not attempt to collect audit records for bind and accept.
If a user mistypes a password for a local account, the label of the /etc/shadow file may change. This can cause subsequent login attempts to fail.
Workaround: If you mistype the password for a local account, have the security administrator immediately relabel the /etc/shadow file as ADMIN_LOW.
This is a very unusual situation. It requires that the administrator consciously configure an NFS remote host to be at one label, and the label range to be another.
Workaround: If you do not want to allow the creation of files at the default label for the server, mount the file system as "read-only". That does not affect existing files, but it prevents the creation of files at a label outside the label range.
Although Trusted Solaris 8 does not support information labels (ILs), the label_encodings(4) command fails with the following error if the label_encodings file omits information about ILs.
# chk_encodings label_encodings
Label encodings conversion error at line 37:
Can't find INFORMATION LABELS specification.
Found instead: "SENSITIVITY LABELS:".
label_encodings: label encodings syntax check failed.
Workaround: Copy a valid SENSITIVITY LABELS: section in your label_encodings file, and rename the copy to INFORMATION LABELS:
INFORMATION LABELS:
...
WORDS:
...
REQUIRED COMBINATIONS:
...
COMBINATION CONSTRAINTS:
...
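The workaround above as a script, added here as an example (it is not part of the release notes or of the Trusted Solaris tools). It assumes that section headers stand alone on a line and that CLEARANCES: is the section that follows SENSITIVITY LABELS:; the sample file content is constructed.

```python
SL_HEADER = "SENSITIVITY LABELS:"
IL_HEADER = "INFORMATION LABELS:"
NEXT_HEADER = "CLEARANCES:"  # assumption: the section after SENSITIVITY LABELS


def add_information_labels(text: str) -> str:
    """Insert a copy of the SENSITIVITY LABELS section, renamed to
    INFORMATION LABELS, directly before the original section."""
    lines = text.splitlines(keepends=True)
    stripped = [line.strip() for line in lines]
    if IL_HEADER in stripped:
        return text  # section already present, leave the file alone
    if SL_HEADER not in stripped:
        raise ValueError("no SENSITIVITY LABELS: section found")
    start = stripped.index(SL_HEADER)
    if NEXT_HEADER not in stripped[start:]:
        raise ValueError("cannot find the end of SENSITIVITY LABELS:")
    end = stripped.index(NEXT_HEADER, start)
    # Body of the section (WORDS, REQUIRED COMBINATIONS, ...) under a new header.
    copied = [IL_HEADER + "\n"] + lines[start + 1:end]
    return "".join(lines[:start] + copied + lines[start:])


# Constructed sample, not a real site encodings file.
SAMPLE = """VERSION= Constructed sample 1.0

CLASSIFICATIONS:

name= PUBLIC; sname= PUB; value= 1;
name= CONFIDENTIAL; sname= C; value= 4;

SENSITIVITY LABELS:

WORDS:

name= ENGINEERING; sname= ENG; compartments= 10;

REQUIRED COMBINATIONS:

COMBINATION CONSTRAINTS:

CLEARANCES:

WORDS:
"""

if __name__ == "__main__":
    print(add_information_labels(SAMPLE))
```

Write the result to a copy of the file and check that copy with chk_encodings before it replaces the active label_encodings file.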
The label daemon, labeld, always operates in the C locale.
Workaround: In locales where upper/lower case are not a direct mapping of the C locale, the classification and word names, short names, and alternate names in the label_encodings(4) file and all string labels in all databases must be in upper case only. Also, all labels must be entered in upper case only.
Execution attributes for commands/actions in profiles in NIS maps are not seen.
Workaround: Define profiles and execution attributes for actions/commands in the files (local) scope for NIS clients. Or, use NIS+ for your site's naming service.
The SMC commands smosservice and smdiskless do not work correctly.
Workaround: Set up diskless service manually. On the OS server, name and allocate the client disk partitions during the installation program.
The Rights and Serial Manager do not produce auditing records. There is a Solaris bug for this: 4357512. The Groups Manager audits modifications only. The tools to handle trusted network databases, Interface Manager and Security Families, are not audited.
Workaround: None. Do not expect to collect audit records for SMC tools.
Trusted Solaris security attributes, such as allowed=all, cannot be set or viewed on a mounted file system using the SMC Mounts tool.
Workaround: Mount file systems and view the mounts on your system by using the mount(1M) command.
When using the Trusted Solaris Management Console, Computers and Networks, Security Families tool, an entry like the following is rejected:
IP address: 2::45:b00:20ff:fe78
Prefix length: 127
template: tsol
Workaround: Do not use double colons. For example, enter the above IP address in SMC as follows:
IP address: 2:0:0:0:45:b00:20ff:fe78
Prefix length: 127
template: tsol
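A helper for preparing Security Families entries without the double-colon shorthand, added here as an example (it is not part of the release notes or of SMC). The function names and the second sample entry are constructed; the first sample entry is the address shown above.

```python
import ipaddress


def expand_for_smc(address: str) -> str:
    """Rewrite an IPv6 address as eight groups with no '::' shorthand."""
    if "%" in address:
        raise ValueError("scope IDs are not handled here: " + address)
    value = int(ipaddress.IPv6Address(address))  # ValueError if malformed
    # Take the eight 16-bit groups from most to least significant and
    # print each without leading zeros, the form used in the workaround.
    groups = [(value >> (112 - 16 * i)) & 0xFFFF for i in range(8)]
    return ":".join(format(g, "x") for g in groups)


def smc_fields(address: str, prefix_len: int, template: str) -> dict:
    """Return the three values as they would be typed into the tool."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("prefix length out of range: %d" % prefix_len)
    return {
        "IP address": expand_for_smc(address),
        "Prefix length": prefix_len,
        "template": template,
    }


# First entry is the one from the text; the second is constructed.
SAMPLE_ENTRIES = [
    ("2::45:b00:20ff:fe78", 127, "tsol"),
    ("fe80::a00:20ff:fe78:1", 64, "tsol"),
]

if __name__ == "__main__":
    for addr, plen, tmpl in SAMPLE_ENTRIES:
        for name, val in smc_fields(addr, plen, tmpl).items():
            print("%s: %s" % (name, val))
        print()
```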
The SMC Scheduled Jobs tool always runs at ADMIN_LOW even if the SMC client is running at a normal user label, like CONFIDENTIAL. The SMC server runs at ADMIN_LOW and does not consider the client's sensitivity label.
No error message is generated but the cron entry is stored at a label below the user's minimum label.
Workaround: To create cron jobs at labels other than ADMIN_LOW, use the crontab(1) command.
If you use two different scopes during one invocation of SMC, entries can get saved into the wrong scope.
Workaround: Do not switch back and forth between scopes when using the SMC tools. When changing scope, quit and restart the SMC client.
The TSIX network protocol does not work.
Workaround: Use the TSOL network protocol.
Read the files in SUNWrdm for information on the basic Solaris 8 environment.
Workaround: For late-breaking news, use this book, Trusted Solaris 8 Release Notes.
After a user clicks the EXIT icon on the front panel to exit, the system does not return to the login screen. Instead it just hangs with a gray screen. This bug is in base Xserver (4068021, 4378762).
Assume the admin role on another machine.
In the admin role, rlogin to the hung machine.
Find and kill the Xsun process.
$ ps -ef | grep Xsun
Xsun_proc_id
$ kill Xsun_proc_id
Drag and drop operations do not work reliably for OpenLook applications.
Workaround: Use the copy and paste keys with OpenLook applications.
If the selection manager process dies for any reason, it is automatically restarted. When it is restarted, it inherits the C locale instead of the locale it was originally started with.
Workaround: Log out and log back in.
The swmtool(1M) utility does not work in the Trusted Solaris 8 operating environment.
Workaround: Use the pkgadd(1M) utility. Or change the following line in /var/sadm/system/admin/INST_RELEASE to read Solaris:
# OS=Trusted Solaris
OS=Solaris