test

Trusted Solaris Installation and Configuration

Trusted Solaris Modifications to Network Installation

Trusted Solaris software modifies network installation commands and procedures that require greater security. For example, the Volume Manager adds a mounting-user directory when mounting devices in the Trusted Solaris environment.

Table 7-1 Trusted Solaris Differences in Network Installation

Solaris Software  

Trusted Solaris Software 

You can log in as root. 

There is no superuser. You log in as a user who can assume the root role, or as a user who can assume the admin or secadmin role, depending on the task. Then, assume the role to perform the task. 

Processes and files do not have a label. 

All processes and files are labeled. Commands and actions are run at a particular label. Most administrative tasks are run at the label ADMIN_LOW.

Administrators can often use a command line interface, even if a corresponding GUI equivalent exists. 

Many administrative commands are run from a GUI, which calls checking and synchronizing functions. 

Administrators can run an administrative command from a CD-ROM or diskette. 

Commands that are on a diskette or CD-ROM, or are accessible from an NFS mount, may need to be added to the admin role's profile before they can be run. 

Allows you to use a CD-ROM or diskette without allocating it. 

Requires you to allocate a peripheral device at a particular label before its use. Before removing the medium, you must deallocate it. 

Modifications to Network Installation Commands

The following commands and actions are used when installing Solaris software or Trusted Solaris software over a network, and their use is modified in the Trusted Solaris environment. The following listing describes the additional procedures or security requirements. Commands that do not require a change in procedure are not listed. See the "Preparing to Install Solaris Software Over the Network" in Solaris 8 Advanced Installation Guide for the installation procedures themselves.

Table 7-2 Modified Network Commands

Network Command or GUI 

Trusted Solaris Modification in its Use 

setup_install_server(1M)

add_install_client(1M)

add_to_install_server(1M)

rm_install_client(1M)

You must be in the admin role, at label ADMIN_LOW, in a terminal where the command is in a profile assigned to the admin role.

If the admin role does not have this /pathname/*install* command in its assigned profiles, the secadmin role, at label ADMIN_LOW, must add it to the Custom Admin Role profile.

For the procedure, see "Modifying a Role's Rights".

mount(1M)

The admin role, at label ADMIN_LOW, runs this command.

If you are mounting a CD-ROM or diskette on an installed system, the admin role must allocate the device at a particular label, usually ADMIN_LOW. When the medium is removed, the device must be deallocated.