Trusted Solaris Administrator's Procedures

To Add a Privilege to the Environment


Note -

Before you add a privilege, contact your Trusted Solaris representative to reserve a privilege number.


  1. Assume the Security Administrator role and go to an ADMIN_LOW workspace.

  2. Use the Admin Editor action to open the /usr/include/sys/tsol/priv_names.h file for editing.

    See "To Edit a Local File", if needed.

  3. Follow the directions in the comment at the top of the priv_names.h file, shown below.


    /*
    * ********************** IMPORTANT **********************
    *
    * The privilege names should be maintained in alphabetical order
    * not numeric order.
    *
    * When a privilege is retired it should be placed in the appropriate
    * reserved area in the form "tsol_reserved## = ##," or
    * "reserved## = ##".
    *
    * When a new privilege is needed, it should be taken from the first
    * available privilege in the appropriate reserved area.
    *
    * ISVs, GOTS', integrators who need privileges are encouraged to
    * request and retire them by contacting their respective Trusted
    * Solaris support representative.
    *
    * This file is parsed by the priv_to_str(3) functions.
    *
    * In order to guarantee correct parsing, the format of the
    * following priv_t definition must be preserved.
    *
    * Specifically, the following guidelines must be followed:
    *
    *	1. All privileges must have an explicitly assigned id.
    *	   DO NOT RELY ON COMPILER TO ASSIGN IDs.
    *
    *	2. One privilege id assignment per line.
    *	   DO NOT CONCATENATE OR BREAK LINES.
    *
    *	3. Do not use the `=' character at anywhere other than
    *	   the privilege id assignment.
    *	   For example, DO NOT use `=' in the comments.
    */

  4. Create an entry in the priv_names.h file for the manifest constant of the new privilege, using the privilege number you reserved. The entry takes the place of the reserved## or tsol_reserved## placeholder for that number, and the constant is inserted in alphabetical order, not numeric order.

    A sample entry is below.


    PRIV_RISKY = 90,
    
  5. Save and close the file.

  6. Use the Admin Editor action to open the /usr/lib/tsol/locale/locale_name/priv_name file for editing.

    In the C locale, for example, you would edit the /usr/lib/tsol/locale/C/priv_name file.

  7. Create an entry for the privilege in the priv_name file, in the form privilege ID:name:definition. A long definition is continued on the next line with a trailing backslash.


    Note -

    Make sure that you use the same privilege ID that you assigned in priv_names.h. The priv_name entry is matched to the manifest constant by number only, so a wrong ID attaches the description, and the name shown to administrators, to the wrong privilege.


    A sample entry is below.


    90:override everything:Allows a process to bypass all MAC and \
    DAC checks and auditing flag settings and be otherwise totally \
    unaccountable.

  8. Save and close the file.

  9. Copy the changed priv_names.h and priv_name files to every computer in the Trusted Solaris network, or make the identical change to these files on each of them, so that the same privilege number maps to the same name on every host.
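The following script is an added example, not part of the Trusted Solaris documentation or product. It checks the hand edits from steps 4 and 7 against the rules in the priv_names.h header comment (an explicit id on every privilege, one assignment per line, no `=' outside an id assignment, names in alphabetical order, new ids taken from the reserved area) and confirms that every manifest constant in priv_names.h has a priv_name entry with the same number and vice versa. The two sample files embedded in it are constructed, abbreviated stand-ins for the real /usr/include/sys/tsol/priv_names.h and /usr/lib/tsol/locale/C/priv_name; the privilege constants other than PRIV_RISKY and their descriptions are made up for the example, and the assumed enum layout (`typedef enum priv_t {` ... `} priv_t;`) is a simplification.

```python
"""Added example: consistency check for an edited priv_names.h / priv_name pair.

The file contents below are constructed and abbreviated for this example;
they are not the real Trusted Solaris files.
"""
import re

# Constructed stand-in for /usr/include/sys/tsol/priv_names.h (enum layout assumed).
PRIV_NAMES_H = """\
/*
 * Privilege names are kept in alphabetical order, one per line,
 * and the equals sign appears only in the id assignment.
 */
typedef enum priv_t {
    PRIV_FILE_DAC_READ = 10,
    PRIV_FILE_MAC_READ = 12,
    PRIV_RISKY = 90,
    tsol_reserved91 = 91,
    tsol_reserved92 = 92
} priv_t;
"""

# Constructed stand-in for /usr/lib/tsol/locale/C/priv_name (id:name:definition,
# long definitions continued with a trailing backslash).
PRIV_NAME = """\
10:file dac read:Allows a process to read a file or directory \\
whose DAC permissions would otherwise deny read access.
12:file mac read:Allows a process to read a file or directory \\
whose MAC label dominates the process label.
90:override everything:Allows a process to bypass all MAC and \\
DAC checks and auditing flag settings and be otherwise totally \\
unaccountable.
"""

# One explicit id assignment per line; an optional trailing comment may not contain '='.
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(\d+)\s*,?\s*(?:/\*[^=]*\*/)?\s*$')
# Retired slots look like "reserved##" or "tsol_reserved##".
RESERVED_RE = re.compile(r'^(tsol_)?reserved\d+$')


def parse_priv_names_h(text):
    """Return (entries, errors); entries is a list of (name, id) in file order."""
    entries, errors, seen = [], [], {}
    in_enum = False
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith('typedef enum'):
            in_enum = True
            continue
        if stripped.startswith('}'):
            in_enum = False
            continue
        if '=' in line:
            m = ASSIGN_RE.match(line)
            if not m:   # rule 2 and rule 3: '=' only in a single id assignment
                errors.append('line %d: "=" outside a single id assignment' % lineno)
                continue
            name, pid = m.group(1), int(m.group(2))
            if pid in seen:
                errors.append('line %d: id %d already used by %s' % (lineno, pid, seen[pid]))
            seen[pid] = name
            entries.append((name, pid))
        elif in_enum and stripped:   # rule 1: no privilege without an explicit id
            errors.append('line %d: privilege without an explicit id: %s' % (lineno, stripped))
    return entries, errors


def check_alphabetical(entries):
    """Real (non-reserved) names must appear in alphabetical order."""
    names = [n for n, _ in entries if not RESERVED_RE.match(n)]
    return [] if names == sorted(names) else ['privilege names are not in alphabetical order']


def first_free_reserved(entries):
    """Lowest reserved id, i.e. the slot a new privilege should be taken from."""
    ids = sorted(pid for n, pid in entries if RESERVED_RE.match(n))
    return ids[0] if ids else None


def parse_priv_name(text):
    """Return ({id: (name, definition)}, errors), joining backslash-continued lines."""
    records, errors, logical, start = {}, [], '', 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if not logical:
            start = lineno
        if line.endswith('\\'):
            logical += line[:-1]
            continue
        logical += line
        fields = logical.split(':', 2)
        if len(fields) != 3 or not fields[0].isdigit():
            errors.append('priv_name line %d: expected id:name:definition' % start)
        else:
            pid = int(fields[0])
            if pid in records:
                errors.append('priv_name line %d: duplicate id %d' % (start, pid))
            records[pid] = (fields[1], fields[2])
        logical = ''
    if logical:
        errors.append('priv_name: trailing continuation at end of file')
    return records, errors


def check_pair(priv_h_text, priv_name_text):
    """All problems found in the pair; an empty list means the two files agree."""
    entries, errors = parse_priv_names_h(priv_h_text)
    records, more = parse_priv_name(priv_name_text)
    errors += more + check_alphabetical(entries)
    defined = {pid: n for n, pid in entries if not RESERVED_RE.match(n)}
    for pid, name in sorted(defined.items()):
        if pid not in records:
            errors.append('%s (id %d) has no entry in priv_name' % (name, pid))
    for pid in sorted(records):
        if pid not in defined:
            errors.append('priv_name id %d has no manifest constant in priv_names.h' % pid)
    return errors


if __name__ == '__main__':
    for err in check_pair(PRIV_NAMES_H, PRIV_NAME) or ['priv_names.h and priv_name agree']:
        print(err)
    print('next reserved id:', first_free_reserved(parse_priv_names_h(PRIV_NAMES_H)[0]))
```

Run it against the real files by reading them into the two strings; a non-empty result means one of the header-comment rules was broken or the number in priv_name does not match the manifest constant, which is exactly the mistake the note in step 7 warns about. The same check run on each host after step 9 confirms that the copies agree.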