| Skip Navigation Links | |
| Exit Print View | |
|
Oracle Solaris Trusted Extensions Administrator's Procedures Oracle Solaris 10 8/11 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Oracle Solaris Trusted Extensions Administrator's Procedures Oracle Solaris 10 8/11 Information Library |
1. Trusted Extensions Administration Concepts
2. Trusted Extensions Administration Tools
3. Getting Started as a Trusted Extensions Administrator (Tasks)
4. Security Requirements on a Trusted Extensions System (Overview)
Configurable Oracle Solaris Security Features
Trusted Extensions Interfaces for Configuring Security Features
Extension of Oracle Solaris Security Mechanisms by Trusted Extensions
Trusted Extensions Security Features
Security Requirements Enforcement
Users and Security Requirements
Rules When Changing the Level of Security for Data
5. Administering Security Requirements in Trusted Extensions (Tasks)
6. Users, Rights, and Roles in Trusted Extensions (Overview)
7. Managing Users, Rights, and Roles in Trusted Extensions (Tasks)
8. Remote Administration in Trusted Extensions (Tasks)
9. Trusted Extensions and LDAP (Overview)
10. Managing Zones in Trusted Extensions (Tasks)
11. Managing and Mounting Files in Trusted Extensions (Tasks)
12. Trusted Networking (Overview)
13. Managing Networks in Trusted Extensions (Tasks)
14. Multilevel Mail in Trusted Extensions (Overview)
15. Managing Labeled Printing (Tasks)
16. Devices in Trusted Extensions (Overview)
17. Managing Devices for Trusted Extensions (Tasks)
18. Trusted Extensions Auditing (Overview)
19. Software Management in Trusted Extensions (Tasks)
A. Quick Reference to Trusted Extensions Administration
In Solaris Trusted Extensions (CDE), users can add actions to the Front Panel and customize the Workspace menu. Trusted Extensions software limits users' ability to add programs and commands to CDE.
Anyone can drag and drop a pre-existing action from the Application Manager to the Front Panel, as long as the account performing the modification has the action in its profile. Actions in the /usr/dt/ or /etc/dt/ directories can be added to the Front Panel, but applications in the $HOME/.dt/appconfig directory cannot. While users can use the Create Action action, they cannot write into any of the directories where the system-wide actions are stored. Therefore, regular users cannot create actions that are usable.
In Trusted Extensions, the actions' search path has been changed. Actions in any individual's home directory are processed last instead of first. Therefore, no one can customize existing actions.
The Security Administrator role is assigned the Admin Editor action, so can make any needed modifications to the /usr/dt/appconfig/types/C/dtwm.fp file and the other configuration files for the Front Panel subpanels.
The Workspace Menu is the menu that appears when you click mouse button 3 on the background of the workspace. Regular users can customize the menu, and add items to the menu.
The following conditions apply when a user is allowed to work at multiple labels:
The user must have a home directory in the global zone.
To save the customizations, processes in the global zone must be able to write to the user's home directory at the correct label. The zone path to a user home directory that is writable by global zone processes is similar to the following:
/zone/zone-name/home/username
The user must use the Customize Menu and Add Item to Menu options in a regular user workspace. The user can create a different customization for each label.
When the user assumes a role, changes to the Workspace Menu persist.
Changes that are made to the Workspace Menu are stored in the user's home directory at the current label. The customized menu file is .dt/wsmenu.
The user's rights profile must enable the user to run the desired action.
Any action that is added to the Workspace Menu must be handled by one of the user's rights profiles. Otherwise, the action fails when invoked and an error message is displayed.
For example, anyone with the Run action can double-click the icon for any executable and run it, even if the action or any commands that the action invokes are not in one of the account's rights profiles. By default, roles are not assigned the Run action. Therefore, any menu item that requires the Run action fails when executed by a role.
|