JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Trusted Extensions Configuration and Administration     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information


Part I Initial Configuration of Trusted Extensions

1.  Security Planning for Trusted Extensions

2.  Configuration Roadmap for Trusted Extensions

3.  Adding the Trusted Extensions Feature to Oracle Solaris (Tasks)

Initial Setup Team Responsibilities

Preparing an Oracle Solaris System and Adding Trusted Extensions

Install an Oracle Solaris System Securely

Prepare an Installed Oracle Solaris System for Trusted Extensions

Add Trusted Extensions Packages to an Oracle Solaris System

Resolving Security Issues Before Enabling Trusted Extensions

Secure System Hardware and Make Security Decisions Before Enabling Trusted Extensions

Enabling the Trusted Extensions Service and Logging In

Enable Trusted Extensions and Reboot

Log In to Trusted Extensions

4.  Configuring Trusted Extensions (Tasks)

5.  Configuring LDAP for Trusted Extensions (Tasks)

Part II Administration of Trusted Extensions

6.  Trusted Extensions Administration Concepts

7.  Trusted Extensions Administration Tools

8.  Security Requirements on a Trusted Extensions System (Overview)

9.  Performing Common Tasks in Trusted Extensions

10.  Users, Rights, and Roles in Trusted Extensions (Overview)

11.  Managing Users, Rights, and Roles in Trusted Extensions (Tasks)

12.  Remote Administration in Trusted Extensions (Tasks)

13.  Managing Zones in Trusted Extensions

14.  Managing and Mounting Files in Trusted Extensions

15.  Trusted Networking (Overview)

16.  Managing Networks in Trusted Extensions (Tasks)

17.  Trusted Extensions and LDAP (Overview)

18.  Multilevel Mail in Trusted Extensions (Overview)

19.  Managing Labeled Printing (Tasks)

20.  Devices in Trusted Extensions (Overview)

21.  Managing Devices for Trusted Extensions (Tasks)

22.  Trusted Extensions Auditing (Overview)

23.  Software Management in Trusted Extensions

A.  Site Security Policy

Creating and Managing a Security Policy

Site Security Policy and Trusted Extensions

Computer Security Recommendations

Physical Security Recommendations

Personnel Security Recommendations

Common Security Violations

Additional Security References

B.  Configuration Checklist for Trusted Extensions

Checklist for Configuring Trusted Extensions

C.  Quick Reference to Trusted Extensions Administration

Administrative Interfaces in Trusted Extensions

Oracle Solaris Interfaces Extended by Trusted Extensions

Tighter Security Defaults in Trusted Extensions

Limited Options in Trusted Extensions

D.  List of Trusted Extensions Man Pages

Trusted Extensions Man Pages in Alphabetical Order

Oracle Solaris Man Pages That Are Modified by Trusted Extensions



Enabling the Trusted Extensions Service and Logging In

In the Oracle Solaris OS, Trusted Extensions is a service that is managed by the Service Management Facility (SMF). The name of the service is svc:/system/labeld:default. By default, the labeld service is disabled.

Note - Your Trusted Extensions system does not require a network to run a desktop with a directly connected bitmapped display, such as a laptop or workstation. Network configuration is required to communicate with other systems.

Enable Trusted Extensions and Reboot

The labeld service attaches labels to communications endpoints. For example, the following are labeled:

Before You Begin

You have completed the tasks in Preparing an Oracle Solaris System and Adding Trusted Extensions and Resolving Security Issues Before Enabling Trusted Extensions.

You must be in the root role in the global zone.

  1. Move the panel from the top of the screen to the bottom of the screen.


    Caution - If you fail to move the panel, you might be unable to reach the desktop's main menu or panels when you log in to Trusted Extensions.

    1. Open a Terminal window and change to the /etc/gconf/2 directory.
      # cd /etc/gconf/2
    2. Activate the two trusted-extensions-desktop.
      # cp local-trusted-extensions-desktop-defaults.path.inactive \
      # cp local-trusted-extensions-desktop-mandatory.path.inactive \
  2. Open a terminal window and enable the labeld service.
    # svcadm enable -s labeld

    The labeld service adds labels to the system and starts the device allocation services.


    Caution - Do not perform other tasks on the system until the cursor returns to the prompt.

  3. Verify that the service is enabled.
    # svcs -x labeld
    svc:/system/labeld:default (Trusted Extensions)
     State: online since weekday month date hour:minute:second year
       See: labeld(1M)
    Impact: None.


    Caution - If you are enabling and configuring Trusted Extensions remotely, carefully review Chapter 12, Remote Administration in Trusted Extensions (Tasks). Do not reboot until you have configured the system to allow remote administration. If you do not configure the Trusted Extensions system for remote administration, you will be unable to reach it from a remote system.

  4. Reboot the system.
    # /usr/sbin/reboot

Next Steps

Continue with Log In to Trusted Extensions.

Log In to Trusted Extensions

Logging in places you in the global zone, which is an environment that recognizes and enforces mandatory access control (MAC).

At most sites, two or more administrators serve as an initial setup team and are present when configuring the system.

Before You Begin

You have completed Enable Trusted Extensions and Reboot.

  1. Log in by using the user account that you created during installation.

    In the login dialog box, type username, then type the password.

    Users must not disclose their passwords to another person, as that person might then have access to the data of the user and will not be uniquely identified or accountable. Note that disclosure can be direct, through the user deliberately disclosing her or his password to another person, or indirect, such as through writing it down or choosing an insecure password. Trusted Extensions provides protection against insecure passwords, but cannot prevent a user from disclosing her or his password or writing it down.

  2. Use the mouse to dismiss the Status window and the Clearance window.
  3. Dismiss the dialog box that says that the label PUBLIC has no matching zone.

    You will create the zone after you assume the root role.

  4. Assume the root role.
    1. Click your name in the trusted stripe.

      The root role appears in a pulldown menu.

    2. Select the root role.

      If prompted, create a new password for the role.

    Note - You must log out or lock the screen before leaving a system unattended. Otherwise, a person can access the system without having to pass identification and authentication, and that person would not be uniquely identified or accountable.

Next Steps

Continue with one of the following: