Changing the policy.conf defaults in Trusted Extensions is identical to changing any security-relevant system file in Oracle Solaris. Use this procedure to change the defaults for all users of a system.
Before You Begin
You must be in the root role in the global zone. For details, see How to Enter the Global Zone in Trusted Extensions.
For Trusted Extensions keywords, see Table 10–1.
# pfedit /etc/security/policy.conf
In this example, the security administrator wants idle systems to return to the login screen. The default locks an idle system. Therefore, the root role adds the IDLECMD keyword=value pair to the /etc/security/policy.conf file as follows:
IDLECMD=LOGOUT
The administrator also wants systems to be idle a shorter amount of time before logout. Therefore, the root role adds the IDLETIME keyword=value pair to the policy.conf file as follows:
IDLETIME=10
The system now logs out the user after the system is idle for 10 minutes.
Note that if the login user assumes a role, the user's IDLECMD and IDLETIME values are in effect for that role.
Example 11-2 Modifying Every User's Basic Privilege Set
In this example, the security administrator of a large Sun Ray installation does not want regular users to view the processes of other Sun Ray users. Therefore, on every system that is configured with Trusted Extensions, the root role removes proc_info from the basic set of privileges. The PRIV_DEFAULT setting in the /etc/security/policy.conf file is uncommented and modified as follows:
PRIV_DEFAULT=basic,!proc_info
Example 11-3 Assigning Printing-Related Authorizations to All Users of a System
In this example, site security permits a public kiosk computer to print without labels. On the public kiosk, the root role modifies the value for AUTHS_GRANTED in the /etc/security/policy.conf file. At the next boot, print jobs by all users of this kiosk print without page labels.
AUTHS_GRANTED=solaris.print.unlabeled
Then, the administrator decides to save paper by removing banner and trailer pages. The administrator further modifies the policy.conf entry.
AUTHS_GRANTED=solaris.print.unlabeled,solaris.print.nobanner
After the public kiosk is rebooted, all print jobs are unlabeled and have no banner or trailer pages.
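The edits in the procedure and examples above can be scripted so that a keyword is set exactly once, replacing any commented-out default rather than leaving a second, conflicting line behind. The following is an added example, not code from the Oracle Solaris documentation; the helper names set_policy_keyword and get_policy_keyword are assumed, it operates on a constructed sample file rather than a live /etc/security/policy.conf, and on a Trusted Extensions system the actual edit would be made through pfedit as shown above.

```shell
#!/bin/sh
set -e

# set_policy_keyword FILE KEYWORD VALUE
# Replaces an existing "KEY=..." or commented "#KEY=..." line with KEY=VALUE,
# drops any duplicate definitions, and appends the pair if it was absent.
set_policy_keyword() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    awk -v key="$key" -v value="$value" '
        $0 ~ ("^#?[ \t]*" key "[ \t]*=") {
            if (!done) { print key "=" value; done = 1 }
            next                       # discard commented or duplicate copies
        }
        { print }
        END { if (!done) print key "=" value }
    ' "$file" > "$tmp"
    # Write through the original file so its owner and mode are preserved
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_policy_keyword FILE KEYWORD
# Prints the effective (uncommented) value; the last definition wins, which
# is also what makes a leftover duplicate line a problem.
get_policy_keyword() {
    awk -F= -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# Constructed sample resembling a stock policy.conf (not a real system file)
POLICY_FILE="${TMPDIR:-/tmp}/policy.conf.example.$$"
cat > "$POLICY_FILE" <<'EOF'
# policy.conf sample (constructed for this example)
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
#PRIV_DEFAULT=basic
#IDLETIME=30
EOF

# Apply the settings from the procedure and examples above
set_policy_keyword "$POLICY_FILE" IDLECMD LOGOUT
set_policy_keyword "$POLICY_FILE" IDLETIME 10
set_policy_keyword "$POLICY_FILE" PRIV_DEFAULT 'basic,!proc_info'
set_policy_keyword "$POLICY_FILE" AUTHS_GRANTED 'solaris.print.unlabeled,solaris.print.nobanner'
cat "$POLICY_FILE"
```

Running the script prints the edited sample; the commented #IDLETIME=30 default is replaced by a single IDLETIME=10 line rather than being left alongside it.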