3. Working in Trusted Extensions (Tasks)
Caution - If the trusted stripe is missing from your workspace, contact the security administrator. The problem with your system could be serious. The trusted stripe should not appear during login, or when you lock your screen. If the trusted stripe shows, contact the administrator immediately.
If you leave your workstation briefly, lock the screen.
Figure 3-1 Front Panel Switch Area
Figure 3-2 Lock Screen Selection
The screen turns black. At this point, only you can log in again.
Note - The trusted stripe should not appear when the screen is locked. If the stripe does appear, notify the security administrator immediately.
If the Lock Screen dialog box does not appear, press the Return key.
This action returns you to your session in its previous state.
At most sites, the screen automatically locks after a specified period of idleness. If you expect to leave the workstation for a while, or if you expect someone else to use your workstation, log out.
For a picture of the Front Panel, see Figure 3-1.
The Logout Confirmation dialog box is displayed.
Logging out is the normal way to end a Trusted Extensions session. Use the following procedure if you need to turn off your workstation.
Note - If you are not on the console, you cannot shut down the system. For example, Sun Ray clients cannot shut down the system.
Confirm the shutdown.
Click mouse button 3 over the background to open the menu.
To view your files, you use the same applications that you would use in Trusted CDE or Trusted JDS on a Solaris system. If you are working at multiple labels, only the files that are at the label of the workspace are visible.
Click mouse button 3 over the background. From the Workspace menu, choose Programs -> Terminal.
Figure 3-3 A Labeled File Manager
The File Manager appears with the contents of your home directory at that label.
The File Manager opens at the same label as the current workspace. The application provides access to only those files that are at its label. For details about viewing files at different labels, see Containers and Labels.
Click mouse button 3 over the background. From the menu, choose Open Terminal.
These folders open in a File Browser. The File Browser application opens at the same label as the current workspace. The application provides access to only those files that are at its label. For details about viewing files at different labels, see Containers and Labels.
% man -s 3tsol intro
For a list of user commands that are specific to Trusted Extensions, see Appendix B, List of Trusted Extensions Man Pages, in Oracle Solaris Trusted Extensions Administrator’s Procedures.
The man pages are also available from Sun's documentation web site.
% man trusted_extensions
Figure 3-4 Trusted Extensions Online Help
In Trusted CDE, users and roles can customize the Workspace menu for each distinct label.
A dialog box with a Browse button appears.
A File Manager appears.
Click the Browse button to show the files that are available for this workspace at this label.
The items are added to the top of the Workspace menu.
You can modify permissions here. You can also view file information and the file's sensitivity label.
The Workspace menu reflects your changes.
Linking a file or copying a file to another label is useful when you want to make a file with a lower label visible at higher labels. The linked file is only writable at the lower label. The copied file is unique at each label and can be modified at each label. For more information, see .copy_files and .link_files Files in Oracle Solaris Trusted Extensions Administrator’s Procedures.
You must be logged in to a multilevel session. Your site's security policy must permit linking.
Work with your administrator when modifying these files.
Type your entries one file per line. You can specify paths to subdirectories in your home directory, but you cannot use a leading slash. All paths must be within your home directory.
Copying an initialization file is useful when you have an application that always writes to a file with a specific name, and you need to separate the data at different labels.
Type your entries one file per line. You can specify paths to subdirectories in your home directory, but you cannot use a leading slash. All paths must be within your home directory.
Example 3-1 Creating a .copy_files File
In this example, the user wants to customize several initialization files per label. In her organization, a company web server is available at the Restricted level. So, she sets different initial settings in the .mozilla file at the Restricted level. Similarly, she has special templates and aliases at the Restricted level. So, she modifies the .aliases and .soffice initialization files at the Restricted level. She can easily modify these files after creating the .copy_files file at her lowest label.
    % vi .copy_files
    # Copy these files to my home directory in every zone
    .aliases
    .mozilla
    .soffice
Example 3-2 Creating a .link_files File
In this example, the user wants her mail defaults and shell defaults to be identical at all labels.
    % vi .link_files
    # Link these files to my home directory in every zone
    .cshrc
    .mailrc
These files do not have safeguards for dealing with anomalies. Duplicate entries in both files or file entries that already exist at other labels can cause errors.
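Because the files have no safeguards of their own, the rules above can be checked before the lists are used. The following is an added example, not part of the Trusted Extensions documentation or software: a POSIX shell lint that flags leading slashes, paths that could leave the home directory, and entries that appear in both files. The helper names check_init_lists and entries are hypothetical, and the script does not look at files that already exist at other labels.

```shell
#!/bin/sh
# Added example: lint .copy_files and .link_files against the rules stated above.
# check_init_lists and entries are hypothetical helper names.

# entries FILE: print the entries of FILE, one per line, trimmed, skipping
# blank lines and '#' comment lines (comments as used in Examples 3-1 and 3-2).
entries() {
    [ -f "$1" ] || return 0
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' -e '/^#/d' "$1"
}

# check_init_lists DIR: print one finding per line for DIR/.copy_files and
# DIR/.link_files; return 0 when both are clean, 1 otherwise.
check_init_lists() {
    dir=$1
    findings=$(
        for f in .copy_files .link_files; do
            entries "$dir/$f" | while IFS= read -r e || [ -n "$e" ]; do
                case $e in
                    (/*) echo "$f: '$e' has a leading slash" ;;
                    # Any .. component is rejected, which is stricter than required.
                    (..|../*|*/..|*/../*)
                        echo "$f: '$e' contains '..'; stay inside the home directory" ;;
                    # Assumes file names contain no spaces.
                    (*' '*) echo "$f: '$e' contains a space; use one file per line" ;;
                esac
            done
        done
        # An entry present in both lists is the duplicate case the page warns about.
        { entries "$dir/.copy_files" | sort -u
          entries "$dir/.link_files" | sort -u
        } | sort | uniq -d | sed 's/^/listed in both files: /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample input, not taken from a real home directory.
demo=$(mktemp -d)
printf '%s\n' '# Copy these files' .aliases .mozilla /etc/motd > "$demo/.copy_files"
printf '%s\n' .cshrc .mailrc .aliases ../other/.login > "$demo/.link_files"
check_init_lists "$demo" || true
rm -rf "$demo"
```

Run it at your lowest label, where the two files are created, and pass your home directory as the argument.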
This operation can be useful to identify the label of a partially hidden window.
The pointer changes to a question mark.
The label for the region under the pointer is displayed in a small rectangular box at the center of the screen.
Figure 3-5 Query Window Label Operation
Some common tasks are affected by labels and security. In particular, the following tasks are affected by Trusted Extensions:
Emptying the trash
Finding calendar events
In Trusted CDE, restoring the Front Panel and using the Style Manager
The trash can contains files only at the label of the workspace. Delete sensitive information as soon as the information is in the trash can.
Choose File -> Select All, then File -> Shred. Then, confirm.
Choose Empty Trash, then confirm.
Calendars show only the events at the label of the workspace that opened the calendar.
A minimized Front Panel is restored.
You can customize the workspace configuration for every label at which you log in.
Arrange windows, establish the font size, and perform other customizations.
Note - Users can save desktop configurations. Roles cannot save desktop configurations.
Note - The Style Manager requires the trusted path. Run the Style Manager from the Front Panel or from the Workspace menu, where the Style Manager has the trusted path.
Your desktop is restored in this configuration when you next log in at this label.