The Trusted Solaris environment provides more than 80 privileges that you can apply to applications to override security policy. For a complete list of privileges, see the priv_desc(4) man page. The privileges provided fall into the categories shown in the following table.
Table 1-4 Privilege Categories
Privilege Category |
Summary |
Example Privileges in the Category |
---|---|---|
For overriding file system restrictions on user and group IDs, access permissions, labeling, ownership, and file privilege sets |
file_dac_chown - lets a process change the owner user ID of a file. |
|
For overriding restrictions on message queues, semaphore sets, or shared memory regions |
ipc_dac_read - lets a process read a System V IPC message queue, semaphore set, or shared memory region whose permission bits or ACL do not allow process read permission |
|
For overriding restrictions on reserved port binding or binding to a multilevel port, sending broadcast messages, or specifying security attributes (such as labels, privileges on a message, or network endpoint defaults) |
net_broadcast - lets a process send a broadcast packet on a specified network |
|
For overriding restrictions on auditing, labeling, covert channel delays, ownership, clearance, user IDs, or group IDs |
proc_mac_read - lets a process read another process where the reading process label is dominated by the other process label |
|
For overriding restrictions on auditing, workstation booting, workstation configuration management, console output redirection, device management, file systems, creating hard links to directories, increasing message queue size, increasing the number of processes, workstation network configuration, third-party loadable modules, or label translation |
sys_boot - lets a process halt or reboot a Trusted Solaris workstation |
|
For overriding restrictions on colormaps, reading to and writing from windows, input devices, labeling, font paths, moving data between windows, X server resource management, or direct graphics access (DGA) X protocol extensions |
win_selection - allows a process to request inter-window data moves without the intervention of selection arbitrator |