Settings in the policy.conf(4) and the label_encodings(4) files together define default Trusted Solaris security attributes for user accounts. The values set explicitly in a user template override these values. Some of the values set in these files also apply to role accounts. The User Template default values are described in detail in "Adding or Modifying a User Account".
The label_encodings file defines the Minimum Label, Clearance, and Default Label View that are applied to a user account if the attributes are not explicitly set for the account. The values shown in the following table are those in the Trusted Solaris version of the label_encodings file. Typically, a site replaces the Trusted Solaris version during system configuration with a site version.
Table 3-1 Security Defaults for Users in the label_encodings File

| Trusted Solaris Attribute | Keyword in LOCAL DEFINITIONS Section | Default |
|---|---|---|
| Minimum Label | Default User Sensitivity Label= u; | In ACCREDITATION RANGE Section: minimum sensitivity label=u; |
| Clearance | Default User Clearance= c; | In ACCREDITATION RANGE Section: minimum clearance= c nationality: cntry1/cntry2; |
| Default Label View | Default Label View is External; | External |
At some sites the names of administrative labels are considered to be classified information. The value EXTERNAL hides that classified information.
The user account's clearance and minimum label must be dominated by the highest label, and must dominate the minimum clearance, that are defined in the user ACCREDITATION RANGE section of the label_encodings(4) file. See Trusted Solaris Label Administration for more about labels.

The following algorithm determines which value the system uses:

1. If the administrator explicitly set a value in the Solaris Management Console when creating the user, use that value.
2. Otherwise, use the values for the "Default User ..." and "Default Label View" keywords in the label_encodings file.
3. If there is no specific value for the "Default User ..." and "Default Label View" keywords, use the ACCREDITATION RANGE values.
The following table shows the default settings in the policy.conf file.
Table 3-2 Security Defaults for Users and Roles in the policy.conf File

| Attribute | Keyword with Default Setting | System Default |
|---|---|---|
| authorizations (from auth_attr(4) database) | #AUTHS_GRANTED= | none |
| idle action: logout \| lock | IDLECMD=lock (applies to users only) | lock |
| idle time: 1 - 120 minutes or Forever | IDLETIME=30 (applies to users only) | 30 minutes |
| show or hide labels: hidesl \| showsl | LABELVIEW=showsl | showsl |
| lock after bad password limit is exceeded: yes \| no | LOCK_AFTER_RETRIES=yes | yes |
| method of password generation: manual \| auto | PASSWORD=manual | manual |
| profiles (from prof_attr(4) database) | PROFS_GRANTED= | Basic Solaris User |
So, users by default are authorized to view SMC data and to edit their own cron jobs; their system locks after 30 minutes of no activity; they can see the label that they are working in; they will not be able to log in if they fail to provide the correct password for three consecutive tries; they must type in a new password (possibilities will not be generated for them); and they can execute all commands and actions on the system without privilege.
The authorizations (AUTHS_GRANTED) and rights profiles (PROFS_GRANTED) that are defined in this file are in addition to any authorizations and profiles assigned to individual accounts. For the other fields, the following algorithm determines which value the system uses:

1. If the administrator explicitly set a value in the Solaris Management Console when creating the user, use that value.
2. Otherwise, use the value in the policy.conf file.
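The two precedence rules above (the label_encodings rule for Minimum Label, Clearance and Default Label View, and the policy.conf rule for the remaining attributes) can be checked mechanically. The following Python script is an added example written for this page; it is not code from the Sun documentation or from Trusted Solaris. It parses constructed, much-simplified excerpts of the LOCAL DEFINITIONS and ACCREDITATION RANGE sections of label_encodings(4) and of policy.conf(4), then reports, for a constructed user template, which value wins and where it came from. The file syntax handled here, the key names used for the user template, and the "system default" values (taken from Table 3-2) are assumptions of the example; a real label_encodings file is far richer than the fragment shown.

```python
"""Resolve effective Trusted Solaris user security attributes.

Added example, not part of the Sun documentation: it models the two precedence
rules described on the page over constructed, simplified excerpts of
label_encodings(4) and policy.conf(4). All file contents and template values
below are constructed for illustration.
"""

# Constructed excerpt in the style of label_encodings(4) (simplified syntax).
LABEL_ENCODINGS = """\
LOCAL DEFINITIONS:
Default User Sensitivity Label= u;
Default User Clearance= c;
Default Label View is External;

ACCREDITATION RANGE:
minimum sensitivity label= u;
minimum clearance= c nationality: cntry1/cntry2;
"""

# Constructed excerpt of policy.conf(4). A commented-out keyword such as
# AUTHS_GRANTED contributes no value, so the system default applies.
POLICY_CONF = """\
#AUTHS_GRANTED=
IDLECMD=lock
IDLETIME=30
LABELVIEW=showsl
LOCK_AFTER_RETRIES=yes
PASSWORD=manual
PROFS_GRANTED=Basic Solaris User
"""

# (template key, LOCAL DEFINITIONS keyword, ACCREDITATION RANGE keyword); the
# template keys are an assumption of this example, not SMC's own names.
LABEL_RULES = {
    "min_label": ("Default User Sensitivity Label", "minimum sensitivity label"),
    "clearance": ("Default User Clearance", "minimum clearance"),
    "label_view": ("Default Label View", None),
}

# System defaults as listed in Table 3-2 ("none" modelled as an empty string).
POLICY_SYSTEM_DEFAULTS = {
    "AUTHS_GRANTED": "",
    "IDLECMD": "lock",
    "IDLETIME": "30",
    "LABELVIEW": "showsl",
    "LOCK_AFTER_RETRIES": "yes",
    "PASSWORD": "manual",
    "PROFS_GRANTED": "Basic Solaris User",
}
# Keywords whose policy.conf value is added to, not overridden by, the account.
ADDITIVE_KEYS = ("AUTHS_GRANTED", "PROFS_GRANTED")


def _parse_entry(line):
    """Split 'name= value;' or 'name is value;' into (name, value)."""
    line = line.strip().rstrip(";").strip()
    if "=" in line:
        key, _, value = line.partition("=")
    elif " is " in line:
        key, _, value = line.partition(" is ")
    else:
        return None
    return key.strip(), value.strip()


def parse_label_encodings(text):
    """Return {SECTION: {keyword: value}} for upper-case 'SECTION:' headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and line[:-1].isupper():
            current = line[:-1]
            sections[current] = {}
            continue
        entry = _parse_entry(line)
        if entry and current is not None:
            sections[current][entry[0]] = entry[1]
    return sections


def parse_policy_conf(text):
    """Return KEY=value pairs; blank and '#' lines carry no setting."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def resolve_label_attrs(template, encodings):
    """Template value, else 'Default ...' keyword, else ACCREDITATION RANGE."""
    local = encodings.get("LOCAL DEFINITIONS", {})
    accred = encodings.get("ACCREDITATION RANGE", {})
    result = {}
    for attr, (local_key, accred_key) in LABEL_RULES.items():
        if template.get(attr):
            result[attr] = (template[attr], "user template")
        elif local_key in local:
            result[attr] = (local[local_key], "label_encodings LOCAL DEFINITIONS")
        elif accred_key and accred_key in accred:
            result[attr] = (accred[accred_key], "label_encodings ACCREDITATION RANGE")
        else:
            result[attr] = (None, "unset")
    return result


def resolve_policy_attrs(template, policy):
    """Template value, else policy.conf; AUTHS/PROFS are merged, not replaced."""
    result = {}
    for key, system_default in POLICY_SYSTEM_DEFAULTS.items():
        file_value = policy.get(key, system_default)
        if key in ADDITIVE_KEYS:
            parts = [p for p in (file_value, template.get(key, "")) if p]
            result[key] = (",".join(parts), "policy.conf + account")
        elif template.get(key):
            result[key] = (template[key], "user template")
        else:
            origin = "policy.conf" if key in policy else "system default"
            result[key] = (file_value, origin)
    return result


if __name__ == "__main__":
    enc = parse_label_encodings(LABEL_ENCODINGS)
    pol = parse_policy_conf(POLICY_CONF)
    # Constructed template: the administrator set only these three fields.
    template = {"clearance": "c", "IDLETIME": "10", "PROFS_GRANTED": "Example Profile"}
    merged = {**resolve_label_attrs(template, enc), **resolve_policy_attrs(template, pol)}
    for attr, (value, origin) in merged.items():
        print(f"{attr:20} {value!r:34} from {origin}")
```

Running the script shows the clearance and idle time coming from the template, the minimum label and label view from the LOCAL DEFINITIONS keywords, and the rights profiles as the policy.conf value with the account's own profile appended; deleting the "Default User Sensitivity Label" line from the constructed excerpt makes the minimum label fall back to the ACCREDITATION RANGE value, as the algorithm above describes.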