Controlling Access to Devices

The system administrator controls access to peripheral devices. Users can use a device only when the System Administrator role makes the device allocatable. Devices that the System Administrator makes nonallocatable cannot be used by anyone. Allocatable devices can be allocated only by authorized users. The Security Administrator role restricts the labels at which a device can be accessed.

Following are some highlights of device management in the Trusted Solaris environment:

• An unauthorized user in the default Trusted Solaris distributed system cannot allocate devices such as tape drives, CD-ROM drives, or floppy disk drives.

• A normal user with the Allocate Device authorization can import or export information at the label at which the user allocates the device.

• Users invoke the Device Allocation Manager to allocate devices when logged in directly. When logged in remotely, from scripts and from user-developed applications, the allocate(1) command is used.

• Only one authorized user at a time can access an allocatable device. After allocation, deallocating the device clears the device of data and frees it for allocation by another user.

• The label range of each device handled by the device allocation mechanism can be restricted by the Security Administrator. Normal users are limited to accessing devices whose label range includes the labels at which they are allowed to work. The default label range is ADMIN_LOW to ADMIN_HIGH.

• Nonallocatable devices are devices such as framebuffers and printers whose data is automatically cleared between users.

• Label ranges can be restricted for both allocatable and nonallocatable devices.

Setting a Label Range

To restrict direct login access through the console, the Security Administrator role can set a restricted label range on the framebuffer.

For example, a restricted label range might be specified to limit access to a publicly accessible computer. The label range enables users to access the computer only at a label within the framebuffer's label range.

When a host has a local printer, a restricted label range on the printer limits the jobs that it can print.