Trusted Solaris Administrator's Procedures

Managing Device Access Policies

In the Trusted Solaris operating environment, as in other UNIX systems, devices are represented by files called device special files. The discretionary access rules for devices are based on the same UNIX permission bits that apply to other types of files. The mandatory access rules that apply to devices are slightly different from those that apply to files or directories. The following table shows the default mandatory access control policy. These policies automatically apply to any new devices added to the system.

Table 12-1 Default Device Access Policy

| Policy Type | Description | Default Policy |
|---|---|---|
| data_mac_policy | Label required to access the device | For reads and writes, the process' label must equal the device's label. |
| attr_mac_policy | Label required to access the device's attributes (by acl(2), chmod(2), chown(2), and stat(2)) | For read access to the device's attributes, the process' label must dominate the device's label. For write access to the device's attributes, the process' label must equal the device's label. |
| open_priv | Privilege required to open the device | No privileges are required. |
| str_type | Only for STREAMS devices, specifies how the kernel stream head should control STREAMS messages | Device type stream. Unlabeled STREAMS messages are allowed. |

The Security Administrator role can change default policies and define new policies on each host by editing the /etc/security/tsol/device_policy file. Changes go into effect after a reboot. See the device_policy(4) man page for the keywords and values to use, and see also "To Set or Modify Device Policy for a Device".
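
The default mandatory rules in Table 12-1, modeled as an added example that is not part of the original Trusted Solaris documentation. The label levels, compartment names and helper names (Label, mac_allows, access_matrix) are constructed for illustration, and dominance is taken to mean a classification at least as high plus a superset of compartments.

```python
from dataclasses import dataclass

# Constructed classification ordering for illustration only; a real site
# defines its own labels.
LEVELS = {"PUBLIC": 0, "CONFIDENTIAL": 1, "SECRET": 2}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True if classification is >= and compartments are a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

# Default rules from Table 12-1, keyed by (policy type, access mode).
DEFAULT_POLICY = {
    ("data_mac_policy", "read"): "equal",
    ("data_mac_policy", "write"): "equal",
    ("attr_mac_policy", "read"): "dominate",
    ("attr_mac_policy", "write"): "equal",
}

def mac_allows(process, device, policy_type, mode):
    """Evaluate the default mandatory check for one access. The UNIX
    permission bits (discretionary check) are separate and not modeled."""
    rule = DEFAULT_POLICY[(policy_type, mode)]
    if rule == "equal":
        return process == device
    return process.dominates(device)

def access_matrix(process, device):
    """Return the four default-policy decisions for a process/device pair."""
    return {key: mac_allows(process, device, *key) for key in DEFAULT_POLICY}

if __name__ == "__main__":
    # Constructed device label and three constructed process labels.
    tape = Label("CONFIDENTIAL", frozenset({"ENG"}))
    cases = [("same label", Label("CONFIDENTIAL", frozenset({"ENG"}))),
             ("higher", Label("SECRET", frozenset({"ENG", "HR"}))),
             ("incomparable", Label("SECRET", frozenset({"HR"})))]
    for name, proc in cases:
        print(name, access_matrix(proc, tape))
```

A process at a strictly higher label can read the device's attributes but cannot read or write its data, and a process whose label is incomparable to the device's is denied all four accesses.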

Initial Device Configuration Decisions

When configuring the Trusted Solaris environment on every system, the Security Administrator role sets device policy. After the system is up and running, the System Administrator role uses the Device Allocation Manager to add and configure devices, and to revoke an allocation, reclaim an allocated device from an allocate error state, or delete a device.

At system configuration, the Security Administrator needs to make the following decisions: