Oracle Solaris Trusted Extensions Administrator's Procedures

ProcedureHow to Modify policy.conf Defaults

Changing the policy.conf defaults in Trusted Extensions is similar to changing any security-relevant system file in the Solaris OS. In Trusted Extensions, you use a trusted editor to modify system files.

Before You Begin

You must be in the Security Administrator role in the global zone. For details, see How to Enter the Global Zone in Trusted Extensions.

  1. Review the default settings in the /etc/security/policy.conf file.

    For Trusted Extensions keywords, see Table 6–1.

  2. Modify the settings.

    Use the trusted editor to edit the system file. For details, see How to Edit Administrative Files in Trusted Extensions.

Example 7–1 Changing the System's Idle Settings

In this example, the security administrator wants idle systems to return to the login screen. The default locks an idle system. Therefore, the Security Administrator role adds the IDLECMD keyword=value pair to the /etc/security/policy.conf file as follows:


The administrator also wants systems to be idle a shorter amount of time before logout. Therefore, the Security Administrator role adds the IDLETIME keyword=value pair to the policy.conf file as follows:


The system now logs out the user after the system is idle for 10 minutes.

Example 7–2 Modifying Every User's Basic Privilege Set

In this example, the security administrator of a Sun Ray installation does not want regular users to view the processes of other Sun Ray users. Therefore, on every system that is configured with Trusted Extensions, the administrator removes proc_info from the basic set of privileges. The PRIV_DEFAULT setting in the /etc/policy.conf file is modified as follows:


Example 7–3 Assigning Printing-Related Authorizations to All Users of a System

In this example, the security administrator enables a public kiosk computer to print without labels by typing the following in the computer's /etc/security/policy.conf file. At the next boot, print jobs by all users of this kiosk print without page labels.

AUTHS_GRANTED= solaris.print.unlabeled

Then, the administrator decides to save paper by removing banner and trailer pages. She first ensures that the Always Print Banners checkbox in the Print Manager is not selected. She then modifies the policy.conf entry to read the following and reboots. Now, all print jobs are unlabeled, and have no banner or trailer pages.

AUTHS_GRANTED= solaris.print.unlabeled,solaris.print.nobanner