Trusted Extensions Configuration and Administration


Updated: July 2014

Quick Reference to Trusted Extensions Administration

Trusted Extensions interfaces extend the Oracle Solaris OS. This appendix provides a quick reference of the differences. For a detailed list of interfaces, including library routines and system calls, see Appendix D, List of Trusted Extensions Man Pages.

Administrative Interfaces in Trusted Extensions

Trusted Extensions provides interfaces for its software. The labeladm command enables and disables the labeld service, and sets the label_encodings file for a Trusted Extensions system. The following interfaces are available only when Trusted Extensions software is running:

txzonemgr script

Provides a menu-based wizard for creating, installing, initializing, and booting labeled zones. The title of the menu is Labeled Zone Manager. This script also provides menu items for networking options, naming services options, and for making the global zone a client of an existing LDAP server. In the Oracle Solaris 11 release, the txzonemgr -c command bypasses the menus to create the first two labeled zones.

Device Manager

In Trusted Extensions, this GUI is used to administer devices. The Device Administration dialog box is used by administrators to configure devices.

The Device Allocation Manager is used by roles and regular users to allocate devices. The GUI is available from the Trusted Path menu.

Label Builder

This application is invoked when the user can choose a label or a clearance. This application also appears when a role assigns labels or label ranges to devices, zones, users, or roles.

The tgnome-selectlabel utility allows you to customize a label builder. See tgnome-selectlabel Utility in Trusted Extensions Developer’s Guide.

Selection Manager

This application is invoked when an authorized user or authorized role attempts to upgrade or downgrade information.

Trusted Path menu

This menu handles interactions with the trusted computing base (TCB). For example, this menu has a Change (Login/Workspace) Password menu item. In Trusted GNOME, you access the Trusted Path menu by clicking the trusted symbol at the left of the trusted stripe.

Administrative commands

Trusted Extensions provides commands to obtain labels and perform other tasks. For a list of the commands, see Command Line Tools in Trusted Extensions.

Oracle Solaris Interfaces Extended by Trusted Extensions

Trusted Extensions adds to existing Oracle Solaris configuration files, commands, and GUIs.

Administrative commands

Trusted Extensions adds options to selected Oracle Solaris commands. For a list of all Trusted Extensions interfaces, see Appendix D, List of Trusted Extensions Man Pages.

Configuration files

Trusted Extensions adds two privileges, net_mac_aware and net_mlp. For the use of net_mac_aware, see NFS Server and Client Configuration in Trusted Extensions.

Trusted Extensions adds authorizations to the auth_attr database.

Trusted Extensions adds executables to the exec_attr database.

Trusted Extensions modifies existing rights profiles in the prof_attr database. It also adds profiles to the database.

Trusted Extensions adds fields to the policy.conf database. For the fields, see policy.conf File Defaults in Trusted Extensions.

Trusted Extensions adds audit tokens, audit events, audit classes, and audit policy options. For a list, see Trusted Extensions Audit Reference.

Shared directories from zones

Trusted Extensions enables you to share directories from labeled zones. The directories are shared at the label of the zone by creating an /etc/dfs/dfstab file from the global zone.

Tighter Security Defaults in Trusted Extensions

Trusted Extensions establishes tighter security defaults than the Oracle Solaris OS:


By default, device allocation is enabled.

By default, device allocation requires authorization. Therefore, by default, regular users cannot use removable media.

An administrator can remove the authorization requirement. However, device allocation is typically required at sites that install Trusted Extensions.


Regular users can print only to printers that include the user's label in the printer's label range.

By default, printed output has trailer and banner pages. These pages, and the body pages, include the label of the print job.


Roles are available in the Oracle Solaris OS, but their use is optional. In Trusted Extensions, roles are required for proper administration.

Limited Options in Trusted Extensions

Trusted Extensions narrows the range of Oracle Solaris configuration options:

Naming service

The LDAP naming service is supported. All zones must be administered from one naming service.


The global zone is an administrative zone. Only the root user or a role can enter the global zone. Therefore, administrative interfaces that are available to regular Oracle Solaris users are not available to regular Trusted Extensions users.

Non-global zones are labeled zones. Users work in labeled zones.