Go to main content

Securing Users and Processes in Oracle® Solaris 11.4

Exit Print View

Updated: September 2018
 
 

Enabling Access to Labeled Files

As the administrator, you are responsible for assigning the appropriate clearance to users who need access to labeled files. Only users whose clearance is at least equal to the label on the files can view or modify labeled files. All users receive a clearance through the label encodings file. To give them access to sensitive files, you can directly authorize users to have a higher clearance, or you can assign to authorized users a rights profile that contains commands that run at a high clearance. You can also assign to users a role whose rights profiles run commands at a high clearance.

How to Assign Clearances to Users

This procedure shows how to assign a high clearance to users directly, through a rights profile, or through an assigned role.

Before You Begin

You must be assigned the User Management rights profile or be in the root role. For more information, see Using Your Assigned Administrative Rights.

  1. List the labels that are available on the system.
    $ labelcfg list
    label-list-from-highest-to-lowest-label
  2. Assign specific users or roles the ability to handle labeled files.
    # usermod -K clearance=label username
    # rolemod -K clearance=label rolename

    You can also assign a clearance to users indirectly through a rights profile.

  3. Create a rights profile whose commands run at a higher clearance to handle labeled files.

    The commands must have sufficient privilege in addition to the higher clearance. Sufficient privilege might include a UID or EUID whose clearance is sufficient for the command to run, or a privilege that the command requires.

    The Labeled Audit Review rights profile in the following examples is from How to Create a Labeled Audit Trail in Securing Files and Verifying File Integrity in Oracle Solaris 11.4. You can assign this rights profile directly to the user or to a role that the user assumes.

    • To add a rights profile to a user, use the profiles+= or auth_profiles+= keyword.
      # usermod -K profiles+="Labeled Audit Review" username
      # usermod -K auth_profiles+="Labeled Audit Review" username

      Note -  If the user is also assigned the Audit Review rights profile, the Labeled Audit Review profile must precede it.
    • To add the rights profile to a role and assign the role to a user:
      1. Use a profiles keyword.
        # rolemod -K profiles+="Labeled Audit Review" rolename
        # rolemod -K auth_profiles+="Labeled Audit Review" rolename
      2. Assign the role to the user.
        # usermod -R +rolename username

How to Verify User Access to Labeled Files

After assigning clearances to users, you verify that the configuration enables users with clearances to access files at their clearance, and that users without clearances cannot view or back up the files, or view the audit trail of those files.

  1. Become a user with an assigned clearance.
    # su - cleared-user
    cleared-user$ plabel
    user's explicit clearance
  2. Change to the labeled dataset directory.
    $ cd labeled-dataset

    To test a labeled dataset in a zone, see How to Isolate a Labeled File System in a Zone in Securing Files and Verifying File Integrity in Oracle Solaris 11.4.

  3. Perform tasks that the user would perform.

    For example:

    • List the files in the directory.

    • Add files to the directory and view the label of the files.

    • Remove files from the directory.

    • Modify a file in the directory.

    • Change to a directory at a different label that is within the user's clearance.

    • Send files to a similarly labeled file system.

    • Change to a different user and try to send the original user's files to an unlabeled file system.

      This test should fail.


    Note -  If you are assigned a rights profile that contains commands that run at a higher clearance, you must run those commands in a profile shell, as in pfexec praudit.
  4. In the root role, examine the audit trail by running the auditfiles.ksh script from the /usr/demo/tsol directory and then reading the output in your browser.

    If the audit trail is in a labeled file system, you must have clearance to read ADMIN_HIGH files. See How to Create a Labeled Audit Trail in Securing Files and Verifying File Integrity in Oracle Solaris 11.4. In the following example, a user who is assigned the Labeled Audit Review rights profile executes the command.

    $ pfexec /usr/demo/tsol/auditfiles.ksh audit-html-file