Differences Between Solaris Express Developer Edition 5/07 Software and Solaris Trusted Extensions
Trusted Extensions builds on Solaris software, and can restrict the use of some
Solaris utilities. The differences affect users, administrators, and developers. Configuration options that are
optional on a Solaris system can be required by Trusted Extensions. For example,
roles are required to administer the system, and the Solaris Management Console is
required to administer users, roles, profiles, and the network. Zones must be installed,
and each zone must be assigned a unique label.
Installation and Configuration of Trusted Extensions
Solaris Trusted Extensions installs as a set of packages on a newly
installed Solaris Express Developer Edition 5/07 system. The following installation practices should be
Desktops in Trusted Extensions
Solaris Trusted Extensions supports a trusted version of the Sun Java Desktop
System, (Trusted JDS) as well as CDE. The Trusted CDE desktop continues
to support the visible Trusted Solaris features, such as labels, trusted stripe, the
Device Allocation Manager, the Admin Editor, and so on.
New administrative actions in CDE 1.7 are modified for security on the Trusted
Extensions desktop. Actions that are unique to Trusted Extensions are in the Trusted_Extensions
The Style Manager should not be run from the Application Manager when Trusted Extensions is configured, because the Style Manager requires the trusted path. Run the Style Manager from the Front Panel and the Workspace menu, where the Style Manager has the trusted path.
The contents of the Trusted_Extensions folder in the Application Manager has changed. Actions to administer zones have been added. NIS+ actions have been removed.
As in the Trusted Solaris 8 2/04 release, the CDE Workspace Menu can be customized to add actions. For details, see How to Customize the CDE Workspace Menu in Solaris Trusted Extensions User’s Guide.
Security Attributes on CDE Actions in Trusted Extensions Software
Trusted Extensions adds CDE actions to the objects that can be assigned security
attributes in the exec_attr database. CDE actions can be constrained by label by
customizing the Workspace Menu to include only actions that are relevant to a
specific label. To customize the menu, see How to Customize the CDE Workspace Menu in Solaris Trusted Extensions User’s Guide
Administration Tools in Trusted Extensions
Secure administration requires the use of GUIs that Trusted Extensions provides. Trusted
Extensions provides actions in the Trusted_Extensions folder in CDE, a Device Allocation Manager, and
the Solaris Management Console. Trusted Extensions adds tools and options to existing tools
in the Solaris Management Console GUI. This GUI enables administrators to manage users,
networks, zones, and other databases. After launching the Solaris Management Console, the administrator
chooses a Trusted Extensions “toolbox”. The toolbox is a collection of programs. The
administrator then uses the programs that are permitted to the role.
Trusted Device Management
The Solaris OS provides three methods of managing devices: the Volume Manager (vold),
logindevperm and device allocation. As in the Trusted Solaris 8 releases, Trusted Extensions
supports only device allocation. The Device Allocation Manager GUI is used to create
an allocatable device. All devices that are allocated to a zone get deallocated
when that zone shuts down, halts, or reboots. Device allocation can be done
remotely or in shell scripts only from the global zone.
The allocate, deallocate, and list_devices commands do not work in labeled zones
for roles or ordinary users. Users and roles must use the Device Allocation
Manager GUI to allocate, deallocate and list devices. Trusted Extensions adds the solaris.device.config
authorization to configure devices.
To manage printers, use the Printer Administrator action in the System_Admin folder
in the global zone. To limit the label range of a printer, use
the Device Allocation Manager in the global zone.
Trusted Extensions Software and Removable Media
Use the Solaris Management Console Devices and Hardware tool to manage serial
lines and serial ports in the global zone. To limit the label range
of removable media, use the Device Allocation Manager in the global zone.
Additional Rights and Authorizations in Trusted Extensions
The Solaris Trusted Extensions release adds privileged commands to the Device Security profile,
and privileged actions to many profiles.
The Solaris Trusted Extensions release adds the following authorizations:
The Solaris Trusted Extensions release adds the following rights profiles:
Object Label Management
The Solaris Trusted Extensions release adds label authorizations and service management authorizations to
the following rights profiles:
Maintenance and Repair
Together, the Information Security and the User Security rights profiles define the Security