JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Trusted Extensions User's Guide     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

1.  Introduction to Trusted Extensions

2.  Logging In to Trusted Extensions (Tasks)

3.  Working in Trusted Extensions (Tasks)

Visible Desktop Security in Trusted Extensions

Trusted Extensions Logout Process

Working on a Labeled System

How to Lock and Unlock Your Screen

How to Log Out of Trusted Extensions

How to Shut Down Your System

How to View Your Files in a Labeled Workspace

How to Access the Trusted Extensions Man Pages

How to Access Initialization Files at Every Label

How to Interactively Display a Window Label

How to Find the Mouse Pointer

How to Perform Some Common Desktop Tasks in Trusted Extensions

Performing Trusted Actions

How to Change Your Password in Trusted Extensions

How to Log In at a Different Label

How to Allocate a Device in Trusted Extensions

How to Deallocate a Device in Trusted Extensions

How to Assume a Role in Trusted Extensions

How to Change the Label of a Workspace

How to Add a Workspace at Your Minimum Label

How to Switch to a Workspace at a Different Label

How to Move a Window to a Different Workspace

How to Determine the Label of a File

How to Move Data Between Windows of Different Labels

How to Upgrade Data in a Multilevel Dataset

How to Downgrade Data in a Multilevel Dataset

4.  Elements of Trusted Extensions (Reference)

Glossary

Index

Working on a Labeled System


Caution

Caution - If the trusted stripe is missing from your workspace, contact the  security administrator. The problem with your system could be serious.

The trusted stripe must not appear during login, or when you lock your screen. If the trusted stripe shows, contact the administrator immediately.


How to Lock and Unlock Your Screen

If you leave your workstation briefly, lock the screen.

  1. Choose Lock Screen from the Main menu.

    Figure 3-1 Lock Screen Selection

    image:Graphic shows the main menu with the Lock Screen item selected.

    The screen turns black. At this point, only you can log in again.


    Note - The trusted stripe must not appear when the screen is locked. If the stripe does appear, notify the security administrator immediately.


  2. To unlock your screen, do the following:
    1. Move your mouse until the Screensaver dialog box is visible.
      image:Graphic shows the Oracle Solaris Screensaver dialog box with a password typed in the password field.

      If the Screensaver dialog box does not appear, press the Return key.

    2. Type your password.

      This action returns you to your session in its previous state.

How to Log Out of Trusted Extensions

At most sites, the screen automatically locks after a specified period of idleness. If you expect to leave the workstation for awhile, or if you expect someone else to use your workstation, log out.

  1. To log out of Trusted Extensions, choose Log Out your-name from the Main menu.
    image:Graphic shows the logout dialog box.
  2. Confirm that you want to log out, or click Cancel.

How to Shut Down Your System

Logging out is the normal way to end a Trusted Extensions session. Use the following procedure if you need to turn off your workstation.


Note - If you are not on the console, you cannot shut down the system. For example, VNC clients cannot shut down the system.


Before You Begin

You must be assigned the Maintenance and Repair rights profile.

How to View Your Files in a Labeled Workspace

To view your files, you use the same applications that you would use on your desktop on an Oracle Solaris system. If you are working at multiple labels, only the files that are at the label of the workspace are visible.

How to Access the Trusted Extensions Man Pages

How to Access Initialization Files at Every Label

Linking a file or copying a file to another label is useful when you want to make a file with a lower label visible at higher labels. The linked file is only writable at the lower label. The copied file is unique at each label and can be modified at each label. For more information, see .copy_files and .link_files Files in Trusted Extensions Configuration and Administration.

Before You Begin

You must be logged in to a multilevel session. Your site's security policy must permit linking.

Work with your administrator when modifying these files.

  1. Decide which initialization files you want to link to other labels.
  2. Create or modify the ~/.link_files file.

    Type your entries one file per line. You can specify paths to subdirectories in your home directory, but you cannot use a leading slash. All paths must be within your home directory.

  3. Decide which initialization files you want to copy to other labels.

    Copying an initialization file is useful when you have an application that always writes to a file with a specific name, and you need to separate the data at different labels.

  4. Create or modify the ~/.copy_files file.

    Type your entries one file per line. You can specify paths to subdirectories in your home directory, but you cannot use a leading slash. All paths must be within your home directory.

Example 3-1 Creating a .copy_files File

In this example, the user wants to customize several initialization files per label. In her organization, a company web server is available at the Restricted level. So, she sets different initial settings in the .mozilla file at the Restricted level. Similarly, she has special templates and aliases at the Restricted level. So, she modifies the .aliases and .soffice initialization files at the Restricted level. She can easily modify these files after creating the .copy_files file at her lowest label.

% vi .copy_files
# Copy these files to my home directory in every zone
.aliases
.mozilla
.soffice

Example 3-2 Creating a .link_files File

In this example, the user wants her mail defaults and C shell defaults to be identical at all labels.

% vi .link_files
# Link these files to my home directory in every zone
.cshrc
.mailrc

Troubleshooting

These files do not have safeguards for dealing with anomalies. Duplicate entries in both files or file entries that already exist at other labels can cause errors.

How to Interactively Display a Window Label

This operation can be useful to identify the label of a partially hidden window.

  1. Choose Query Window Label from the Trusted Path menu.
    image:Graphic shows the Trusted Path menu with the cursor on the Query Window menu item.
  2. Move the pointer around the screen.

    The label for the region under the pointer is displayed in a small rectangular box at the center of the screen.


    Figure 3-2 Query Window Label Operation

    image:Screen shows the cursor in a window, and a Window Label indicator that shows the label of the window under the cursor.
  3. Click the mouse button to end the operation.

How to Find the Mouse Pointer

An untrusted application can gain control of the keyboard or mouse pointer. By finding the pointer, you can regain control of the desktop focus.

  1. To regain control of a Sun keyboard, press Meta-Stop.

    Press the keys simultaneously to regain control of the current desktop focus. On the Sun keyboard, the diamond key on either side of the spacebar is the Meta key.

    If the grab of the keyboard or mouse pointer is not trusted, the pointer moves to the trusted stripe. A trusted pointer does not move to the trusted stripe.

  2. If you are not using a Sun keyboard, press Alt-Break.

Example 3-3 Forcing the Mouse Pointer to the Trusted Stripe

In this example, a user is not running any trusted processes but cannot see the mouse pointer. To bring the pointer to the center of the trusted stripe, the user presses the Meta-Stop keys simultaneously.

Example 3-4 Finding the Real Trusted Stripe

On a multiheaded Trusted Extensions system whose monitors are configured to display a separate desktop on each monitor, a user sees one trusted stripe per monitor. Therefore, a program other than Trusted Extensions is generating a trusted stripe. Only one trusted stripe displays when a multiheaded system is configured to display a separate desktop per monitor.

The user halts work and immediately contacts the security administrator. Then, the user finds the real trusted stripe by placing the mouse pointer in an untrusted location, such as over the workspace background. When the user presses the Alt-Break keys simultaneously, the pointer moves to the trusted stripe that is generated by Trusted Extensions.

How to Perform Some Common Desktop Tasks in Trusted Extensions

Some common tasks are affected by labels and security. In particular, the following tasks are affected by Trusted Extensions:

  1. Empty the trash.

    Click mouse button 3 over the Trash Can icon on the desktop. Choose Empty Trash, then confirm.


    Note - The trash can contains files only at the label of the workspace. Delete sensitive information as soon as the information is in the trash can.


  2. Find calendar events at every label.

    Calendars show only the events at the label of the workspace that opened the calendar.

    • In a multilevel session, open your calendar from each workspace that has a different label.
    • In a single-level session, log out. Then, log in at a different label to view the calendar events at that label.
  3. Save a customized desktop at every label.

    You can customize the workspace configuration for every label at which you log in.

    1. Configure the desktop.

      Note - Users can save desktop configurations. Roles cannot save desktop configurations.


      1. From the Main menu, click System > Preferences > Appearance.
      2. Arrange windows, establish the font size, and perform other customizations.
    2. To save the current desktop, click the Main menu.
      1. Click System > Preferences > Startup Applications.
      2. Click the Options tab.
      3. Click Remember Currently Running Applications, then close the dialog box.

      Your desktop is restored in this configuration when you next log in at this label.