SunScreen 3.1 Installation Guide

Chapter 6 Installing on Trusted Solaris

This chapter describes how you install SunScreen 3.1 on a machine running Trusted Solaris 7. Installing SunScreen on a machine running Trusted Solaris is different from installing on a regular machine because of the security features built into this operating system.

Topics covered include:

Overview

On a Trusted Solaris system, each user is assigned a set of profiles that list the operations the user can perform and the privileges those operations run with. For example, for a user to run a command (with certain privileges), that command must be present in one of the user's profiles. Therefore, to install and run SunScreen on a Trusted Solaris system, a SunScreen profile and a SunScreen Admin profile should be created. The ASCII format of the profile can be found in:

These files should be appended to the Trusted Solaris system profile (/etc/security/tsol/tsolprof) by the system administrator before installing SunScreen. Please refer to "To Edit the System Profile."

In Trusted Solaris, every process has privileges associated with it (called effective privileges). These effective privileges fall into the following categories:

A Trusted Solaris file also has a set of privileges called the allowed privileges. When a Trusted Solaris user executes a file (to create a process), the resulting process's effective privileges are the intersection of the file's allowed privileges and the user's privileges defined in the user's profile.

Therefore, all SunScreen executable files should have their allowed privileges set to all. This action is performed by two shell scripts:

If you use the SunScreen Installation program, these scripts are automatically called (see the following installation instructions).

Before You Install

SunScreen 3.1 software should be installed by the root role. However, before you can install the software, you have to assign the corresponding SunScreen profiles to the root role.

To Edit the System Profile

The first task is to append the SunScreen or SunScreen Admin profile to the Trusted Solaris system profile.

  1. Log in as sys or as a user who has at least the file_owner and file_dac_write privileges.

  2. From the front panel, choose Allocate Device then select device cdrom0 and mount it.


    Note -

    Before you proceed, you should make a backup copy of the original system profile.


  3. For installing the Screen software, run the following commands:

    cat /cdrom/cdrom0/TS/tsolprof.sunscreen >>/etc/security/tsol/tsolprof

    cat /cdrom/cdrom0/TS/vfstab_adjunct.sunscreen >>/etc/security/tsol/vfstab_adjunct

  4. For installing the Administration software, run the following commands:

    cat /cdrom/cdrom0/tsolprof.sunscreenadm >>/etc/security/tsol/tsolprof

    cat /cdrom/cdrom0/vfstab_adjunct.sunscreen >>/etc/security/tsol/vfstab_adjunct
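
A guarded form of the append steps above, added here as an example and not part of the SunScreen guide or its scripts: it keeps one pristine backup, skips a fragment that was already the last thing appended (steps 3 and 4 both append a vfstab_adjunct.sunscreen file), and restores the file if the result is not exactly old content plus fragment. The function name safe_append and the .pre-sunscreen backup suffix are assumptions of this example.

```sh
#!/bin/sh
# Added example: guarded form of  cat FRAGMENT >> SYSTEM_FILE
# Returns 0 = appended, 2 = fragment already ends the file (skipped), 1 = error.
# safe_append and the ".pre-sunscreen" suffix are hypothetical names.

safe_append() {
    frag=$1
    target=$2
    backup="$target.pre-sunscreen"
    snap="$target.snap.$$"

    if [ ! -r "$frag" ] || [ ! -s "$frag" ]; then
        echo "fragment missing or empty: $frag" >&2; return 1
    fi
    if [ ! -w "$target" ]; then
        echo "target not writable: $target" >&2; return 1
    fi

    # Skip when the file already ends with this exact fragment, so a
    # repeated run does not leave duplicate entries in the database.
    size=`wc -c < "$frag" | tr -d ' '`
    if tail -c "$size" "$target" | cmp -s - "$frag"; then
        echo "already appended, skipping: $frag" >&2; return 2
    fi

    # Keep the first (pristine) backup; later runs never overwrite it.
    [ -f "$backup" ] || cp -p "$target" "$backup" || return 1

    # Append in place (same inode, owner and mode), then check that the
    # result is byte-for-byte the old content followed by the fragment.
    cp -p "$target" "$snap" || return 1
    if cat "$frag" >> "$target" && cat "$snap" "$frag" | cmp -s - "$target"; then
        rm -f "$snap"; return 0
    fi
    cat "$snap" > "$target"      # restore the pre-append content in place
    rm -f "$snap"
    echo "append failed, restored: $target" >&2
    return 1
}

# Usage with the paths from step 3 (run with the privileges from step 1):
#   safe_append /cdrom/cdrom0/TS/tsolprof.sunscreen /etc/security/tsol/tsolprof
if [ $# -eq 2 ]; then safe_append "$1" "$2"; fi
```
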

To Give the Install Program the Proper Role

Before you install the software, you must make the secadmin role assumable by the user who will be performing the installation. You need the secadmin role to assign the profile to the root role. In Trusted Solaris, root is not supposed to assign a profile to itself. In the following procedure, the user named install will be used as an example.

  1. Log in as install and assume the root role.

  2. In the root workspace, open Applications -> Solstice_Apps -> User Manager.

  3. Open User Manager, double-click user install, then choose Roles... Next, make root and secadmin the assumable roles.

  4. Log out.

To Assign the Profile to the Root Role

The last task is to assign a SunScreen profile or a SunScreen Admin profile to the root role.

  1. Log in as install or some other user.

  2. Assume the secadmin role.

  3. In the secadmin workspace, open Applications -> Solstice_Apps -> User Manager.

  4. Open User Manager, double-click user root, and choose Profiles.

  5. Assign the profile SunScreen in the available list to the selected list.


    Note -

    If you are installing an Administration Station, assign the profile 'SunScreen Admin.'


  6. Save the changes.

Installing SunScreen Software

SunScreen and SunScreen administration software should be installed by the root role.

To Install the Screen

  1. Assume the root role.

  2. From the front panel, choose Allocate Device, select device cdrom0 and mount it.

  3. The rest of the installation steps are the same as a regular installation. Refer to the appropriate chapter in this book for further instructions on your particular installation.

To Install the Administration Station

  1. Assume the root role.

  2. From the front panel, choose Allocate Device, select device cdrom0 and mount it.

  3. The rest of the installation steps are the same as a regular installation. Refer to the appropriate chapter in this book for further instructions on your particular installation.


    Note -

    If you choose to install on an Administration Station manually, immediately after adding the required packages, you should run the /opt/SUNWicg/SUNScreen/lib/ss_ts_psetadm command.