On a Trusted Solaris system, every user is assigned a set of profiles, which list the operations the user can perform as well as the privileges of those operations. For example, for a user to run a command (with certain privileges), that command must be present in one of the user's profiles. Therefore, to install and run SunScreen on a Trusted Solaris system, a SunScreen profile and a SunScreen Admin profile should be created. The ASCII format of each profile can be found in:
/cdrom/cdrom0/TS/tsolprof.sunscreen for installing on a Screen.
/cdrom/cdrom0/TS/tsolprof.sunscreenadm for installing on an Administration Station.
These files should be appended to the Trusted Solaris system profile (/etc/security/tsol/tsolprof) by the system administrator before installing SunScreen. Please refer to "To Edit the System Profile."
In Trusted Solaris, every process has privileges associated with it (called effective privileges). These effective privileges fall into the following categories:
Some privileges
All privileges
No privileges
A Trusted Solaris file also has a set of privileges called the allowed privileges. When a Trusted Solaris user executes a file (to create a process), the resulting process's effective privileges are the intersection of the file's allowed privileges and the user's privileges defined in the user's profile.
Therefore, all SunScreen executable files should have their allowed privileges set to all. This action is performed by two shell scripts:
For installing on the Screen, the script is named /opt/SUNWicg/SunScreen/lib/ss_ts_pset
For installing on an Administration Station, the script is named /opt/SUNWicg/SunScreen/lib/ss_ts_psetadm
If you use the SunScreen Installation program, these scripts are automatically called (see the following installation instructions).
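The intersection rule described above can be modeled to show why the allowed set is set to all: any narrower allowed set silently strips privileges that the profile grants. This is an added illustration, not SunScreen or Trusted Solaris code; the command paths, privilege names and sets are constructed sample values.

```python
# Model of the rule stated above:
#   effective privileges = file's allowed privileges INTERSECT profile privileges
# All command paths and privilege names here are constructed, hypothetical values.

ALL = "all"  # marker for an allowed set of "all"


def effective_privileges(allowed, profile_privs):
    """Privileges the new process gets when a user executes the file."""
    if allowed == ALL:
        return set(profile_privs)
    return set(allowed) & set(profile_privs)


def audit(allowed_by_file, profile):
    """Map each problem command to the privileges it loses at execution.

    A command that is absent from the profile cannot be run by the user
    at all, so it is reported with the value None.
    """
    findings = {}
    for command, allowed in allowed_by_file.items():
        if command not in profile:
            findings[command] = None
            continue
        granted = set(profile[command])
        lost = granted - effective_privileges(allowed, granted)
        if lost:
            findings[command] = lost
    return findings


# Constructed profile: command -> privileges the profile assigns to it.
SAMPLE_PROFILE = {
    "/opt/example/bin/cmd_a": {"priv_net", "priv_sys"},
    "/opt/example/bin/cmd_b": {"priv_net", "priv_sys"},
    "/opt/example/bin/cmd_c": {"priv_net"},
}
# Constructed allowed sets on the executable files.
SAMPLE_ALLOWED = {
    "/opt/example/bin/cmd_a": ALL,           # all: profile privileges survive
    "/opt/example/bin/cmd_b": {"priv_net"},  # some: priv_sys is stripped
    "/opt/example/bin/cmd_c": set(),         # none: process runs unprivileged
    "/opt/example/bin/cmd_d": ALL,           # not listed in the profile
}

if __name__ == "__main__":
    for cmd, lost in sorted(audit(SAMPLE_ALLOWED, SAMPLE_PROFILE).items()):
        print(cmd, "not in profile" if lost is None else "loses %s" % sorted(lost))
```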