Installation Guide
The purpose of this document is to guide the system administrator in successfully installing and updating the TED software on the Solaris 11.4 Operating System. Configuring Trusted Extensions is generally outside the scope of this installation guide.
1 Prerequisites
- The Solaris 11.4 support package repository is accessible, either over an Internet connection to Oracle or locally via a local IPS repository
- An x86 system running Solaris 11.4 (any SRU) is directly connected to the Internet
  Systems running Solaris 11.3 should be updated to 11.4 prior to configuring the TED software. Oracle does not support updating labeled zones from Solaris 11.3 to Solaris 11.4 due to packaging restrictions, so any labeled zones must be uninstalled prior to updating to Solaris 11.4.
- Valid certificate and key files have been obtained from Dynamic Systems
2 Using a Secure Shell Connection
We recommend that the initial installation and configuration be done remotely using ssh or PuTTY. This makes it easier to copy and paste the various command lines from this document, and to report problems while reconfiguring the desktop. After connecting to the Solaris 11.4 system, assume the root role:
su -
3 Configuring the Publisher Keys and Certificates
- Set up the trusted-desktop publisher as the primary source:
  pkg set-publisher -c <path-to-certfile> -k <path-to-keyfile> -P \
      -g https://pkg.dynamicsystemsinc.com/default trusted-desktop
- Allow previously installed Solaris packages to be updated by the trusted-desktop publisher:
  pkg set-publisher --non-sticky solaris
4 Configuring a Local Repository for the TED Software
The trusted-desktop and solaris publishers each require unique credentials. The following Oracle bugs, which prevented installing packages with this publisher configuration, have been fixed in SRU 27:
Bug
- 31753895 - Cannot install non-global zones when two publishers each require unique ssl certificates
- 31894507 - Backport of Bug 31753895 for 11.4 SRU
If your Solaris system is older than SRU 27 then the following workaround is required. Otherwise it is optional.
4.1 Create a Local Repository
- Initialize a local trusted-desktop repository:
  pkgrepo create /var/share/pkg/repositories/trusted-desktop
- Download the TED repository contents:
  pkgrecv -s https://pkg.dynamicsystemsinc.com/default -d /var/share/pkg/repositories/trusted-desktop -p trusted-desktop --clone
4.2 (Optional) Copy the TED repository to an air-gapped system
- Create the repository archive (the find is scoped to the trusted-desktop directory so that other local repositories and the archive itself are not swept in):
  cd /var/share/pkg/repositories
  find trusted-desktop -depth -print | cpio -oVO trusted-desktop.cpio
- After copying the cpio file to the air-gapped system, extract the archive:
  cd /var/share/pkg/repositories
  cpio -iVd < trusted-desktop.cpio
4.3 Update the trusted-desktop Publisher
Set the local origin for the trusted-desktop publisher:
pkg set-publisher -P -G '*' -g /var/share/pkg/repositories/trusted-desktop trusted-desktop
5 Installing the TED Software on Solaris 11.4
- Install the Trusted Extensions Desktop packages (takes approximately 15 minutes and installs more than 400 packages):
  pkg install trusted/trusted-extensions
  Reference: Add Trusted Extensions Packages to an Oracle Solaris System
- If any Solaris desktop software was previously installed, several pre-existing Solaris packages must be updated to get the latest TED versions:
  pkg update xorg xvnc xscreensaver libwnck3 libxklavier
- Verify the TED version:
  $ cat /etc/ted-release
  Dynamic Systems Inc. Trusted Extensions Desktop (TED) 1.0 February 2021
The TED software packages are synchronized with Oracle Solaris SRU versions and will be automatically updated when you update to newer SRUs.
6 (Optional) Configuring the Lightdm Display Manager
The lightdm display manager is recommended because it provides better performance and security than gdm.
- Disable gdm and enable lightdm (perform this step with root privileges):
  svcadm disable gdm
- Hit return, login and su to root:
  svcadm restart dbus
  svcadm restart hal
  svcadm enable lightdm
The login screen should appear. If the background is dark instead of showing the normal red polygons, that indicates that the mime database was not successfully updated. To fix this, do the following as root:
update-mime-database /usr/share/mime
Login to the desktop with the admin account you created. Verify that the MATE desktop is working correctly. Right-click on the desktop and select Open terminal. Verify that the Terminal window appears. At this point you may assume the root role in the Terminal or continue to use the remote connection.
7 Enabling Solaris Trusted Extensions
The procedures for enabling and managing Trusted Extensions and using the TED software are well documented in the Oracle Solaris web pages, and will not be repeated here. However, there are a few workarounds that are discussed in this section.
The following three files can be updated to allow remote access to the global zone to facilitate debugging:
- Verify in /etc/user_attr that the administrative user's clearance is ADMIN_HIGH and min_label is ADMIN_LOW:
  ladmin::::lock_after_retries=no;roles=root;clearance=ADMIN_HIGH;min_label=ADMIN_LOW;auth_profiles=System Administrator
- Edit /etc/pam.d/other to allow unlabeled hosts to login remotely with ssh:
  account required pam_tsol_account.so.1 allow_unlabeled
- Edit line 17 in /etc/security/tsol/tnrhdb, removing the comment from this line:
  0.0.0.0:admin_low
  This allows unrestricted network connectivity to the global zone.
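The three edits above open the global zone to unlabeled hosts, which is useful while debugging and something to confirm is closed again before the system goes into service. The following script is an added example, not part of the TED guide: it audits the three files read-only and counts how many of the debugging relaxations are still active. It assumes the file paths named above (/etc/user_attr, /etc/pam.d/other, /etc/security/tsol/tnrhdb); the function names are made up here, and the sample tree it builds for the demo is constructed, not copied from a real system.

```shell
#!/bin/sh
# Added example (not part of the TED guide): audit the three debugging
# relaxations from section 7.  Each check takes a file path, so it can be
# pointed at the live /etc files or at a copy.  The sample tree built by
# make_sample_etc is constructed for the demo and is not a real system.

# check_user_attr FILE USER: 0 if USER's user_attr entry carries both
# clearance=ADMIN_HIGH and min_label=ADMIN_LOW, 1 otherwise.
check_user_attr() {
    entry=$(grep "^$2:" "$1" | head -n 1)
    [ -n "$entry" ] || return 1
    case "$entry" in *clearance=ADMIN_HIGH*) ;; *) return 1 ;; esac
    case "$entry" in *min_label=ADMIN_LOW*) return 0 ;; esac
    return 1
}

# pam_allows_unlabeled FILE: 0 when an uncommented pam_tsol_account line in
# pam.d/other still carries allow_unlabeled (unlabeled hosts may ssh in).
pam_allows_unlabeled() {
    grep -v '^[[:space:]]*#' "$1" | grep 'pam_tsol_account' | grep -q 'allow_unlabeled'
}

# tnrhdb_wildcard_open FILE: 0 when the 0.0.0.0:admin_low wildcard is
# uncommented, i.e. any unlabeled host may reach the global zone.
tnrhdb_wildcard_open() {
    grep -q '^[[:space:]]*0\.0\.0\.0:admin_low' "$1"
}

# audit_tx_remote_access ETCDIR USER: runs all three checks against a tree
# laid out like /etc, reports to stderr, and prints the number of
# debugging relaxations still in place on stdout.
audit_tx_remote_access() {
    root=$1; user=$2; open=0
    if check_user_attr "$root/user_attr" "$user"; then
        echo "user_attr: $user has clearance ADMIN_HIGH / min_label ADMIN_LOW" >&2
    else
        echo "user_attr: $user lacks the expected clearance or min_label" >&2
    fi
    if pam_allows_unlabeled "$root/pam.d/other"; then
        echo "pam.d/other: allow_unlabeled is active" >&2; open=$((open + 1))
    fi
    if tnrhdb_wildcard_open "$root/security/tsol/tnrhdb"; then
        echo "tnrhdb: 0.0.0.0:admin_low wildcard is active" >&2; open=$((open + 1))
    fi
    echo "$open"
}

# make_sample_etc DIR: constructed sample files mirroring the guide's
# entries (user ladmin, allow_unlabeled set, wildcard still commented out).
make_sample_etc() {
    mkdir -p "$1/pam.d" "$1/security/tsol"
    printf '%s\n' 'ladmin::::lock_after_retries=no;roles=root;clearance=ADMIN_HIGH;min_label=ADMIN_LOW;auth_profiles=System Administrator' > "$1/user_attr"
    printf '%s\n' 'account required pam_tsol_account.so.1 allow_unlabeled' > "$1/pam.d/other"
    printf '%s\n' '# 0.0.0.0:admin_low' '127.0.0.1:cipso' > "$1/security/tsol/tnrhdb"
}

# Stand-alone demo on the constructed tree (to audit a live system, pass /etc).
demo=$(mktemp -d)
make_sample_etc "$demo"
echo "debugging relaxations still open: $(audit_tx_remote_access "$demo" ladmin)"
rm -rf "$demo"
```

Run it as root with `audit_tx_remote_access /etc <admin-user>` once debugging is over; a count of 0 means the pam and tnrhdb relaxations have been reverted, while the user_attr line is reported only for information since ADMIN_HIGH clearance is what the administrator is expected to keep.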
Finally:
labeladm enable -r
reboot
After logging in you are presented with the Trusted Extensions Message of the Day dialog. Verify the attributes and select OK.
Update the home directory path for the admin user created during installation:
vi /etc/passwd
Change /export/home/<user> to /home/<user>.
See the comments in the Additional Steps section for more information about using the automounter to create home directories in labeled zones.
8 Installing Labeled Zones
There is a bug in Oracle Solaris SRUs 24, 25, and 26 that prevents the installation of labeled zones:
Bug
- 31843025 - AI installation fails on the Solaris 11.4 SRU 24
If you are running on any of these SRUs, you may use the following workaround:
Edit line 294 in the file /usr/lib/python3.7/vendor-packages/solaris/smf/altroot.py by appending text=True as follows:
stderr=Popen.DEVNULL, text=True)
There is another bug in the same file that is scheduled to be fixed in SRU 30. The bug treats a successful zone installation as a failure:
Bug
- 32242493 - SMF altroot does not ignore monitoring processes in stop_daemons()
The workaround is to comment out the following four lines starting at line 307:
raise RuntimeError(_("unable to kill process(es) %(pid) "
"running in %(alt_root)s") %
{"alt_root": self.alt_root,
"pid": " ".join(pids)})
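Both workarounds are edits at fixed line numbers in a file that Oracle ships, so the line content should be checked before anything is changed: on a different SRU the numbers may have shifted, and on SRU 27 to 29 only the second edit applies. The script below is an added example, not from the TED guide or from Oracle. It verifies that lines 294 and 307 hold the text the guide quotes, writes a backup, and applies only the edits that still apply. The function names are made up here; the path and line numbers are the ones the guide gives, and the 312-line sample file is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the TED guide or from Oracle): apply the two
# altroot.py workarounds from section 8 only after confirming that the
# expected text really is on lines 294 and 307, since another SRU may have
# shifted them, and keep a backup.  Function names are made up here; the
# path and line numbers are the ones the guide gives.
ALTROOT=/usr/lib/python3.7/vendor-packages/solaris/smf/altroot.py

# line_at FILE N: print line N.
line_at() { sed -n "${2}p" "$1"; }

# needs_text_true FILE: 0 if line 294 still ends the Popen call without text=True.
needs_text_true() {
    case "$(line_at "$1" 294)" in *'stderr=Popen.DEVNULL)'*) return 0 ;; esac
    return 1
}

# needs_kill_fix FILE: 0 if line 307 is the still-active raise RuntimeError.
needs_kill_fix() {
    case "$(line_at "$1" 307)" in
        '#'*) return 1 ;;
        *'raise RuntimeError('*) return 0 ;;
    esac
    return 1
}

# patch_altroot FILE: write FILE.orig, then apply whichever of the two edits
# still applies.  Returns 1 and leaves FILE untouched when neither matches
# (already patched, or a layout this workaround was not written for).
patch_altroot() {
    file=$1; t=0; k=0
    needs_text_true "$file" && t=1
    needs_kill_fix "$file" && k=1
    [ "$t" -eq 1 ] || [ "$k" -eq 1 ] || return 1
    cp -p "$file" "$file.orig"
    awk -v t="$t" -v k="$k" '
        t && NR == 294 { sub(/stderr=Popen\.DEVNULL\)/, "stderr=Popen.DEVNULL, text=True)") }
        k && NR >= 307 && NR <= 310 { $0 = "#" $0 }
        { print }' "$file.orig" > "$file"
}

# make_sample_altroot FILE: constructed 312-line stand-in with the guide's
# four lines at 307-310 and the Popen call ending on line 294.
make_sample_altroot() {
    i=1
    while [ "$i" -le 312 ]; do
        case "$i" in
            294) echo '                         stderr=Popen.DEVNULL)' ;;
            307) echo '            raise RuntimeError(_("unable to kill process(es) %(pid) "' ;;
            308) echo '                               "running in %(alt_root)s") %' ;;
            309) echo '                               {"alt_root": self.alt_root,' ;;
            310) echo '                                "pid": " ".join(pids)})' ;;
            *)   echo "# placeholder line $i" ;;
        esac
        i=$((i + 1))
    done > "$1"
}

# Stand-alone demo against the constructed file; on a real system call
# patch_altroot "$ALTROOT" instead.
demo=$(mktemp)
make_sample_altroot "$demo"
patch_altroot "$demo" && echo "patched; backup in $demo.orig"
rm -f "$demo" "$demo.orig"
```

Because the guard refuses a file whose lines 294 and 307 do not match, running it twice is harmless, and after an SRU update that replaces altroot.py it will either find the old layout again or refuse, which is the signal to re-check whether the bug is still present.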
The easiest way to install labeled zones is to use txzonemgr. However, even if you prefer your own method, it is still necessary to run txzonemgr at least once because it performs some one-time patching that cannot be done via the pkg command.
- Switch to an empty workspace and assume the root role
- Start a Terminal and run:
  txzonemgr
- To install the two default zones select "Install Public and Internal zones"
- Wait until the public zone console login prompt appears. Login to verify that your home directory was successfully created. The desktop software requires that the user's home directory exists in each labeled zone
- Dismiss the zone console window (click the red x)
- Wait for the login prompt in the Internal zone console. Close the zone console window (click the red x)
9 Additional Steps
9.1 Labeled Zone Home Directories
When the global zone and labeled zones are sharing a single name service, the passwd and shadow files are loopback mounted into each labeled zone when it is booted.
In Solaris 11.3 TX the automounter automatically creates home directories in labeled zones by interpreting files like /etc/auto_home_public.
This functionality was previously broken in Solaris 11.4 and has been fixed in SRU 30:
Bug
- 31653239 - Automount daemon doesn't create home directories when TrustedExtensions is enabled in 11.4
If you are running an older release, the workaround is to use an executable automount script, /etc/auto_homedir. This file is automatically listed in /etc/auto_master when labeled zones are created by txzonemgr.
The use of the automounter to create home directories requires that the user's home directory specification in /etc/passwd starts with /home instead of /export/home. This change must be made manually in the global zone for existing user accounts. For newly created accounts the home directory pathname specified with useradd(8) should be preceded by localhost:, for example:
localhost:/export/home/gfaden
9.2 Automatic Zone Booting
Users with the authorization solaris.zone.manage may reboot labeled zones from within a zone. When an authorized user selects a labeled workspace for which the corresponding labeled zone is not currently running, the zone will be booted automatically. The user will receive visual feedback while the zone is being initialized.
9.3 Customizing Workspace Properties
The user may customize labeled workspaces by selecting a unique background image for each uniquely labeled workspace. Select Change Desktop Background from the desktop menu and pick an image you like.
Workspace names can also be customized. Select Properties in the workspace switcher to edit the workspace names or create additional workspaces.
9.4 Remote TED Sessions
For remote VNC sessions enable the service:
svcadm enable xvnc-inetd
9.4.1 Gdm
For the gdm display manager edit /etc/gdm/custom.conf:
[xdmcp]
Enable=true
Then restart the gdm service:
svcadm restart gdm
9.4.2 Lightdm
For the lightdm display manager edit the file /etc/lightdm/lightdm.conf:
[XDMCPServer]
enabled=true
If there is no physical or virtual monitor connected to the hardware, modify this line as well:
[LightDM]
start-default-seat=false
The file /etc/issue may be used to provide a legal notice prior to logging in. The position of the login window and the legal notice may be customized by editing the file /etc/lightdm/lightdm-gtk-greeter.conf. For example:
[greeter]
position=50% 70%
issue-position=50% 10%
issue-text-color=white
issue-text-size=8
Then restart the lightdm service:
svcadm restart lightdm
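The lightdm settings above are INI-style section/key pairs, and the shipped lightdm.conf typically carries them as commented-out defaults, so a naive append leaves two copies and the later one wins silently. The script below is an added example, not from the TED guide or the lightdm project: ini_set replaces a key inside its section, whether the existing line is live or commented out with '#', appends the section when it is missing, and is safe to run repeatedly, which is what a configuration-management job for the XDMCP, seat and greeter settings wants. The function names are made up here and the sample lightdm.conf it builds is constructed.

```shell
#!/bin/sh
# Added example (not from the TED guide or the lightdm project): set one key
# in one section of an INI-style file such as /etc/lightdm/lightdm.conf or
# lightdm-gtk-greeter.conf.  An existing line is replaced even when it is
# commented out with a leading hash, and a missing section is appended, so
# repeated runs never duplicate a setting.  Function names are made up here
# and the sample configuration is constructed.

# ini_set FILE SECTION KEY VALUE: rewrite FILE in place through a temp file.
ini_set() {
    file=$1; section=$2; key=$3; value=$4
    tmp=$(mktemp)
    awk -v s="$section" -v k="$key" -v v="$value" '
        function emit_if_pending() {
            if (in_section && !done) { print k "=" v; done = 1 }
        }
        /^[ \t]*\[/ {
            emit_if_pending()          # key was missing from the section just left
            name = $0
            sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            in_section = (name == s)
            if (in_section) seen = 1
            print; next
        }
        in_section && !done && match($0, "^[ \t]*#?[ \t]*" k "[ \t]*=") {
            print k "=" v; done = 1; next   # replace the live or commented line
        }
        { print }
        END {
            if (!seen) { print "[" s "]"; in_section = 1 }
            emit_if_pending()
        }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# ini_get FILE SECTION KEY: print the value of KEY in SECTION (empty if unset).
ini_get() {
    awk -v s="$2" -v k="$3" '
        /^[ \t]*\[/ {
            name = $0
            sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            in_section = (name == s); next
        }
        in_section && index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

# make_sample_lightdm_conf FILE: constructed lightdm.conf with the two
# settings from section 9.4.2 still commented out.
make_sample_lightdm_conf() {
    printf '%s\n' '[LightDM]' '#start-default-seat=true' '' \
        '[Seat:*]' 'greeter-session=lightdm-gtk-greeter' '' \
        '[XDMCPServer]' '#enabled=false' '#port=177' > "$1"
}

# Stand-alone demo on constructed files; on a real system pass the /etc paths.
conf=$(mktemp)
make_sample_lightdm_conf "$conf"
ini_set "$conf" XDMCPServer enabled true
ini_set "$conf" LightDM start-default-seat false
greeter=$(mktemp)
ini_set "$greeter" greeter position '50% 70%'
ini_set "$greeter" greeter issue-position '50% 10%'
cat "$conf" "$greeter"
rm -f "$conf" "$greeter"
```

The rewrite goes through a temporary file and `cat` back into the original so the file keeps its inode, owner and mode; follow it with `svcadm restart lightdm` as the guide says, since lightdm reads the file only at start.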
9.4.3 VirtualBox
When running in VirtualBox, sometimes the keyboard arrows don't work properly. To fix this select the following from the panel menu:
System → Preferences → Hardware → Keyboards-Layouts
Select the keyboard that matches your host hardware.