Trusted Extensions Configuration and Administration
1 Missing Documentation in Solaris 11.4
The Solaris 11.4 version of the Trusted Extensions Configuration and Administration guide is missing some content that is relevant to the Trusted Desktop. Use the Solaris 11.3 version to review the missing content:
1.1 Trusted Extensions Administration Tools
See the Solaris 11.3 guide for information about the following tools:
1.2 Common Tasks in Trusted Extensions
See the Solaris 11.3 guide for information about the following:
Getting Started as a Trusted Extensions Administrator on a Desktop System
1.3 Devices in Trusted Extensions
See the Solaris 11.3 guide for information about the following:
This chapter describes the protections to peripheral devices on a Trusted Extensions system.
- Device Protection With Trusted Extensions Software
- Device Manager GUI
- Enforcement of Device Security in Trusted Extensions
- Devices in Trusted Extensions (Reference)
2 Configuring Trusted Extensions and LDAP
Procedures for configuring Trusted Extensions, and for configuring LDAP for Trusted Extensions, are provided in the Oracle Solaris 11.4 documentation.
- Refer to Oracle documentation for Configuring Trusted Extensions
- Refer to Oracle documentation for Configuring LDAP for Trusted Extensions
3 Configuring the Applications Menu
Both GNOME 3 and MATE menus conform to the Free Desktop Menu Specification. The command xdg-desktop-menu(1) can be used to manage desktop menu items.
The MATE Applications menu is maintained in the global zone file /etc/xdg/menus/mate-applications-menu and managed by the mate-panel application.
Each MATE submenu is defined in a *.directory file in /usr/share/mate/directories. Every *.directory file referenced in mate-applications-menu must exist in the global zone.
Each MATE application is defined in a *.desktop file in /usr/share/applications. Every *.desktop file referenced in mate-applications-menu must exist in the global zone. However, individual application menu items will only appear in the current workspace if the *.desktop file is also present in the corresponding labeled zone.
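A consistency check for the rules above, as an added example that is not part of the original guide or of Oracle's tooling: it reads the explicit Directory and Filename references in a menu file and reports files missing from the global zone and *.desktop files absent from a labeled zone. The zone root paths, the function names and the sample menu are assumptions constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample menu (not the shipped file). Only explicit <Directory>
# and <Filename> references are checked; <Category> rules are not expanded.
SAMPLE_MENU = """<Menu><Name>Applications</Name>
  <Directory>mate-menu-applications.directory</Directory>
  <Menu><Name>Internet</Name>
    <Directory>mate-network.directory</Directory>
    <Include><Filename>firefox.desktop</Filename>
             <Filename>thunderbird.desktop</Filename></Include>
  </Menu>
</Menu>"""
DIRS, APPS = "usr/share/mate/directories", "usr/share/applications"

def missing(root, subdir, names):
    """Names that are not regular files under root/subdir."""
    return [n for n in names if not os.path.isfile(os.path.join(root, subdir, n))]

def audit_menu(menu_path, global_root="/", zone_roots=None):
    """Report menu-referenced files absent from the global zone or a labeled zone."""
    # zone_roots maps zone name -> root path (assumption: supplied by the caller).
    tree = ET.parse(menu_path).getroot()
    dirs = sorted({e.text.strip() for e in tree.iter("Directory") if e.text})
    apps = sorted({e.text.strip() for e in tree.iter("Filename") if e.text})
    return {
        "missing_directory": missing(global_root, DIRS, dirs),
        "missing_desktop": missing(global_root, APPS, apps),
        "hidden_in_zone": {z: missing(r, APPS, apps)
                           for z, r in (zone_roots or {}).items()},
    }

def run_sample(base):
    """Build a constructed global root and one labeled zone root, then audit."""
    layout = {"global/" + DIRS: ["mate-menu-applications.directory"],
              "global/" + APPS: ["firefox.desktop", "thunderbird.desktop"],
              "public/" + APPS: ["firefox.desktop"]}
    for rel, names in layout.items():
        os.makedirs(os.path.join(base, rel), exist_ok=True)
        for n in names:
            open(os.path.join(base, rel, n), "w").close()
    menu = os.path.join(base, "mate-applications-menu")
    with open(menu, "w") as f:
        f.write(SAMPLE_MENU)
    return audit_menu(menu, os.path.join(base, "global"),
                      {"public": os.path.join(base, "public")})

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(run_sample(tmp))
```

An empty hidden_in_zone list for a zone means every explicitly referenced application can appear in workspaces at that label.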
Applications may also be configured to always run in the Trusted Path (global zone) instead of the zone associated with the current workspace. The following configuration files may be used to set that policy:
/usr/share/mate/TrustedPathExecutables
/usr/share/mate/trusted/applications/*
The mozo application, which is invoked in the System → Preferences → Look and Feel → Main Menu item, provides a point-and-click interface for users to customize their Applications menu. However, it can only be run by users whose clearance is ADMIN_HIGH.
Users in any zone may customize their top and bottom panels by dragging and
dropping individual Applications menu items into their top or bottom panels, or
reposition these panels via the Properties menu. To prevent users from reconfiguring
their panels, set the locked-down boolean for mate-panel. This can be
set interactively, by selecting Applications → System Tools →
dconf Editor. The following screen image shows how to lock down the panels.
It is also possible to restrict other customizations using the lockdown item in
the desktop submenu.
4 Configuring the Trusted Stripe
By default the Trusted Stripe is positioned at the top of the screen, above the
MATE panels. Alternatively, the Trusted Stripe may be positioned at the
bottom of the screen by editing the file /usr/dt/config/Xinitrc.tjds.
# Uncomment the following line to set screenstripe at bottom
# /usr/bin/tsoljds-setssheight&
The setting will take effect after the next login.
Another relevant man page is TrustedExtensionsPolicy(4).
5 Configuring Desktop Audit Events
The X11 protocol audit events, starting with AUE_CreateWindow, that were marked as obsolete in Solaris 11.4 have been restored in TED. The selection manager event, AUE_sel_mgr_xfer, has also been restored. The corresponding audit classes, xc, xp, xs, and xx, have been restored and may be assigned via auditconfig(8) or usermod(8). However, these events are only audited if authorizations or privileges were successfully applied.