When I initially created this thread, I did not have the latest patch cluster loaded on my system. Loading the latest patches fixed the problem for my admin and secadmin roles. Unfortunately, I am still unable to open a console or terminal for the primaryadmin role in a labeled zone. (From this point forward, console will refer to both console and terminal.) In addition, since the original post I have changed root from a user to a role. Now, instead of the console opening in the user's workspace, nothing happens when a console is started from either the front panel or workspace menu in the primaryadmin labeled workspace. We are still running Solaris 10 Update 4 w/ Trusted Extensions on x86. The date of the patch cluster installed is 11/09/2007. Finally, as suggested by Glenn, I tried creating a rights profile for dtterm to add to the primaryadmin role, but I still could not open a labeled console.
In Trusted Solaris 8 the Primaryadmin rights profile contains the rights profile Privileged Shells. Privileged Shells consists of ksh, csh, and sh running with effective user:group of root:root and all privs. Thus, when you assume the primaryadmin role, the ttsession is started by primaryadmin. When you open a console, the pseudo-tty, pts, is owned by primaryadmin and the UID is primaryadmin. The UID is changed to root by typing ksh, csh, or sh, but pts is always owned by primaryadmin when the console is initialized using the front panel or workspace menu.
This is not the case with Solaris 10 w/ Trusted Extensions. It appears that the primaryadmin rights profile consists of all commands being run with root:root as UID/GID. Therefore, the ttsession is run by root. Since there is already an active ttsession running for root, it returns "session already running" and provides the PID for the root-owned ttsession. It appears no primaryadmin-owned ttsession is ever created. When a console is started at admin_low\Trusted Path, it is owned by root. If the label is changed to anything other than Trusted Path, nothing happens when the console is started.
I am not sure if the rights profile running all commands as root is the issue or if there is a bug, but it seems to be preventing primaryadmin from opening a console at any label other than Trusted Path. I am far from an expert on ToolTalk and Trusted CDE, but from what I can gather it seems that the root-owned ttsession is not passing the messages from the primaryadmin session. Could it be because there is no primaryadmin ttsession running, and why does it only happen in labeled zones?
While there are several bugs related to roles and starting consoles and apps in labeled zones, I could not find a bug ID for this specific problem. Has anyone seen a bug for this? Has anyone using Solaris 10 w/ Extensions been able to open a console in a labeled zone as primaryadmin?
This message posted from opensolaris.org