Hi,

Please give a review for the SMF service policy of virtual console:

1. svc:/system/console-login

This SMF service serves for all console logins, including virtual console logins. The default instance is used for the system console, and other instances (vt2 to vt6) are used for virtual consoles.

The SMF manifest is delivered as:
    /var/svc/manifest/system/console-login.xml
And the method is delivered as:
    /lib/svc/method/console-login

To meet the SMF policy, this service is delivered as follows:

o The default instance is delivered enabled since it's needed in the seed repository. Other instances for virtual consoles are delivered disabled, and are enabled in the generic_limited_net.xml profile and generic_open.xml, and are disabled when they're in non-global zones or when the virtual console functionality is not available.

o The service is managed using the action_authorization "solaris.smf.manage.vt", which is included in the Device Security Rights Profile.

o The service is local only and has no inbound network ports.

o The service properties are managed using the value_authorization "solaris.smf.value.vt".

o The service implements ttymon(1M) and login(1), which by nature require full privileges, and the following method context is used for this service:

    <method_context>
        <method_credential user='root' group='root' />
    </method_context>

2. svc:/system/vtdaemon:default

This SMF service serves for secure switching between all virtual consoles, including the system console.

The SMF manifest is delivered as:
    /var/svc/manifest/system/vtdaemon.xml
And the method is delivered as:
    /lib/svc/method/vtdaemon

To meet the SMF policy, this service is delivered as follows:

o The service is delivered disabled, and is enabled in the generic_limited_net.xml profile and generic_open.xml, and is disabled when it's in non-global zones or when the virtual console functionality is not available.

o The service is managed using the action_authorization "solaris.smf.manage.vt", which is included in the Device Security Rights Profile.

o The service is local only and has no inbound network ports.

o The service properties are managed using the value_authorization "solaris.smf.value.vt".

o The service implements the project-private /usr/sbin/vtdaemon, which by nature requires full privileges, and the following method context is used for this service:

    <method_context>
        <method_credential user='root' group='root' />
    </method_context>

Thanks,
Riny
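
A reviewer can check a manifest against the delivery settings listed in the message above mechanically. The following is an added example, not part of the original message or the project's code: the manifest fragment is constructed (the real vtdaemon.xml is not shown here), and placing both authorizations in the `general` property group is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed manifest fragment (not the project's real vtdaemon.xml); it only
# mirrors the settings the message lists for svc:/system/vtdaemon:default.
SAMPLE = """<service_bundle type='manifest' name='sample'>
<service name='system/vtdaemon' type='service' version='1'>
  <create_default_instance enabled='false'/>
  <exec_method type='method' name='start' exec='/lib/svc/method/vtdaemon' timeout_seconds='0'>
    <method_context><method_credential user='root' group='root'/></method_context>
  </exec_method>
  <property_group name='general' type='framework'>
    <propval name='action_authorization' type='astring' value='solaris.smf.manage.vt'/>
    <propval name='value_authorization' type='astring' value='solaris.smf.value.vt'/>
  </property_group>
</service></service_bundle>"""

EXPECTED = {"enabled": "false", "action_authorization": "solaris.smf.manage.vt",
            "value_authorization": "solaris.smf.value.vt", "user": "root", "group": "root"}

def audit(manifest_xml, expected=EXPECTED):
    """Return a list of deviations from the stated delivery policy (empty = OK)."""
    svc = ET.fromstring(manifest_xml).find("service")
    findings = []
    inst = svc.find("create_default_instance")
    state = inst.get("enabled") if inst is not None else None
    if state != expected["enabled"]:
        findings.append(f"default instance enabled={state!r}")
    # Authorizations are propvals inside property groups.
    props = {p.get("name"): p.get("value") for p in svc.iter("propval")}
    for key in ("action_authorization", "value_authorization"):
        if props.get(key) != expected[key]:
            findings.append(f"{key}={props.get(key)!r}")
    # Every exec_method must carry an explicit credential, not inherit one.
    for m in svc.iter("exec_method"):
        cred = m.find("method_context/method_credential")
        got = (cred.get("user"), cred.get("group")) if cred is not None else None
        if got != (expected["user"], expected["group"]):
            findings.append(f"method {m.get('name')!r} credential={got!r}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "matches stated policy")
    broken = SAMPLE.replace("solaris.smf.manage.vt", "").replace("enabled='false'", "enabled='true'")
    print(audit(broken))
```

An empty list means the manifest matches the stated settings; each string in a non-empty list names one property that deviates.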