Hi,

Please review the SMF service policy of the virtual console:

1. svc:/system/console-login

     This SMF service handles all console logins, including virtual
     console logins.  The default instance is used for the system
     console, and the other instances (vt2 to vt6) are used for virtual
     consoles.

     The SMF manifest is delivered as:
         /var/svc/manifest/system/console-login.xml
     and the method is delivered as:
         /lib/svc/method/console-login

     To meet the SMF policy, this service is delivered as follows:

     o The default instance is delivered enabled since it is needed
       in the seed repository. The other instances, for virtual consoles,
       are delivered disabled; they are enabled in the
       generic_limited_net.xml and generic_open.xml profiles, and are
       disabled in non-global zones or when the virtual console
       functionality is not available.

     o The service is managed using the action_authorization
       "solaris.smf.manage.vt" which is included in the Device Security
       Rights Profile.

     o The service is local only and has no inbound network ports.

     o The service properties are managed using the value_authorization
       "solaris.smf.value.vt".

     o The service runs ttymon(1M) and login(1), which by nature
       require full privileges, so the following method context is
       used for this service:

                 <method_context>
                         <method_credential user='root' group='root' />
                 </method_context>


2. svc:/system/vtdaemon:default

     This SMF service provides secure switching between all virtual
     consoles, including the system console.

     The SMF manifest is delivered as:
         /var/svc/manifest/system/vtdaemon.xml
     and the method is delivered as:
         /lib/svc/method/vtdaemon

     To meet the SMF policy, this service is delivered as follows:

     o The service is delivered disabled; it is enabled in the
       generic_limited_net.xml and generic_open.xml profiles, and is
       disabled in non-global zones or when the virtual console
       functionality is not available.

     o The service is managed using the action_authorization
       "solaris.smf.manage.vt" which is included in the Device Security
       Rights Profile.

     o The service is local only and has no inbound network ports.

     o The service properties are managed using the value_authorization
       "solaris.smf.value.vt".

     o The service runs the project-private /usr/sbin/vtdaemon, which
       by nature requires full privileges, so the following method
       context is used for this service:

                 <method_context>
                         <method_credential user='root' group='root' />
                 </method_context>



Thanks,

Riny
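
As an added example, not part of the mail above and not the vt project's own code: a small Python audit that checks an SMF manifest against the policy points the mail lists (both authorizations set in the general/framework property group, non-default instances delivered disabled, and the credential each method runs with recorded for review). The embedded manifest is a constructed fragment in the shape described for console-login.xml, not the real file; its exec strings and the vt3 instance (deliberately delivered enabled to trigger a finding) are assumptions made for the example.

```python
"""Audit an SMF manifest against the vt service delivery policy.

Added example, not the vt project's own code. SAMPLE_MANIFEST is a
constructed fragment modelled on the console-login layout described
above; it is not the real console-login.xml.
"""
import xml.etree.ElementTree as ET

# Authorizations the mail says gate management of the vt services.
REQUIRED_AUTHS = {
    "action_authorization": "solaris.smf.manage.vt",
    "value_authorization": "solaris.smf.value.vt",
}

# Constructed sample: vt3 is delivered enabled on purpose so the audit
# has a violation to report. The exec strings are assumptions.
SAMPLE_MANIFEST = """<?xml version='1.0'?>
<service_bundle type='manifest' name='example:console-login'>
<service name='system/console-login' type='service' version='1'>
  <property_group name='general' type='framework'>
    <propval name='action_authorization' type='astring'
             value='solaris.smf.manage.vt'/>
    <propval name='value_authorization' type='astring'
             value='solaris.smf.value.vt'/>
  </property_group>
  <method_context>
    <method_credential user='root' group='root'/>
  </method_context>
  <exec_method type='method' name='start'
               exec='/lib/svc/method/console-login %i' timeout_seconds='0'/>
  <exec_method type='method' name='stop' exec=':kill' timeout_seconds='3'/>
  <instance name='default' enabled='true'/>
  <instance name='vt2' enabled='false'/>
  <instance name='vt3' enabled='true'/>
</service>
</service_bundle>
"""


def _propvals(pg):
    """Map propval name -> value for one <property_group>."""
    return {pv.get("name"): pv.get("value") for pv in pg.findall("propval")}


def _credential(node, inherited):
    """The <method_credential> that applies to node: its own
    <method_context> if present, else the service-level one."""
    ctx = node.find("method_context")
    if ctx is not None and ctx.find("method_credential") is not None:
        return ctx.find("method_credential")
    return inherited


def audit_manifest(xml_text):
    """Return {'violations': [...], 'notes': [...]} for every <service>
    in the bundle. Violations break the policy; notes are review items."""
    violations, notes = [], []
    root = ET.fromstring(xml_text)
    for svc in root.iter("service"):
        fmri = "svc:/" + svc.get("name", "?")

        # 1. Both authorizations must be set in the 'general' framework
        #    property group; without them only root can manage the service.
        auths = {}
        for pg in svc.findall("property_group"):
            if pg.get("name") == "general" and pg.get("type") == "framework":
                auths.update(_propvals(pg))
        for name, want in REQUIRED_AUTHS.items():
            if auths.get(name) != want:
                violations.append(
                    f"{fmri}: {name}={auths.get(name)!r}, expected {want!r}")

        # 2. Only the default instance may be delivered enabled; the vt
        #    instances are switched on by the generic_* profiles instead.
        for inst in svc.findall("instance"):
            iname = inst.get("name")
            if iname != "default" and inst.get("enabled") != "false":
                violations.append(
                    f"{fmri}:{iname}: delivered enabled; must be delivered "
                    "disabled and enabled by profile")

        # 3. Record what each method runs as. root:root with no privilege
        #    set is acceptable only with a justification like the one above.
        svc_ctx = svc.find("method_context")
        svc_cred = (svc_ctx.find("method_credential")
                    if svc_ctx is not None else None)
        for em in svc.iter("exec_method"):
            cred = _credential(em, svc_cred)
            mname = em.get("name")
            if cred is None:
                notes.append(f"{fmri}: method {mname} has no "
                             "method_credential; runs as root by default")
            elif cred.get("user") == "root" and cred.get("privileges") is None:
                notes.append(f"{fmri}: method {mname} runs as root:root with "
                             "all privileges; needs justification")
    return {"violations": violations, "notes": notes}


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for kind in ("violations", "notes"):
        print(kind.upper())
        for line in report[kind]:
            print("  " + line)
```

Run it against a real manifest with `audit_manifest(open('/var/svc/manifest/system/console-login.xml').read())`; a service-level `<method_context>` is honoured for every method that does not carry its own, which matches how the snippets in the mail are written.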
