This chapter discusses how to work in Solaris Trusted Extensions workspaces. This chapter covers the following topics:Visible Desktop Security in Trusted Extensions Trusted Extensions Logout Process Working on a Labeled System Performing Trusted Actions visibilitydesktop security Trusted Extensions offers two desktops, the Solaris Trusted Extensions (CDE) desktop and the Solaris Trusted Extensions (GNOME) desktop. Both desktops are labeled, but the labels might not be visible when you are working at a single label. To view an example of a system that is configured to display labels, see Figure 1–4.trusted symbolon Trusted CDE workspacelabelsvisible on desktopA system that is configured with Trusted Extensions displays the trusted stripe except during login and screen lock. At all other times, the trusted stripe is visible. In Trusted CDE, the stripe is at the bottom of the screen. In Trusted GNOME, the stripe is at the top of the screen. The trusted symbol appears on the trusted stripe when you interact with the trusted computing base. When you change your password, for example, you interact with the TCB.trusted stripeon multiheaded systemmultiheaded systemtrusted stripeWhen the monitors of a multiheaded Trusted Extensions system are configured horizontally, one trusted stripe appears across the monitors. However, if the multiheaded system is configured to display vertically, or has separate desktops, one per monitor, then the trusted stripe appears on one monitor only.If a second trusted stripe appears on a multiheaded system, the stripe is not generated by the operating system. You might have an unauthorized program on your system. Contact your security administrator immediately. To determine the correct trusted stripe, see How to Regain Control of the Desktop’s Current Focus in Solaris Trusted Extensions Administrator’s Procedures. For details about the applications, menus, labels, and features of the desktop, see Chapter 4, Elements of Trusted Extensions (Reference). logging outuser responsibilities user responsibilitieswhen leaving workstation A workstation that is logged in to, but left unattended, creates a security risk. Make a habit of securing your workstation before you leave. If you plan to return soon, lock your screen. At most sites, the screen automatically locks after a specified period of idleness. If you expect to be gone for awhile, or if you expect someone else to use your workstation, log out. visibilitytrusted stripetrusted stripewhat to do if missingtroubleshootingmissing trusted stripeno trusted stripetroubleshootingSecurity Administrator rolecontacting about missing trusted stripeIf the trusted stripe is missing from your workspace, contact the  security administrator. The problem with your system could be serious.The trusted stripe should not appear during login, or when you lock your screen. If the trusted stripe shows, contact the administrator immediately. userslocking your screen If you leave your workstation briefly, lock the screen. To lock your screen, do one of the following:In Trusted CDE, click the screen lock icon in the workspace switch area of the Front Panel.

Front panel shows the screen lock icon to the left of the switch area, and the exit button to the right.

In Trusted GNOME, choose Lock Screen from the Main menu.The screen turns black. At this point, only you can log in again.unlabeled screenslockscreentrusted stripenot on lockscreenThe trusted stripe should not appear when the screen is locked. If the stripe does appear, notify the security administrator immediately. usersunlocking your screenTo unlock your screen, do the following:Move your mouse until the Lock Screen dialog box is visible.If the Lock Screen dialog box does not appear, press the Return key. Type your password.This action returns you to your session in its previous state. logging outprocedure userslogging out responsibilitiesusers when logging out usersresponsibilitieswhen leaving workstation At most sites, the screen automatically locks after a specified period of idleness. If you expect to leave the workstation for awhile, or if you expect someone else to use your workstation, log out. To log out, do one of the following:In Trusted CDE, click the EXIT icon in the workspace switch area of the Front Panel.For a picture of the Front Panel, see Figure 3–1.The Logout Confirmation dialog box is displayed. Dialog box titled Logout Confirmation shows OK, Cancel, and Help buttons. Text tells you that your current session is saved. In Trusted GNOME, choose Log Out your-name from the Main menu. Confirm that you want to continue to log out.Click OK to log out. Otherwise, click Cancel. Workspace MenuSuspend System Suspend System menu item shutting down a workstation usersshutting down a workstation Main MenuShut Down Shut Down menu item Logging out is the normal way to end a Trusted Extensions session. Use the following procedure if you need to turn off your workstation.If you are not on the console, you cannot shut down the system. For example, Sun Ray clients cannot shut down the system. To shut down the system, do one of the following:In Trusted GNOME, choose Shut Down from the Main menu.Confirm the shutdown. In Trusted CDE, choose Suspend System from the Workspace menu.Click mouse button 3 over the background to open the menu.Confirm what you want to do.Click Shutdown to shut down your system. Click Suspend to put your system in power-saving mode. Otherwise, click Cancel. Stop-A (L1-A) keyboard combinationBy default, the keyboard combination Stop-A (L1-A) is not available in Trusted Extensions. The security administrator can change this default. filesviewing in a workspace usersviewing files in a workspace To view your files, you use the same applications that you would use in Trusted CDE or Trusted GNOME on a Solaris system. If you are working at multiple labels, only the files that are at the label of the workspace are visible. In a Trusted CDE workspace, open a terminal window or the File Manager.Open a terminal window and list the contents of your home directory.Click mouse button 3 over the background. From the Workspace menu, choose Programs –> Terminal. File Managerviewing contentsOn the Front Panel, click the File Manager.

Screen shows a File Manager that is labeled PUBLIC with files in the File Manager.

The File Manager appears with the contents of your home directory at that label.The File Manager opens at the same label as the current workspace. The application provides access to only those files that are at its label. For details about viewing files at different labels, see Containers and Labels. File Browserviewing contentsIn a Trusted GNOME workspace, open a terminal window or the File Browser.Open a terminal window and list the contents of your home directory.Click mouse button 3 over the background. From the menu, choose Open Terminal. File Browserviewing contentsDouble-click the Documents folder or the This Computer folder on your desktop.These folders open in a File Browser. The File Browser application opens at the same label as the current workspace. The application provides access to only those files that are at its label. For details about viewing files at different labels, see Containers and Labels. man pages in Trusted Extensions accessingman pages in Trusted Extensions help in Trusted Extensionsman pages usersgetting online help In the Solaris Express Community Edition release, review the trusted_extensions5 man page in a terminal window.% man trusted_extensionsFor a list of user commands that are specific to Trusted Extensions, see Appendix E, List of Trusted Extensions Man Pages, in Solaris Trusted Extensions Administrator’s Procedures. The man pages are also available from Sun's documentation web site. help in Trusted Extensionsonline help usersfinding online help for Trusted Extensions findingonline help for Trusted Extensions Trusted CDEfinding online help for Trusted ExtensionsIn Trusted CDE, click the Help icon on the Front Panel.

A window titled Help Viewer shows Solaris Trusted Extensions desktop help.

Click the Index button. In the index, search All Volumes for the word Trusted. Click the links to find help that is specific to Trusted Extensions. Trusted GNOMEonline helpTrusted Path menuusingIn Trusted GNOME, click Help from the Trusted Path menu.To open the Trusted Path menu, click the trusted symbol at the left of the trusted stripe. To find task-specific help, click the Help button on the trusted application that you are currently using, such as the Device Manager. customizingWorkspace Menu Workspace Menucustomizing Trusted CDEcustomizing the Workspace Menu userscustomizing the Workspace Menu In Trusted CDE, users and roles can customize the Workspace menu for each distinct label. In your current workspace, start to customize the Workspace menu.To add one or more items to the menu, choose the Add Item to Menu item.A dialog box with a Browse button appears. To modify the menu or menu properties, choose Customize Menu item.A File Manager appears. If you are adding items to the Workspace menu, do the following:For each program, find the program and add it.Click the Browse button to show the files that are available for this workspace at this label. Select the program. Close the window.The items are added to the top of the Workspace menu. If you are modifying the Workspace menu, do the following:To remove a menu item, click mouse button 3 over the item and click Put in Trash. To change properties, such as permissions, click mouse button 3 over the item and click Properties.You can modify permissions here. You can also view file information and file sensitivity label. Confirm the menu changes, or cancel.To confirm your changes, choose File –> Update Workspace Menu.The Workspace menu reflects your changes. To cancel your changes, choose File –> Close. linking files at different labelsby using .link_files filesaccessing initialization files at every label accessinginitialization files at every label initialization filesaccessing at every label usersaccessing initialization files at every label files$HOME/.copy_files files$HOME/.link_files .copy_files filecreating .link_files filecreating creating$HOME/.copy_files file creating$HOME/.link_files file Linking a file or copying a file to another label is useful when you want to make a file with a lower label visible at higher labels. The linked file is only writable at the lower label. The copied file is unique at each label and can be modified at each label. For more information, see .copy_files and .link_files Files in Solaris Trusted Extensions Administrator’s Procedures. You must be logged in to a multilevel session. Your site's security policy must permit linking.Work with your administrator when modifying these files. Decide which initialization files you want to link to other labels. Create or modify the ~/.link_files file.Type your entries one file per line. You can specify paths to subdirectories in your home directory, but you cannot use a leading slash. All paths must be within your home directory. Decide which initialization files you want to copy to other labels.Copying an initialization file is useful when you have an application that always writes to a file with a specific name, and you need to separate the data at different labels. Create or modify the ~/.copy_files file.Type your entries one file per line. You can specify paths to subdirectories in your home directory, but you cannot use a leading slash. All paths must be within your home directory. In this example, the user wants to customize several initialization files per label. In her organization, a company web server is available at the Restricted level. So, she sets different initial settings in the .mozilla file at the Restricted level. Similarly, she has special templates and aliases at the Restricted level. So, she modifies the .aliases and .soffice initialization files at the Restricted level. She can easily modify these files after creating the .copy_files file at her lowest label.% vi .copy_files # Copy these files to my home directory in every zone .aliases .mozilla .soffice In this example, the user wants her mail defaults and shell defaults to be identical at all labels.% vi .link_files # Link these files to my home directory in every zone .cshrc .mailrc troubleshooting$HOME/.copy_files filetroubleshooting$HOME/.link_files file.copy_files filetroubleshooting.link_files filetroubleshootingThese files do not have safeguards for dealing with anomalies. Duplicate entries in both files or file entries that already exist at other labels can cause errors. determininglabel of a window Query Window Label menu item labelsdetermining by window query Trusted Path menuQuery Window Label This operation can be useful when your system is not configured to display labels in the window frames. Choose Query Window Label from the Trusted Path menu.The pointer changes to a question mark. Move the pointer around the screen.The label for the region under the pointer is displayed in a small rectangular box at the center of the screen.

Screen shows a window with a Query Window Label pointer, and a Window Label indicator that shows the label of the window being queried.

Click the mouse button to end the operation. desktopscommon tasks Some common tasks are affected by labels and security. In particular, the following tasks are affected by Trusted Extensions:Emptying the trash Finding calendar events In Trusted CDE, restoring the Front Panel and using the Style Manager Empty the trash.The trash can contains files only at the label of the workspace. Delete sensitive information as soon as the information is in the trash can.In Trusted CDE, open the Trash Can on the Front Panel.Choose File -> Select All, then File -> Shred. Then, confirm. In Trusted GNOME, click mouse button 3 over the Trash Can icon on the desktop.Choose Empty Trash, then confirm. findingcalendar events at every labelFind calendar events at every label.Calendars show only the events at the label of the workspace that opened the calendar.In a multilevel session, open your calendar from a workspace that has a different label. In a single-level session, log out. Then, log in at a different label to view the calendar events at that label. In Trusted CDE, restore the Front Panel by clicking the trusted stripe.A minimized Front Panel is restored. customizingdesktopTrusted GNOMEcustomizing the desktopTrusted CDEcustomizing the desktopOn both desktops, save a customized desktop at every label.You can customize the workspace configuration for every label at which you log in.Configure the desktop.Arrange windows, establish the font size, and perform other customizations.Users can save desktop configurations. Roles cannot save desktop configurations. Save the current workspace.In Trusted CDE, open the Style Manager. Choose your settings in the Startup icon.Trusted CDEusing the Style ManagerStyle Managerrequires the trusted pathThe Style Manager requires the trusted path. Run the Style Manager from the Front Panel or from the Workspace menu, where the Style Manager has the trusted path. Your desktop is restored in this configuration when you next log in at this label. In Trusted GNOME, click the Main menu.Click Preferences > Sessions. Click the Session Options button. Click Remember currently running applications, then close the dialog box. Your desktop is restored in this configuration when you next log in at this label. trusted computing base (TCB)procedures that interact with the TCB The following security-related tasks require the trusted path.If the trusted symbol is missing when you are attempting a security-related action, contact your security administrator at once. The problem on your system could be serious. changingyour password userschanging your password Trusted Path menuChange Password Change Password menu item hot keyregaining control of desktop focus key combinationstesting if grab is trusted trusted grabkey combination desktopskeyboard focus Unlike the Solaris OS, Trusted Extensions provides a GUI for changing your password. The GUI grabs the pointer until the password operation is completed. To stop a process that has grabbed the pointer, see How to Regain Control of the Desktop’s Current Focus in Solaris Trusted Extensions Administrator’s Procedures. Choose Change Password from the Trusted Path menu.For the Change password menu item in Trusted GNOME, click Trusted Path in the trusted stripe.The following figure shows the Trusted Path menu in Trusted CDE. Screen shows the basic Trusted Path menu. Type your current password.This action confirms that you are the legitimate user for this user name. For security reasons, the password is not displayed as you type.When you type your password, make sure that the cursor is over the Change Password dialog box and that the trusted symbol is displayed. If the cursor is not over the dialog box, you might inadvertently type your password into a different window where the password could be seen by another user. If the trusted symbol is not displayed, then someone might be attempting to steal your password. Contact your security administrator at once. Type the new password. Confirm the password by retyping it. Style Managerchanging session characteristicsworkspacessetting default labellogging inat a different labeluserslogging in at a different labelThe label of the first workspace that appears in subsequent login sessions after the first login can be set to any label within your label range.Users can configure the startup session characteristics for every label at which they log in.. You must be logged in to a multilevel session. Create workspaces at every label.For details, see How to Add a Workspace at a Particular Label. Configure each workspace as you want the workspace to appear. Go to the workspace that you want to see when you log in. Save this current workspace.For details, see How to Perform Some Common Desktop Tasks in Trusted Extensions. devicesusing devicesallocating Trusted Path menuAllocate Device Allocate Device menu item allocating a device usersallocating a device The Allocate Device menu item enables you to mount and allocate a device for your exclusive use. If you try to use a device without allocating it, you get the error message “Permission Denied”. You must be authorized to allocate a device. Choose Allocate Device from the Trusted Path menuOr, in Trusted CDE, open the Device Allocation Manager from the Tools subpanel in the Front Panel.

Screen shows the icon for the Device Allocation Manager on the Front Panel.

The Device Allocation Manager is displayed. In Solaris Trusted Extensions (GNOME), this GUI is called the Device Manager.

Screen shows the Device Allocation Manager with an audio device in the Available Devices list.

Double-click the device that you want to use.The devices that you are permitted to allocate at your current label appear under Available Devices:.audion – Indicates a microphone and speaker cdromn – Indicates a CD-ROM drive floppyn – Indicates a diskette drive mag_tapen – Indicates a tape drive (streaming) rmdiskn – Indicates a removable disk, such as a JAZ or ZIP drive, or USB hot-pluggable media Select the device.Move the device from the Available Devices list to the Allocated Devices list.Double-click the device name in the Available Devices list. Or, select the device and click the Allocate button that points to the right. This step starts the clean script. The clean script ensures that no data from other transactions remains on the media.Note that the label of the current workspace is applied to the device. Any data transferred to or from the device's media must be dominated by this label. Follow the instructions.The instructions ensure that the media has the correct label. Then, the device is mounted. The device name now appears in the Allocated Devices list. This device is now allocated for your exclusive use. devicesusing removable media allocatingremovable media mountingremovable media In this example, a user wants to load information onto her system from a CD-ROM that is labeled SECRET. She is authorized to allocate the CD-ROM.First, she creates a workspace at the label SECRET. In this workspace, she opens the Device Allocation Manager, and allocates the CD-ROM drive. Then, she inserts the CD and responds yes to the mount query.The software mounts the CD and the File Manager appears. The current directory is set to the mount point. allocatingmedia for formatting formattingremovable media In this example, a user wants to format a diskette to contain SECRET data. She is authorized to allocate the CD-ROM drive.First, she creates a workspace at the label SECRET. In this workspace, she opens the Device Allocation Manager, and allocates the CD-ROM drive. Then, she inserts the CD and responds no to the mount query. The CD can now be formatted. In this example, a user allocates the audio device on her system. When she moves the audio device to the Allocated Device list, the following message appears: Dialog box displays warning text about microphone use. The device is allocated at the label Confidential : Internal Use Only. She views the label when she selects the device in the Allocated Device list. When the audio device is selected in the Allocated Devices list, its label appears in the Label field. When the user is finished with the audio device, she deallocates it. The system reminds her to turn off the microphone. Dialog box displays warns user to turn off microphone. allocating a devicetroubleshootingtroubleshootingdevice allocationdevicestroubleshootingIf the device that you want to use does not appear in the list, check with your administrator. The device could be in an error state or in use by someone else. Or, you might not be authorized to use the device.If you switch to a different role workspace or to a workspace at a different label, the allocated device cannot work at that label. To use the device at the new label, you need to deallocate the device at the initial label, and then allocate the device at the new label. In Trusted CDE, when you use the Occupy Workspace command from the window menu to move the Device Allocation Manager to the new workspace, the Available and Allocated Devices lists change to reflect the correct context. The Device Manager in Trusted GNOME works similarly when you move the GUI to a workspace at a different label.troubleshootingFile Manager not appearingFile Managertroubleshooting when it does not appearFile Browsertroubleshooting when it does not appearIf a File Manager or File Browser window does not appear, open the window manually, then navigate to the root directory, /. In this directory, navigate to the allocated device to see its contents. Device Allocation Managerdeallocating devices deallocating devicesbasic procedure Deallocate the device.Go to the workspace where the Device Allocation Manager is displayed. Move the device to be deallocated from the list of allocated devices. Remove the media. Click OK in the Deallocation dialog box.The device is now available for use by another authorized user. assuming a role usersassuming a role Trusted Path menuAssume rolename role Assume rolename role menu item Unlike the Solaris OS, Trusted Extensions provides a GUI for assuming a role. findingTrusted Path menuOpen the Trusted Path menu.In Solaris Trusted Extensions (CDE), click the center of the Front Panel.If you have been assigned a role by the security administrator, the Trusted Path menu includes the Assume rolename Role menu item.Choose Assume rolename Role. In Solaris Trusted Extensions (GNOME), click your user name at the right of the trusted symbol.Choose the role name from the menu. Type the role password and press Return.This action confirms that you can legitimately assume this role. For security reasons, the password is not displayed as you type.When you type your password, make sure that the cursor is over the Change Password dialog box and that the trusted symbol is displayed. If the cursor is not over the dialog box, you might inadvertently type your password into a different window where the password could be seen by another user. If the trusted symbol is not displayed, then someone might be attempting to steal your password. Contact your security administrator at once. After the role password is accepted, the software places you in a role workspace. In Trusted GNOME, the current workspace becomes the role workspace. In Trusted CDE, a new workspace is created for the role. You are in the global zone. You can perform the tasks that are permitted by the rights profiles in your role. Change Workspace Label menu item Trusted Path menuChange Workspace Label roleschanging workspace label userschanging workspace label changingworkspace label The ability to set workspace labels in Trusted Extensions provides a convenient means of working at different labels within the same session.Use this procedure to work in the same workspace at a different label. To create a workspace at a different label, see How to Add a Workspace at a Particular Label. You must be logged in to a multilevel session. Click mouse button 3 over the workspace button. From the menu, choose Change Workspace Label. Choose a label from the label builder.The workspace label is changed to the new label. Windows and applications that were invoked before the label change continue to run at the previous label. The trusted stripe indicates the new label. In a system where labels are color-coded, new windows are marked with the new color. In Trusted CDE, the workspace button is color-coded. rolesadding a labeled workspace usersadding a labeled workspace addingworkspaces addinglabeled workspace The ability to set workspace labels in Trusted Extensions provides a convenient means of working at different labels within the same session. On both desktops, you can add a workspace at your minimum label. In Trusted CDE, you can add a workspace at the label of an existing workspace.In Trusted CDE, rename each workspace button to reflect the label of the workspace. To change the label of the current workspace, see How to Change the Label of a Workspace. You must be logged in to a multilevel session. In Trusted GNOME, to create a workspace at your minimum label, do the following:Click mouse button 3 over a workspace box in the panel display. From the menu, choose Preferences. Increase the number in the Number of Workspaces field.The new workspaces are created at your minimum label. You can also use this dialog box to name the workspaces.In Trusted GNOME, to add a workspace at a different label, you select a workspace box and change its label. For details, see How to Change the Label of a Workspace. In Trusted CDE, to create a workspace at your minimum label, do the following:Click mouse button 3 over the Workspace Switch Area. From the menu, choose Add Workspace.The workspace is created at your minimum label. Rename the workspace. In Trusted CDE, to create a workspace at the label of an existing workspace, do the following:Click mouse button 3 over the workspace button. From the menu, choose Add Workspace.The workspace is created at the label of the workspace button. usersswitching to a workspace at a different label switching to a workspace at a different label In Trusted CDE, click the workspace switch at that label.

Screen shows a Front Panel with four switches at three different labels.

In Trusted GNOME, click the workspace box on the panel display.You are now in that labeled workspace. If you are logged in to a single-level session, you must log out to work at a different label. Then, log in at the desired label. If you are permitted, you can also log in to a multilevel session. usersmoving a window to a workspace at a different label movinga window to a workspace at a different label Windows that are moved to a different workspace retain their original label. Any actions that are done in those windows are done at the label of the window, not at the label of the containing workspace. Moving a window is useful when you want to compare information. You might also want to use applications at different labels without moving between workspaces. In Trusted CDE, use the Occupy Workspace menu to move a window to a different workspace.From the application's window menu, choose Occupy Workspace.

Screen shows the Occupy Workspace dialog box.

Choose a workspace at a different label, then click OK.This action moves the application to a workspace that has a different label. Note that the Occupy Workspace dialog box has the label Trusted Path. This label indicates that occupying a workspace affects the trusted computing base.The following figure shows two terminal windows at different labels in one workspace.

Screen shows a Public window and a Confidential window in one workspace.

In Trusted GNOME, in the panel display, drag the window from its original workspace box to a different workspace box.The dragged window now appears in the second workspace. datadetermining label of usersdetermining the label of a file determininglabel of a file Usually, the label of a file is obvious. However, if you are allowed to view files at a lower label than your current workspace, the label of a file might not be obvious. In particular, the label of a file can be different from the label of the File Manager. In Trusted CDE, use the File Manager to determine the label of the file.In the File Manager, select the file, then choose the File -> Properties menu item.Read the value of the file's Sensitivity Label property. Or, drag the file from the containing File Manager onto the desktop.The file icon displays the label of the file. File Browserdisplaying label of fileIn Trusted GNOME, use the File Browser.You can also use the Query Label menu item from the Trusted Path menu. authorizationsrequired to change label of data datachanging label of selectionchanging label usersauthorized to change security level of data labelschanging label of data changingsecurity level of data movingdata to different label usersmoving data between labels As on a Solaris system, you can move data between windows in Trusted Extensions. However, the data must be at the same label. When you transfer information between windows with different labels, you are upgrading or downgrading the sensitivity of that information. Your site's security policy must permit this type of transfer, the containing zone must permit relabeling, and you must be authorized to move data between labels.Therefore, your administrator must have completed the following tasks:How to Enable Files to be Relabeled From a Labeled Zone in Solaris Trusted Extensions Administrator’s Procedures How to Enable a User to Change the Security Level of Data in Solaris Trusted Extensions Administrator’s Procedures You must be logged in to a multilevel session. Create workspaces at both labels.For details, see How to Add a Workspace at a Particular Label. Confirm the label of the source file.For details, see How to Determine the Label of a File. Move the window with the source information to a workspace at the target label.For details, see How to Move a Window to a Different Workspace. The following figure shows two editors at different labels in the same workspace.

Illustration shows 2 text editors at 2 different labels in one workspace, and 2 file managers at different labels.

Highlight the information to be moved, and paste the selection in the target window.Selection ManagerThe Selection Manager Confirmation dialog box is displayed. Review the Selection Manager Confirmation dialog box.This dialog box:Describes why confirmation of the transaction is needed. Identifies the label and the owner of the source file. Identifies the label and the owner of the destination file. Identifies the type of data that was selected for transfer, the type of the target file, and the size of the data in bytes. By default, the selected data is visible in text format. Indicates the time that remains for you to complete the transaction. The amount of time and the use of the timer depends on your site's configuration.

Window titled Selection Manager shows the source, destination, and transaction information for text being transferred from one window to another.

In the View As menu, choose how to view the source information.Choose hexadecimal to view the data in hexadecimal format. Choose None to hide the data altogether.By resetting the View As menu, you affect the displays of subsequent transfers. Choose None for selections that consist of unreadable data. Confirm that you want the label of the data to change.Click Cancel to stop the transaction. Otherwise, click OK. fileschanging labels directorieschanging labels usersauthorized to change label of file changinglabels by authorized users changingsecurity level of data movingfile to different label filesmoving between File Managers labelschanging label of files File Manager changing labels usersmoving files between labels As on a standard Solaris system, you can move files in Trusted Extensions. When you move a file to a different label, you are upgrading or downgrading the sensitivity of the information that is in the file. Your site's security policy must permit this type of transfer, the containing zone must permit relabeling, and you must be authorized to move files between labels.Therefore, your administrator must have completed the following tasks:How to Enable Files to be Relabeled From a Labeled Zone in Solaris Trusted Extensions Administrator’s Procedures How to Enable a User to Change the Security Level of Data in Solaris Trusted Extensions Administrator’s Procedures File Browserchanging labelsYou must be logged in to a multilevel session in Trusted CDE. The file that you want to move must be closed. Verify that no one else is using this file. Create workspaces at both labels.For details, see How to Add a Workspace at a Particular Label. Open File Managers at both labels.For details, see How to View Your Files in a Labeled Workspace. In the source File Manager, navigate to the file whose label is to change. In the target File Manager, navigate to the file's new directory. Move the File Managers into one workspace.For details, see How to Move a Window to a Different Workspace.

Illustration shows file managers at 2 different labels in the same workspace.

Drag and drop the file to the target directory.

Illustration shows file managers at 2 different labels, and a file being dragged from one manager to the other.

The File Manager Confirmation dialog box is displayed, as shown in Figure 3–14.This dialog box is similar to the Selection Manager Confirmation dialog box, but does not include a timer. This dialog box:Describes why confirmation of the transaction is needed. Identifies the label and the owner of the source file. Identifies the label and the owner of the destination file. Identifies the type of data that was selected for transfer, the type of the target file, and the size of the data in bytes.

Window titled FileManager Drag And Drop Confirmer, label Trusted Path, shows the source, destination, and transfer information for a dragged file.

Confirm that you want the label of the file to change.Click Cancel to stop the transaction. Click Apply to move the file to the new label. fileslinking between File Managers at different labels File Manager changing file labels userslinking files at different labels linking files at different labels The linking of a file to another label is useful when you want to view a file with a lower label at a higher label. The file is writable only at the lower label.To link a file, the user presses Shift-Control while dragging the file icon from the source File Manager to the target File Manager. Then, the user confirms the link, or cancels the operation. troubleshootingrelabeling fileschanging labelstroubleshootingIf your system is not configured to permit the upgrading or downgrading of labels, a dialog box that states that the transfer is not authorized is displayed. Check with your administrator.