Troubleshooting Trusted AIX

The answers to common questions may help you troubleshoot Trusted AIX®.

How do I log in to Trusted AIX?
Trusted AIX creates three administrative users during installation, each with the appropriate role, as listed below.

The passwords for these accounts must be set when the system boots for the first time after the Trusted AIX installation. If you installed the system in promptless mode from the network, the passwords for these default accounts are as follows.

User   Password
isso   isso
sa     sa
so     so
How do I su to root?
At the time of Trusted AIX installation, the su attribute of root is set to false so that no user can access this account. To make the account accessible, one of the default administrative users, isso or sa, must change this attribute of the root account to true with the chuser command.

If su to root is enabled while no password is set for the root account, any user on the system can access the root account. To avoid this, set the password of the root account before changing the su attribute.

Should I create administrative users of my own or use the default administrative users?
The default administrative users exist only to set up and customize the system. It is highly recommended, though not required, that these accounts be used only for customizing the system.

Create your own three administrative users with the isso, sa, and so roles, and then delete or disable the default users.

Why can't I log in to the system?
If you try to log in as root (the account with uid 0) or as any account with a uid less than 128, access is denied. These accounts are referred to as system accounts. To access a system account, log in as a non-system account user and su to the account.
Is any error related to the label encodings file displayed while logging in?
If the label encodings file is corrupted, you will have to enter single user mode as the root user. The root account is accessible only in single user mode.

Verify that the label encodings file (/etc/security/enc/LabelEncodings) is valid by running the labck command. If the file is invalid, correct it and recheck it with labck before leaving single user mode.

Run trustchk in interactive mode (trustchk -t ALL) to validate the state of the system.

Why can't I compile a program that uses the Trusted AIX library APIs?
The development toolkit is not installed by default. Install the bos.mls.adt fileset from the installation media.
How do I correct changes that I made to privileges of commands that caused those commands to stop working correctly?
Run trustchk in interactive mode (trustchk -t) on those commands to repair their privileges.
Why can't I access the /etc/security/enc directory?
To access the /etc/security/enc directory the shell requires the PV_LAB_LEF and PV_MAC_R privileges. Assign these privileges to your shell.
How do I disable trustchk at boot?
Remove or comment out the trustchk line in the /etc/rc.mls script.
How do I prevent the system from prompting for boot authentication at every boot?
You might have enabled boot authentication for your system. You can disable it from the Trusted AIX submenu in SMIT.
Why doesn't my change work when I attempt to change the SL of a file system object?
There are several possibilities:
  • Did /usr/sbin/settxattr return any error messages? If so, check them for further information. For example:
      • Did you have permission to execute /usr/sbin/settxattr? If not, check your privileges and authorizations.
      • Was the syntax correct? Refer to the settxattr man page for the syntax.
      • Does the requested SL or its abbreviation exist? Requesting "con a b" will work on a system with a default Label Encodings file (/etc/security/enc/LabelEncodings), but requesting "conf a b" will not, even though both would seem logical abbreviations for "confidential compartment A compartment B."
      • Did you need to use quotes for a multiple-word label? settxattr -f sl=con <filename> will work, settxattr -f -a sl="con a b" <filename> will work, but settxattr -a sl=con a b <filename> will not work.
  • Did settxattr return any error messages? If no error messages were returned, the file system object may be a symbolic link. If the object you were trying to change is a symbolic link, first determine whether you wish to change the SL of the link itself or of the object that the link points to. settxattr does not follow links; it sets the labels of the link itself.
How do I install a third-party application so that it will work correctly on the system?
If you installed a third-party application and it is not working correctly, it might be accessing restricted files or directories that require extra privileges. After evaluating whether the application genuinely needs access to these restricted objects, determine the privileges it needs as follows.
  • Assign PV_ROOT to your shell
  • Run tracepriv -f -e <third party command>

This lists the privileges the application requires. Add them to the privileged command database with the setsecattr command.
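The tracepriv-to-setsecattr step above, as an added shell example that is not part of the original page: it reads tracepriv output (a constructed sample here, since the real layout may differ), keeps only the distinct PV_* names, and prints the setsecattr command for review rather than running it. The command path /opt/vendor/bin/report is hypothetical.

```shell
#!/bin/sh
# Constructed sample of what `tracepriv -f -e <cmd>` prints for a
# hypothetical third-party binary; the parser relies only on the PV_* tokens,
# so header lines, indentation and repeated privileges are tolerated.
SAMPLE_TRACE='2341: Used privileges for /opt/vendor/bin/report:
        PV_DAC_R
        PV_DAC_W
        PV_DAC_R
        PV_FS_CHOWN
        PV_MAC_R'

# Distinct PV_* names from tracepriv output, sorted and comma-separated,
# which is the list form setsecattr takes for innateprivs.
privs_from_trace() {
    printf '%s\n' "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^PV_[A-Z_]+$/) print $i }' \
        | sort -u | paste -s -d ',' -
}

# Print the setsecattr command that registers the command with exactly the
# privileges it was observed to use. Nothing is executed here; the line is
# printed so an administrator can review the privilege set first.
build_setsecattr() {
    cmd_path=$1
    privs=$(privs_from_trace "$2")
    if [ -z "$privs" ]; then
        echo "no PV_* privileges found in trace output" >&2
        return 1
    fi
    printf 'setsecattr -c innateprivs=%s %s\n' "$privs" "$cmd_path"
}

build_setsecattr /opt/vendor/bin/report "$SAMPLE_TRACE"
```

On a live system the new privileged command entry is loaded into the kernel security tables with setkst after setsecattr has been run.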

Why can't I execute certain commands?
Most commands are protected by authorizations, so a privileged command can be executed only if the invoking user holds the corresponding authorization. Verify this by checking whether the authorization the command requires is present in one of the roles active for the current session.

Check your active authorizations with rolelist -ae and the authorization required by the command using lssecattr -c <command>.
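The rolelist/lssecattr comparison above, as an added shell example that is not part of the original page: it matches the authorizations required by a command (its accessauths attribute) against the authorizations of the active roles, honouring the AIX authorization hierarchy (a parent such as aix.security covers aix.security.user.create, and ALLOW_ALL covers everything). The role and command output is a constructed sample standing in for the real command output.

```shell
#!/bin/sh
# Constructed sample output standing in for `rolelist -ae` (active roles with
# their authorizations) and `lssecattr -c <command>`; only the
# "role  auth,auth" and "accessauths=..." shapes are relied on.
ACTIVE_ROLES='SysBoot     aix.system.boot.create,aix.system.boot.info
FSAdmin     aix.fs.manage.export,aix.fs.manage.quota'
ACTIVE_ROLES_SEC="$ACTIVE_ROLES
SecAdmin    aix.security"
CMD_ATTRS='/usr/sbin/mkuser accessauths=aix.security.user.create innateprivs=PV_DAC_R,PV_DAC_W'

# Every authorization granted by the listed roles, one per line.
active_auths() {
    printf '%s\n' "$1" | awk 'NF >= 2 { print $2 }' | tr ',' '\n'
}

# Authorizations in the command's accessauths attribute; any one suffices.
required_auths() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^accessauths=//p' | tr ',' '\n'
}

# Authorizations are a dot-separated hierarchy: holding aix.security also
# covers aix.security.user.create; a child never grants its parent.
auth_satisfied() {
    n=$1
    h=$2
    [ "$n" = ALLOW_ALL ] && return 0
    [ "$h" = ALLOW_ALL ] && return 0
    [ "$h" = "$n" ] && return 0
    case "$n" in "$h".*) return 0 ;; esac
    return 1
}

# Exit status 0 when some active authorization covers some required one.
can_run() {
    for need in $(required_auths "$2"); do
        for have in $(active_auths "$1"); do
            auth_satisfied "$need" "$have" && return 0
        done
    done
    return 1
}

if can_run "$ACTIVE_ROLES" "$CMD_ATTRS"; then
    echo "authorized to run mkuser"
else
    echo "not authorized; activate a role granting one of:" $(required_auths "$CMD_ATTRS")
fi
```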

Why don't some commands display labels properly?
Most of these commands rely on the file /etc/security/enc/LabelEncodings to convert labels to human-readable form and back. If this file is corrupted or has been modified, the commands may not function as intended.