Troubleshooting Trusted AIX
The answers to common questions may help you troubleshoot Trusted AIX®.
- How do I login to Trusted AIX?
- Trusted AIX creates three administrative users during installation, each with the appropriate role:
  - isso (Information System Security Officer)
  - sa (System Administrator)
  - so (System Operator)
The passwords for these accounts must be set when the system boots for the first time after the Trusted AIX installation. If you installed the system in promptless mode from the network, the default accounts have the following passwords, which should be changed at first login:
  User   Password
  isso   isso
  sa     sa
  so     so
- How do I su to root?
- At the time of Trusted AIX installation, the su attribute of the root account is set to false so that no user can su to it.
To access this account, one of the default administrative users, isso or sa, must set this attribute of the root account to true with the chuser command (chuser su=true root).
If su to root is enabled while the root account has no password, any user on the system can become root. To avoid this, set the root password (passwd root) before resetting the su attribute.
- Should I create administrative users of my own or use the default administrative users?
- The default administrative users exist only to set up and customize the system. It is strongly recommended, though not required, that these accounts be used for nothing else.
Create your own three administrative users with the isso, sa, and so roles, then delete or disable the default users.
- Why can't I login to the system?
- If you try to log in as root (the account with uid 0) or as any account with a uid less than 128, access is denied. These accounts are called system accounts. To use a system account, log in as a non-system user and su to the account.
- Is any error related to the label encodings file displayed while logging in?
- If the label encodings file is corrupted, you will have to enter single-user mode as root; the root account is accessible only in single-user mode.
Verify that the label encodings file (/etc/security/enc/LabelEncodings) is valid with the labck command. If the file is invalid, fix it and recheck it with labck before leaving single-user mode.
Then run trustchk in interactive mode (trustchk -t ALL) to validate the state of the system.
- Why can't I compile any program on Trusted AIX which uses Trusted AIX library APIs?
- The development toolkit is not installed by default. You will need to install the bos.mls.adt fileset from the installation media.
- How do I correct changes that I made to privileges of commands that caused those commands to stop working correctly?
- Run trustchk in interactive mode for those commands (trustchk -t <command>) to restore the privileges recorded in the Trusted Signature Database.
- Why can't I access the /etc/security/enc directory?
- To access the /etc/security/enc directory the shell requires the PV_LAB_LEF and PV_MAC_R privileges. Assign these privileges to your shell.
- How do I disable trustchk at boot?
- Remove or comment out the trustchk line in the /etc/rc.mls script.
- How do I prevent the system from prompting for boot authentication at every boot?
- Boot authentication is enabled for your system. You can disable it from the Trusted AIX submenu in SMIT.
- Why doesn't my change work when I attempt to change the SL of a file system object?
- There are several possibilities:
  - Did /usr/sbin/settxattr return any error messages? If so, check them for further information. For example:
    - Did you have permission to execute /usr/sbin/settxattr? If not, check your privileges and authorizations.
    - Was the syntax correct? Refer to the settxattr man page for the syntax.
    - Does the requested SL or its abbreviation exist? Requesting "con a b" works on a system with the default Label Encodings file (/etc/security/enc/LabelEncodings), but requesting "conf a b" does not, even though both seem logical abbreviations for "confidential compartment A compartment B".
    - Did you need quotes for a multiple-word label? The shell splits an unquoted label into separate arguments:
      settxattr -f sl=con <filename>              works
      settxattr -f -a sl="con a b" <filename>     works
      settxattr -a sl=con a b <filename>          does not work
  - Did settxattr complete without any error messages? If no error messages were returned, the file system object may be a symbolic link. If so, first decide whether you want to change the SL of the link itself or of the object it points to: settxattr does not follow links but sets the labels of the link itself.
- How do I install a third-party application so that it will work correctly on the system?
- If you installed a third-party application and it is not working correctly, it may be accessing restricted files or directories that require extra privileges. After evaluating whether the application genuinely needs to access these restricted objects, determine the privileges it needs as follows:
  - Assign PV_ROOT to your shell.
  - Run
    tracepriv -f -e <third party command>
    This lists the privileges the application actually used. Add these, and only these, to the privileged command database with the setsecattr command, then run setkst so that the kernel security tables pick up the change. Remove PV_ROOT from the shell afterwards.
- Why can't I execute certain commands?
- Most commands are protected by authorizations, so a privileged command runs only if the invoking user holds the corresponding authorization. Verify this by checking whether the authorization required to execute the command is present in one of the roles activated for the current session.
Check your active authorizations with
rolelist -ae
and the authorization required by the command with
lssecattr -c <command>
- Why don't some commands display labels properly?
- Most of these commands rely on the file /etc/security/enc/LabelEncodings to convert labels to human-readable form and back. If this file is corrupted or has been modified, the commands may not function as intended.
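The "Why can't I execute certain commands?" entry above asks you to compare the output of rolelist -ae with that of lssecattr -c by eye. The following POSIX sh script is an added example, not IBM's code, that automates the comparison and applies two AIX RBAC rules that are easy to miss when checking by hand: accessauths=ALLOW_ALL means anyone may run the command, and authorizations are hierarchical, so a role holding aix.security.user also satisfies aix.security.user.change. The two sample outputs embedded in the script are constructed approximations of what lssecattr -c and rolelist -ae print and were not captured on a system; the assumed rolelist line format is "ROLE auth,auth,...", so adjust held_auths if your release prints differently.

```shell
#!/bin/sh
# Added example (not from the IBM page): decide whether the authorizations of
# the active roles satisfy a command's accessauths list.
#  - accessauths is an OR-list: holding any one listed authorization suffices.
#  - ALLOW_ALL means anyone may run the command; ALLOW_OWNER/ALLOW_GROUP are
#    decided by file ownership, not by roles, so they are skipped here.
#  - Authorizations are hierarchical: "aix.security.user" covers
#    "aix.security.user.change".
# SAMPLE_* below are constructed, not real command output.

SAMPLE_LSSECATTR='/usr/bin/chuser accessauths=aix.security.user.change,aix.security.user.create innateprivs=PV_AU_ADD,PV_DAC_R secflags=FSF_EPS'
SAMPLE_ROLELIST='SysAdmin aix.security.user,aix.system.boot
FSAdmin aix.fs.manage'

# accessauths_of "<lssecattr -c line>": print the value of the accessauths= attribute
accessauths_of() {
    for tok in $1; do
        case $tok in
            accessauths=*) printf '%s\n' "${tok#accessauths=}"; return 0 ;;
        esac
    done
    return 1
}

# held_auths "<rolelist -ae output>": print every authorization of every listed
# role, whitespace separated (assumed line format: "ROLE auth,auth,...")
held_auths() {
    printf '%s\n' "$1" | while read -r role auths; do
        [ -n "$auths" ] && printf '%s ' "$auths" | tr ',' ' '
    done
}

# auth_covers HELD NEEDED: succeed if HELD equals NEEDED or is a dotted ancestor of it
auth_covers() {
    [ "$1" = "$2" ] && return 0
    case $2 in
        "$1".*) return 0 ;;
    esac
    return 1
}

# can_run ACCESSAUTHS HELD_LIST: succeed if any required authorization is
# covered by any held one
can_run() {
    held=$2
    oldifs=$IFS; IFS=,
    set -- $1
    IFS=$oldifs
    for need in "$@"; do
        case $need in
            ALLOW_ALL) return 0 ;;
            ALLOW_OWNER|ALLOW_GROUP) continue ;;
        esac
        for h in $held; do
            auth_covers "$h" "$need" && return 0
        done
    done
    return 1
}

# Walk the constructed sample: SysAdmin holds aix.security.user, which covers
# the aix.security.user.change that chuser requires.
if can_run "$(accessauths_of "$SAMPLE_LSSECATTR")" "$(held_auths "$SAMPLE_ROLELIST")"; then
    echo "sample: chuser is permitted by the active roles"
else
    echo "sample: chuser is NOT permitted; activate a role holding the authorization (swrole)"
fi

# On a Trusted AIX host, run the same check over live output for a command
# given as the first argument (default /usr/bin/chuser).
if command -v lssecattr >/dev/null 2>&1 && command -v rolelist >/dev/null 2>&1; then
    cmd=${1:-/usr/bin/chuser}
    if can_run "$(accessauths_of "$(lssecattr -c "$cmd")")" "$(held_auths "$(rolelist -ae)")"; then
        echo "$cmd: permitted"
    else
        echo "$cmd: missing authorization"
    fi
fi
```

A "missing authorization" result means the fix is a role change (swrole to activate a role you already have, or have the isso add one with chrole/chuser), not a privilege change with setsecattr; privileges and authorizations are separate controls in Trusted AIX.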