Installation Guide

The purpose of this document is to guide the system administrator in successfully installing and updating the TED software on the Solaris 11.4 Operating System. Configuring Trusted Extensions is generally outside the scope of this installation guide.

1 Prerequisites

  • The Solaris 11.4 support package repository is accessible, either over an Internet connection to Oracle or via a local IPS repository
  • An x86 system running Solaris 11.4 (any SRU) is directly connected to the Internet

Systems running Solaris 11.3 should be updated to 11.4 prior to configuring the TED software. Oracle does not support updating labeled zones from Solaris 11.3 to Solaris 11.4 due to packaging restrictions, so any labeled zones must be uninstalled prior to updating to Solaris 11.4.

  • Valid certificate and key files have been obtained from Dynamic Systems

2 Using a Secure Shell Connection

We recommend that the initial installation and configuration be done remotely using ssh or PuTTY. This makes it easier to copy and paste the various command lines from this document, and to report problems while reconfiguring the desktop. After connecting to the Solaris 11.4 system, assume the root role.

    su -

3 Configuring the Publisher Keys and Certificates

  1. Set up the trusted-desktop publisher as the primary source

    pkg set-publisher -c <path-to-certfile> -k <path-to-keyfile> -P \
        -g <repository-origin-URL> trusted-desktop
  2. Allow previously installed Solaris packages to be updated by the trusted-desktop publisher

    pkg set-publisher --non-sticky solaris

4 Configuring a Local Repository for the TED Software

The trusted-desktop and solaris publishers each require unique credentials. The following Oracle bugs, which prevented installing packages with this publisher configuration, have been fixed in SRU 27:


  • 31753895 - Cannot install non-global zones when two publishers each require unique ssl certificates
  • 31894507 - Backport of Bug 31753895 for 11.4 SRU

If your Solaris system is older than SRU 27 then the following workaround is required. Otherwise it is optional.

4.1 Create a Local Repository

  1. Initialize a local trusted-desktop repository

    pkgrepo create /var/share/pkg/repositories/trusted-desktop
  2. Download the TED repository contents

    pkgrecv -s <repository-origin-URL> -d /var/share/pkg/repositories/trusted-desktop -p trusted-desktop --clone

4.2 (Optional) Copy the TED repository to an air-gapped system

  1. Create repository archive

    cd /var/share/pkg/repositories
    find trusted-desktop -depth -print | cpio -oVO trusted-desktop.cpio
  2. After copying the cpio file to the air-gapped system, extract the archive

    cd /var/share/pkg/repositories
    cpio -iVd < trusted-desktop.cpio

4.3 Update the trusted-desktop Publisher

Set the local origin for the trusted-desktop publisher

    pkg set-publisher -P -G '*' -g /var/share/pkg/repositories/trusted-desktop trusted-desktop

5 Installing the TED Software on Solaris 11.4

  1. Install the Trusted Extensions Desktop packages. (Takes approximately 15 min and installs >400 packages)

    pkg install trusted/trusted-extensions

    Reference: Add Trusted Extensions Packages to an Oracle Solaris System

  2. If any Solaris desktop software was previously installed, several pre-existing Solaris packages must be updated to get the latest TED versions

    pkg update xorg xvnc xscreensaver libwnck3 libxklavier
  3. Verify the TED version

    $ cat /etc/ted-release
    Dynamic Systems Inc. Trusted Extensions Desktop (TED) 1.0 February 2021

The TED software packages are synchronized with Oracle Solaris SRU versions and will be automatically updated when you update to newer SRUs.

6 (Optional) Configuring the Lightdm Display Manager

The lightdm display manager is recommended because it provides better performance and security than gdm.

  1. Disable gdm and enable lightdm (Perform this step with root privileges)

    svcadm disable gdm
  2. Press Return, log in, and su to root

    svcadm restart dbus
    svcadm restart hal
    svcadm enable lightdm

The login screen should appear. If the background is dark instead of showing the normal red polygons, that indicates that the mime database was not successfully updated. To fix this, do the following as root:

    update-mime-database /usr/share/mime

Log in to the desktop with the admin account you created. Verify that the MATE desktop is working correctly. Right-click on the desktop and select Open terminal. Verify that the Terminal window appears. At this point you may assume the root role in the Terminal or continue to use the remote connection.

7 Enabling Solaris Trusted Extensions

The procedures for enabling and managing Trusted Extensions and using the TED software are well documented in the Oracle Solaris web pages, and will not be repeated here. However, there are a few workarounds that are discussed in this section.

The following three files can be updated to allow remote access to the global zone to facilitate debugging:

  1. Verify in /etc/user_attr that the administrative user's clearance is ADMIN_HIGH and min_label is ADMIN_LOW

    ladmin::::lock_after_retries=no;roles=root;clearance=ADMIN_HIGH;min_label=ADMIN_LOW;auth_profiles=System Administrator
  2. Edit /etc/pam.d/other to allow unlabeled hosts to log in remotely with ssh, by adding the allow_unlabeled option to the pam_tsol_account account line

    account required pam_tsol_account.so.1 allow_unlabeled
  3. Edit line 17 in /etc/security/tsol/tnrhdb, removing the comment from this line:

This allows unrestricted network connectivity to the global zone.


Enable Trusted Extensions and reboot:

    labeladm enable -r

After logging in you are presented with the Trusted Extensions Message of the Day dialog. Verify the attributes and select OK.


Update the home directory path for the admin user created during installation.

    vi /etc/passwd

Change /export/home/<user> to /home/<user>.

See the comments in the Additional Steps section for more information about using the automounter to create home directories in labeled zones.
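The three global-zone edits above, together with the /export/home to /home change (revisited in section 9.1), can be checked with the following helpers. This is an added example, not part of the TED guide or the TED software; the function names are hypothetical, the sample files are constructed, and the PAM check assumes allow_unlabeled is placed on the pam_tsol_account.so.1 account line. Point the functions at copies of the files, e.g. a saved /etc, to confirm the debugging relaxations are present or have been reverted.

```shell
#!/bin/sh
# Added audit helpers (not part of the TED guide): they check, against copies of
# /etc/user_attr, /etc/pam.d/other and /etc/passwd, the global-zone edits
# described in this section. Function names are hypothetical.

# Print the value of KEY from USER's attribute list in a user_attr file.
# user_attr fields are user:qualifier:res1:res2:attr; attr is key=value;...
user_attr_value() {   # usage: user_attr_value USER_ATTR_FILE USER KEY
  awk -F: -v u="$2" -v k="$3" '
    $1 == u {
      n = split($5, kv, ";")
      for (i = 1; i <= n; i++) {
        eq = index(kv[i], "=")
        if (eq && substr(kv[i], 1, eq - 1) == k) { print substr(kv[i], eq + 1); exit }
      }
    }' "$1"
}

# Succeed only when USER has clearance=ADMIN_HIGH and min_label=ADMIN_LOW.
check_admin_labels() {   # usage: check_admin_labels USER_ATTR_FILE USER
  [ "$(user_attr_value "$1" "$2" clearance)" = "ADMIN_HIGH" ] &&
  [ "$(user_attr_value "$1" "$2" min_label)" = "ADMIN_LOW" ]
}

# Succeed when the account line for pam_tsol_account.so.1 carries the
# allow_unlabeled option, i.e. remote logins from unlabeled hosts are allowed.
# (Assumption: the option is set on that module's line, as Oracle documents.)
pam_allows_unlabeled() {   # usage: pam_allows_unlabeled PAM_FILE
  grep -Eq '^[[:space:]]*account[[:space:]].*pam_tsol_account\.so\.1[[:space:]].*allow_unlabeled' "$1"
}

# List users whose home directory still starts with /export/home; those
# passwd entries must be changed to /home for the automounter to work.
export_home_users() {   # usage: export_home_users PASSWD_FILE
  awk -F: '$6 ~ /^\/export\/home\// { print $1 }' "$1"
}

# Stand-alone run against constructed sample files (not from a real system).
d=$(mktemp -d)
printf '%s\n' 'ladmin::::lock_after_retries=no;roles=root;clearance=ADMIN_HIGH;min_label=ADMIN_LOW;auth_profiles=System Administrator' > "$d/user_attr"
printf '%s\n' 'account required pam_tsol_account.so.1 allow_unlabeled' > "$d/other"
printf '%s\n' 'ladmin:x:100:10::/export/home/ladmin:/bin/bash' 'jdoe:x:101:10::/home/jdoe:/bin/bash' > "$d/passwd"
check_admin_labels "$d/user_attr" ladmin && echo "ladmin: clearance/min_label OK"
pam_allows_unlabeled "$d/other" && echo "pam.d/other: allow_unlabeled is set"
echo "passwd entries still under /export/home: $(export_home_users "$d/passwd")"
rm -rf "$d"
```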

8 Installing Labeled Zones

There is a bug in Oracle Solaris SRUs 24, 25, and 26 that prevents the installation of labeled zones:


  • 31843025 - AI installation fails on the Solaris 11.4 SRU 24

If you are running on any of these SRUs, you may use the following workaround:

Edit line 294 in the file: /usr/lib/python3.7/vendor-packages/solaris/smf/

by appending text=True as follows:

    stderr=Popen.DEVNULL, text=True)

There is another bug in the same file that is scheduled to be fixed in SRU 30. The bug treats a successful zone installation as a failure:


  • 32242493 - SMF altroot does not ignore monitoring processes in stop_daemons()

The workaround is to comment out the following four lines starting at line 307:

    raise RuntimeError(_("unable to kill process(es) %(pid) "
        "running in %(alt_root)s") %
        {"alt_root": self.alt_root,
        "pid": " ".join(pids)})

The easiest way to install labeled zones is to use txzonemgr. However, even if you prefer your own method, it is still necessary to run txzonemgr at least once because it performs some one-time patching that cannot be done via the pkg command.

  1. Switch to an empty workspace and assume the root role
  2. Start a Terminal and run txzonemgr
  3. To install the two default zones select "Install Public and Internal zones"

  4. Wait until the public zone console login prompt appears. Log in to verify that your home directory was successfully created. The desktop software requires that the user's home directory exists in each labeled zone

  5. Dismiss the zone console window (click the red x)

  6. Wait for the login prompt in the Internal zone console. Close the zone console window (click the red x)

9 Additional Steps

9.1 Labeled Zone Home Directories

When the global zone and labeled zones are sharing a single name service, the passwd and shadow files are loopback mounted into each labeled zone when it is booted. In Solaris 11.3 TX the automounter automatically creates home directories in labeled zones by interpreting files like: /etc/auto_home_public

This functionality was previously broken in Solaris 11.4 and has been fixed in SRU 30:


  • 31653239 - Automount daemon doesn't create home directories when TrustedExtensions is enabled in 11.4

If you are running an older release, the workaround is to use an executable automount script /etc/auto_homedir. This file is automatically listed in /etc/auto_master when labeled zones are created by txzonemgr.

The use of the automounter to create home directories requires that the user's home directory specification in /etc/passwd starts with /home instead of /export/home. This change must be made manually in the global zone for existing user accounts. For newly created accounts the home directory pathname specified with useradd(8) should be preceded by localhost:, for example:


9.2 Automatic Zone Booting

Users with the appropriate authorization may reboot labeled zones from within a zone. When an authorized user selects a labeled workspace for which the corresponding labeled zone is not currently running, the zone is booted automatically. The user receives visual feedback while the zone is being initialized.

9.3 Customizing Workspace Properties

The user may customize labeled workspaces by selecting a unique background image for each uniquely labeled workspace. Select Change Desktop Background from the desktop menu and pick an image you like.

Workspace names can also be customized. Select Properties in the workspace switcher to edit the workspace names or create additional workspaces.

9.4 Remote TED Sessions

For remote VNC sessions enable the service:

    svcadm enable xvnc-inetd

9.4.1 Gdm

For the gdm display manager edit /etc/gdm/custom.conf.


Then restart the gdm service

    svcadm restart gdm

9.4.2 Lightdm

For the lightdm display manager edit the file /etc/lightdm/lightdm.conf.


If there is no physical or virtual monitor connected to the hardware, modify this line, as well:


The file /etc/issue may be used to provide a legal notice prior to logging in. The position of the login window and the legal notice may be customized by editing the file /etc/lightdm/lightdm-gtk-greeter.conf. For example:

    position=50% 70%
    issue-position=50% 10%

Then restart the lightdm service

    svcadm restart lightdm

9.4.3 VirtualBox

When running in VirtualBox, sometimes the keyboard arrows don't work properly. To fix this, select the following from the panel menu:


Select the keyboard that matches your host hardware.