Under Construction

TE Policies

TE policies determine how Trusted Execution (TE) operates. Like TSD, TE policies can be stored either locally on an AIX system (/etc/security/tsd/tepolicies.dat) or on an LDAP server.

TE policies are configured using a number of attributes. The most important attribute is "TE", with the possible values "on" and "off". This attribute can be used to enable or disable Trusted Execution in the kernel. A number of additional attributes then determine what the kernel checks (CHKEXEC, CHKSHLIB, CHKSCRIPT, CHKKERNEXT):

TE - on (TE is activated) or off (TE is not activated)
CHKEXEC - Executables are checked by the system loader when they are started
CHKSHLIB - Shared libraries are checked by the system loader when they are loaded
CHKSCRIPT - Scripts are checked by the system loader when they are started
CHKKERNEXT - Kernel extensions are checked when they are loaded

Two further attributes decide what the kernel should do if a check fails:

STOP_UNTRUSTD - Untrusted executables, libraries, scripts and kernel extensions (files that have no entry in the TSD) are not started or loaded
STOP_ON_CHKFAIL - Trusted executables, libraries, scripts and kernel extensions (files with a TSD entry) for which the check fails are not started or loaded
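The following is an added example, not part of the original article and not AIX code: a small POSIX sh model of how the attributes above combine into a load decision for an executable. The function name te_exec_decision and its argument order are assumptions made for the example; the real decision is taken inside the AIX kernel.

```shell
# Model of the TE policy semantics described above (added example, not AIX's
# own implementation). Arguments:
#   TE CHKEXEC STOP_UNTRUSTD STOP_ON_CHKFAIL in_tsd(yes/no) hash_ok(yes/no)
# Prints "run" or "blocked".
te_exec_decision() {
    te=$1; chkexec=$2; stop_untrusted=$3; stop_on_chkfail=$4; in_tsd=$5; hash_ok=$6

    # TE=off: the kernel performs no checks at all
    [ "$te" = on ] || { echo run; return 0; }
    # CHKEXEC=off: executables are not checked when they are started
    [ "$chkexec" = on ] || { echo run; return 0; }

    if [ "$in_tsd" = no ]; then
        # Untrusted file (no TSD entry): only STOP_UNTRUSTD decides
        if [ "$stop_untrusted" = on ]; then echo blocked; else echo run; fi
        return 0
    fi

    # Trusted file (TSD entry exists): result of the hash check decides,
    # and STOP_ON_CHKFAIL says whether a failed check is enforced
    if [ "$hash_ok" = yes ]; then
        echo run
    elif [ "$stop_on_chkfail" = on ]; then
        echo blocked
    else
        echo run
    fi
}

# Policy "TE=ON CHKEXEC=ON STOP_ON_CHKFAIL=ON" (settable with trustchk -p),
# applied to a trusted binary whose hash no longer matches its TSD entry:
te_exec_decision on on off on yes no     # blocked
# Same policy applied to an unknown binary without a TSD entry:
te_exec_decision on on off on no yes     # run
```

The two top-level calls show the practical difference between the stop attributes: with STOP_UNTRUSTD=off, a file that was never registered in the TSD is not stopped at all, so an integrity policy that only sets STOP_ON_CHKFAIL protects registered files but not the system as a whole.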

There are a few more attributes that will be discussed later.

The TE policies can be enabled, configured, and unconfigured using the trustchk command and the "-p" option.