| Skip Navigation Links | |
| Exit Print View | |
|
Trusted Extensions Configuration and Administration Oracle Solaris 11.1 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Trusted Extensions Configuration and Administration Oracle Solaris 11.1 Information Library |
Part I Initial Configuration of Trusted Extensions
1. Security Planning for Trusted Extensions
2. Configuration Roadmap for Trusted Extensions
3. Adding the Trusted Extensions Feature to Oracle Solaris (Tasks)
4. Configuring Trusted Extensions (Tasks)
5. Configuring LDAP for Trusted Extensions (Tasks)
Part II Administration of Trusted Extensions
6. Trusted Extensions Administration Concepts
7. Trusted Extensions Administration Tools
8. Security Requirements on a Trusted Extensions System (Overview)
9. Performing Common Tasks in Trusted Extensions
10. Users, Rights, and Roles in Trusted Extensions (Overview)
11. Managing Users, Rights, and Roles in Trusted Extensions (Tasks)
12. Remote Administration in Trusted Extensions (Tasks)
13. Managing Zones in Trusted Extensions
14. Managing and Mounting Files in Trusted Extensions
Mount Possibilities in Trusted Extensions
Trusted Extensions Policies for Mounted File Systems
Trusted Extensions Policy for Single-Level Datasets
Trusted Extensions Policy for Multilevel Datasets
No Privilege Overrides for MAC Read-Write Policy
Results of Sharing and Mounting File Systems in Trusted Extensions
Sharing and Mounting Files in the Global Zone
Sharing and Mounting Files in a Labeled Zone
mlslabel Property and Mounting Single-Level File Systems
Multilevel Datasets for Relabeling Files
Mounting Multilevel Datasets From Another System
NFS Server and Client Configuration in Trusted Extensions
Trusted Extensions Software and NFS Protocol Versions
Backing Up, Sharing, and Mounting Labeled Files (Task Map)
How to Back Up Files in Trusted Extensions
How to Restore Files in Trusted Extensions
How to Share File Systems From a Labeled Zone
How to NFS Mount Files in a Labeled Zone
How to Troubleshoot Mount Failures in Trusted Extensions
15. Trusted Networking (Overview)
16. Managing Networks in Trusted Extensions (Tasks)
17. Trusted Extensions and LDAP (Overview)
18. Multilevel Mail in Trusted Extensions (Overview)
19. Managing Labeled Printing (Tasks)
20. Devices in Trusted Extensions (Overview)
21. Managing Devices for Trusted Extensions (Tasks)
22. Trusted Extensions Auditing (Overview)
23. Software Management in Trusted Extensions
Creating and Managing a Security Policy
Site Security Policy and Trusted Extensions
Computer Security Recommendations
Physical Security Recommendations
Personnel Security Recommendations
Additional Security References
B. Configuration Checklist for Trusted Extensions
Checklist for Configuring Trusted Extensions
C. Quick Reference to Trusted Extensions Administration
Administrative Interfaces in Trusted Extensions
Oracle Solaris Interfaces Extended by Trusted Extensions
Tighter Security Defaults in Trusted Extensions
Limited Options in Trusted Extensions
D. List of Trusted Extensions Man Pages
Trusted Extensions Man Pages in Alphabetical Order
Oracle Solaris Man Pages That Are Modified by Trusted Extensions
Lower-level directories can be made visible to users in a higher-level zone. The NFS server for the lower-level directories can be a Trusted Extensions system or an untrusted system.
The trusted system requires server configuration. The untrusted system requires client configuration.
NFS server configuration on a trusted system – To make lower-level directories from a trusted system visible in a labeled zone requires configuring the server.
In the global zone on the NFS server, you must configure the NFS service as a multilevel service.
From the global zone, the administrator must add the net_bindmlp privilege to the limitpriv of the labeled zone.
In the labeled zone, you export the ZFS file system by setting its share properties. When the status of the labeled zone is running, the file system is shared at the label of the zone. For the procedure, see How to Share File Systems From a Labeled Zone.
NFS client configuration for an untrusted NFS server – Because the server is not trusted, the NFS client must be trusted. The net_mac_aware privilege must be specified in the zone configuration file that is used during initial zone configuration. So, a user who is permitted to view all lower-level home directories must have the net_mac_aware privilege in every zone, except the lowest zone. For an example, see How to NFS Mount Files in a Labeled Zone.
Home directories are a special case in Trusted Extensions.
You need to make sure that the home directories are created in every zone that a user can use.
Also, the home directory mount points must be created in the zones on the user's system.
For NFS-mounted home directories to work correctly, the conventional location for directories, /export/home, must be used.
Note - The txzonemgr script assumes that home directories are mounted as /export/home.
In Trusted Extensions, the automounter has been modified to handle home directories in every zone, that is, at every label. For details, see Changes to the Automounter in Trusted Extensions.
Home directories are created when users are created. However, the home directories are created in the global zone of the home directory server. On that server, the directories are mounted by LOFS. Home directories are automatically created by the automounter if they are specified as LOFS mounts.
Note - When you delete a user, only the user's home directory in the global zone is deleted. The user's home directories in the labeled zones are not deleted. You are responsible for archiving and deleting the home directories in the labeled zones. For the procedure, see How to Delete a User Account From a Trusted Extensions System.
However, the automounter cannot automatically create home directories on remote NFS servers. Either the user must first log in to the NFS server or administrative intervention is required. To create home directories for users, see How to Enable Users to Access Their Remote Home Directories at Every Label by Logging In to Each NFS Server.
In Trusted Extensions, each label requires a separate home directory mount. The automount command has been modified to handle these labeled automounts. For each zone, the automounter, autofs, mounts an auto_home_zone-name file. For example, the following is the entry for the global zone in the auto_home_global file:
+auto_home_global * -fstype=lofs :/export/home/&
When a zone that permits lower-level zones to be mounted is booted, the following occurs. The home directories of lower-level zones are mounted read only under /zone/zone-name/export/home. The auto_home_zone-name map specifies the /zone path as the source directory for an lofs remount onto /zone/zone-name/home/username.
For example, the following is an auto_home_public entry in an auto_home_zone-at-higher-level map that is generated from a higher-level zone:
+auto_home_public * public-zone-IP-address:/export/home/&
The txzonemgr script sets up this PUBLIC entry in the auto_master file in the global zone:
+auto_master /net -hosts -nosuid,nobrowse /home auto_home -nobrowse /zone/public/home auto_home_public -nobrowse
When a home directory is referenced and the name does not match any entries in the auto_home_zone-name map, the map tries to match this loopback mount specification. The software creates the home directory when the following two conditions are met:
The map finds the match of the loopback mount specification
The home directory name matches a valid user whose home directory does not yet exist in zone-name
For details on changes to the automounter, see the automount(1M) man page.
|