Trusted Extensions Configuration and Administration     Oracle Solaris 11.1 Information Library
Backing Up, Sharing, and Mounting Labeled Files (Task Map)

The following task map describes common tasks that are used to back up and restore data from labeled file systems, and to share and mount file systems that are labeled.

Task: Back up files.
Description: Archives your data while preserving labels.
For instructions: How to Back Up Files in Trusted Extensions

Task: Restore data.
Description: Restores labeled data from a backup.
For instructions: How to Restore Files in Trusted Extensions

Task: Share a labeled file system.
Description: Allows a labeled file system to be accessed by users on other systems.
For instructions: How to Share File Systems From a Labeled Zone

Task: Mount a file system that is shared by a labeled zone.
Description: Allows the contents of a file system to be mounted read-write in a labeled zone at the same label. When a higher-level zone mounts the shared directory, the directory mounts read-only.
For instructions: How to NFS Mount Files in a Labeled Zone

Task: Create home directory mount points.
Description: Creates mount points for every user at every label. This task enables users to access their home directory at every label on a system that is not the NFS home directory server.

Task: Hide lower-level information from a user who is working at a higher label.
Description: Prevents the viewing of lower-level information from a higher level.

Task: Troubleshoot file system mounting problems.
Description: Resolves problems with mounting a file system.
For instructions: How to Troubleshoot Mount Failures in Trusted Extensions

How to Back Up Files in Trusted Extensions

Before You Begin

You must be assigned the Media Backup rights profile. You are in the global zone.

How to Restore Files in Trusted Extensions

Before You Begin

You are in the root role in the global zone.

How to Share File Systems From a Labeled Zone

To mount or share directories that originate in labeled zones, set the appropriate ZFS share properties on the file system, and then restart the zone to share the labeled directories.


Caution - Do not use proprietary names for shared file systems. The names of shared file systems are visible to every user.


Before You Begin

You must be assigned the ZFS File System Management rights profile.

  1. Create a workspace at the label of the file system that is going to be shared.

    For details, see How to Add a Workspace at Your Minimum Label in Trusted Extensions User’s Guide.

  2. In the zone, create the file system.
    # zfs create rpool/wdocs1
  3. Share the file system by setting ZFS share properties.

    For example, the following set of commands shares a documentation file system for writers. The file system is shared read-write so that writers can modify their documents on this server. setuid programs are disallowed.

    # zfs set share=name=wdocs1,path=/wdocs1,prot=nfs,setuid=off,exec=off,devices=off rpool/wdocs1
    # zfs set sharenfs=on rpool/wdocs1

  4. For each zone, share the directories by starting the zone.

    In the global zone, run one of the following commands for each zone. Each zone can share its file systems in any of these ways. The actual sharing occurs when each zone is brought into the ready or running state.

    • If the zone is not in the running state and you do not want users to log in to the server at the label of the zone, set the zone state to ready.
      # zoneadm -z zone-name ready
    • If the zone is not in the running state and users are allowed to log in to the server at the label of the zone, boot the zone.
      # zoneadm -z zone-name boot
    • If the zone is already running, reboot the zone.
      # zoneadm -z zone-name reboot
  5. Display the file systems that are shared from your system.

    In the root role in the global zone, run the following command:

    # zfs get all rpool

    For more information, see Querying ZFS File System Information in Oracle Solaris 11.1 Administration: ZFS File Systems.

  6. To enable the client to mount the shared file system, see How to NFS Mount Files in a Labeled Zone.

Example 14-1 Sharing the /export/share File System at the PUBLIC Label

For applications that run at the label PUBLIC, the system administrator enables users to read the documentation in the /export/reference file system of the public zone.

First, the administrator switches to a workspace at the PUBLIC label and opens a terminal window. In the window, the administrator sets selected share properties on the /reference file system:

# zfs set share=name=reference,path=/reference,prot=nfs,setuid=off,exec=off,devices=off,rdonly=on rpool/reference

Then, the administrator shares the file system.

# zfs set sharenfs=on rpool/reference

The administrator leaves the public workspace and returns to the Trusted Path workspace. Because users are not allowed to log in to this file server, the administrator shares the file system by putting the zone in the ready state:

# zoneadm -z public ready

Users can access the shared file system once it is mounted on the users' systems.
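The procedure and Example 14-1 both rely on every file system that leaves a labeled zone carrying setuid=off, exec=off and devices=off in its share property. The script below is an added example, not part of the Oracle documentation: it builds a share value with those defaults and audits a listing of share and sharenfs values for datasets that are exported over NFS without them. The listing it parses is constructed inline in the assumed shape of zfs get -H -o name,property,value output; it is not captured output from a system.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): audits the value of the
# ZFS 'share' property on datasets shared from a labeled zone and reports any
# that are exported over NFS without the hardened options used in the
# procedure above. The listing parsed here is constructed, not captured output.

# Options that every file system shared from a labeled zone should carry.
REQUIRED_OPTS="prot=nfs setuid=off exec=off devices=off"

# build_share_value NAME PATH [ro]
# Prints the 'share' property value with the hardened defaults; "ro" adds
# rdonly=on for read-only documentation shares such as Example 14-1.
build_share_value() {
    _v="name=$1,path=$2,prot=nfs,setuid=off,exec=off,devices=off"
    [ "${3:-}" = "ro" ] && _v="$_v,rdonly=on"
    printf '%s\n' "$_v"
}

# missing_share_opts VALUE
# Prints the required options that are absent from a 'share' value, separated
# by spaces; prints an empty line when the value is fully hardened.
missing_share_opts() {
    _missing=""
    for _opt in $REQUIRED_OPTS; do
        case ",$1," in
            *",$_opt,"*) ;;
            *) _missing="$_missing $_opt" ;;
        esac
    done
    printf '%s\n' "${_missing# }"
}

# sample_listing
# Constructed stand-in for 'zfs get -H -o name,property,value share,sharenfs'
# (tab-separated: dataset, property, value). Assumed shape, not real output.
sample_listing() {
    printf '%s\t%s\t%s\n' \
        rpool/wdocs1    share    name=wdocs1,path=/wdocs1,prot=nfs,setuid=off,exec=off,devices=off \
        rpool/wdocs1    sharenfs on \
        rpool/reference share    name=reference,path=/reference,prot=nfs,setuid=off,exec=off,devices=off,rdonly=on \
        rpool/reference sharenfs on \
        rpool/scratch   share    name=scratch,path=/scratch,prot=nfs \
        rpool/scratch   sharenfs on \
        rpool/private   share    name=private,path=/private,prot=nfs \
        rpool/private   sharenfs off
}

# audit_share_listing < LISTING
# Prints one line per dataset that has sharenfs=on but lacks a required
# option. Datasets that are not exported are ignored.
audit_share_listing() {
    awk -F'\t' -v req="$REQUIRED_OPTS" '
        BEGIN { n = split(req, want, " ") }
        $2 == "share"    { share[$1] = $3 }
        $2 == "sharenfs" { nfs[$1] = $3 }
        END {
            for (ds in nfs) {
                if (nfs[ds] != "on") continue
                m = ""
                for (i = 1; i <= n; i++)
                    if (index("," share[ds] ",", "," want[i] ",") == 0)
                        m = m " " want[i]
                if (m != "") print ds ": missing" m
            }
        }' | sort
}

# Stand-alone demo: reports rpool/scratch, the only weak NFS export above.
sample_listing | audit_share_listing
```

On a real server the same audit runs over the live listing, for example by piping the output of zfs get -H -o name,property,value share,sharenfs -r rpool into audit_share_listing from the root role in the global zone after step 5 of the procedure.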

How to NFS Mount Files in a Labeled Zone

In Trusted Extensions, a labeled zone manages the mounting of files in its zone. File systems from unlabeled and labeled hosts can be mounted on a Trusted Extensions labeled system. The system must have a route to the file server at the label of the mounting zone.

Trusted Extensions uses the same mounting interfaces as Oracle Solaris:

Before You Begin

You must be on the client system, in the zone at the label of the files that you want to mount. Verify that the file system that you want to mount is shared. Unless you are using the automounter, you must be assigned the File System Management rights profile. To mount from lower-level servers, the zone on this client must be configured with the net_mac_aware privilege.

How to Troubleshoot Mount Failures in Trusted Extensions

Before You Begin

You must be in the zone at the label of the file system that you want to mount. You must be in the root role.

  1. Verify that the file systems on the NFS server are shared.
  2. Check the security attributes of the NFS server.
    1. Use the tninfo or tncfg command to find the IP address of the server or a range of IP addresses that includes the NFS server.

      The address might be directly assigned, or indirectly assigned through a wildcard mechanism. The address can be in a labeled or unlabeled template.

    2. Check the label that the template assigns to the NFS server.

      The label must be consistent with the label at which you are trying to mount the files.

  3. Check the label of the current zone.

    If the label is higher than the label of the mounted file system, then you cannot write to the mount even if the remote file system is exported with read/write permissions. You can only write to the mounted file system at the label of the mount.

  4. To mount file systems from an NFS server that is running earlier versions of Trusted Solaris software, do the following:
    • For a Trusted Solaris 1 NFS server, use the vers=2 and proto=udp options to the mount command.
    • For a Trusted Solaris 2.5.1 NFS server, use the vers=2 and proto=udp options to the mount command.
    • For a Trusted Solaris 8 NFS server, use the vers=3 and proto=udp options to the mount command.

    To mount file systems from any of these servers, the server must be assigned to an unlabeled template.
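Steps 2 and 3 of the troubleshooting procedure, and the mount rules stated in How to NFS Mount Files in a Labeled Zone, reduce to two questions: which template covers the server's address, and how the zone's label compares with the label that template assigns. The script below is an added example, not part of the Oracle documentation, that answers both for a given zone label and server address. The template table is constructed here and is not the output of tninfo or tncfg; labels use a constructed "CLASS:comp,comp" encoding (numeric classification, comma-separated compartments) rather than Trusted Extensions label syntax, and the function, template and host names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): a pre-mount check that
# follows steps 2 and 3 of the troubleshooting procedure above. It finds the
# template that covers an NFS server address (exact host or network wildcard,
# longest prefix wins), reads the label the template assigns, and reports the
# access a zone at a given label can expect: read-write at an equal label,
# read-only when the zone's label dominates the server's, otherwise denied.
#
# Labels use a constructed encoding "CLASS:comp,comp" (numeric classification,
# comma-separated compartments); the template table is constructed too and is
# not the output of tninfo or tncfg.

# template_table
# Constructed entries: template name, host or network in CIDR form, label.
template_table() {
    printf '%s %s %s\n' \
        cipso_public   192.0.2.10/32 1: \
        cipso_internal 192.0.2.0/24  2:eng \
        admin_low      0.0.0.0/0     0:
}

# template_for_host IPV4
# Prints "template label" for the most specific entry covering the address.
template_for_host() {
    template_table | awk -v host="$1" '
        function ip2n(s,  a) {
            split(s, a, ".")
            return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
        }
        BEGIN { hn = ip2n(host); best = -1 }
        {
            split($2, p, "/"); plen = p[2] + 0
            shift = 2 ^ (32 - plen)
            if (int(hn / shift) == int(ip2n(p[1]) / shift) && plen > best) {
                best = plen; tmpl = $1; lbl = $3
            }
        }
        END { if (best >= 0) print tmpl, lbl }'
}

# dominates A B
# Returns 0 when label A dominates label B: A's classification is at least
# B's and every compartment of B is present in A.
dominates() {
    _ca=${1%%:*}; _cb=${2%%:*}
    _xa=${1#*:};  _xb=${2#*:}
    [ "$_ca" -ge "$_cb" ] || return 1
    _ifs=$IFS; IFS=,
    for _c in $_xb; do
        case ",$_xa," in
            *",$_c,"*) ;;
            *) IFS=$_ifs; return 1 ;;
        esac
    done
    IFS=$_ifs
    return 0
}

# expected_mount_access ZONE_LABEL FS_LABEL
# Prints read-write, read-only, or denied for a mount attempted from a zone
# at ZONE_LABEL of a file system exported at FS_LABEL.
expected_mount_access() {
    if dominates "$1" "$2" && dominates "$2" "$1"; then
        echo read-write
    elif dominates "$1" "$2"; then
        echo read-only
    else
        echo denied
    fi
}

# check_mount ZONE_LABEL SERVER_IP
# Ties the two checks together for one server, as an administrator would
# before retrying a failed mount.
check_mount() {
    _hit=$(template_for_host "$2")
    [ -n "$_hit" ] || { echo "$2: no template covers this address"; return 0; }
    _tmpl=${_hit%% *}; _lbl=${_hit#* }
    echo "$2: template $_tmpl assigns label $_lbl; zone at $1 gets $(expected_mount_access "$1" "$_lbl")"
}

# Stand-alone demo.
check_mount 1: 192.0.2.10
check_mount 2:eng 192.0.2.77
check_mount 1: 192.0.2.77
```

The "denied" outcome corresponds to the case the procedure describes in step 2b: the template's label is not consistent with the label of the zone attempting the mount, so the fix is in the template assignment, not in the mount options. The "read-only" outcome matches step 3: a higher-level zone can mount but cannot write, however the server exported the file system.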