Trusted Extensions Configuration and Administration, Oracle Solaris 11.1 Information Library
14. Managing and Mounting Files in Trusted Extensions
Trusted Extensions Policies for Mounted File Systems
In Trusted Extensions, two kinds of ZFS datasets can be mounted.
A single-level labeled dataset has the same label as the zone in which the data resides or is mounted. All files and directories in a single-level dataset are at the same label. These datasets are the typical datasets in Trusted Extensions.
A multilevel dataset can contain files and directories at different labels. Such a dataset is efficient for serving NFS clients at many different labels, and it can streamline the relabeling of files.
The following mounts are possible in Trusted Extensions:
ZFS mounts – Multilevel datasets that the administrator creates can be ZFS-mounted in the global zone. A ZFS-mounted multilevel dataset can be LOFS-mounted into labeled zones on the same system.
Single-level datasets can also be created and ZFS-mounted by administrators in labeled zones.
LOFS mounts – As stated in the preceding paragraph, the global zone can LOFS mount a single-level dataset into a labeled zone. The label of the mount is ADMIN_LOW; therefore, all mounted files are read-only in the labeled zone.
The global zone can also LOFS mount a multilevel dataset into a labeled zone. The mounted files that are the same label as the zone can be modified. With appropriate permissions, the files can be relabeled. Mounted files that are at a level lower than the label of the zone can be viewed.
NFS mounts – Labeled zones can mount single-level datasets at the label of the zone. These files can originate from another labeled zone or from an untrusted system that is assigned the same label as the labeled zone.
A global zone can NFS mount a multilevel dataset from another Trusted Extensions system. The mounted files can be viewed and modified, but not relabeled. Also, only files and directories at the label of the mounting zone return the correct label.
A labeled zone can NFS mount a multilevel dataset from another Trusted Extensions system. NFS-mounted files cannot be relabeled, and the label of the files cannot be determined by the getlabel command. However, MAC policy works correctly. The mounted files that are at the same label as the zone can be viewed and modified. Lower-level files can be viewed.
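The access rules listed above can be checked against a small policy model. The following is an added example, not Solaris code: labels are a constructed toy of (classification, compartments) with a dominance relation, and mount_access encodes which operations a zone gets on one file for each mount and dataset kind described on this page, together with whether getlabel can report the file's true label.

```python
"""Policy model of the mount rules described on this page (added example,
not Solaris code).  Labels are a constructed toy of (classification,
compartments); compartments are drawn from ALL_COMPARTMENTS."""
from dataclasses import dataclass, field

ALL_COMPARTMENTS = frozenset({"a", "b", "c"})   # toy universe of compartments

@dataclass(frozen=True)
class Label:
    classification: int
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        """MAC read rule: a subject may read objects its label dominates."""
        return (self.classification >= other.classification
                and other.compartments <= self.compartments)

ADMIN_LOW = Label(0)                            # floor: dominated by all labels
ADMIN_HIGH = Label(100, ALL_COMPARTMENTS)       # ceiling: dominates all labels

def mount_access(mount, dataset, zone_label, file_label, global_zone=False):
    """Return (operations, label_reported) for one file in a mounted dataset.
    mount is "lofs" or "nfs"; dataset is "single" or "multilevel".
    operations is a frozenset drawn from {"view", "modify", "relabel"};
    label_reported says whether getlabel returns the file's true label."""
    if mount not in ("lofs", "nfs") or dataset not in ("single", "multilevel"):
        raise ValueError("unsupported mount/dataset combination")
    # A single-level dataset LOFS-mounted by the global zone is mounted at
    # ADMIN_LOW: every zone dominates it, so all files are read-only.
    if mount == "lofs" and dataset == "single":
        return frozenset({"view"}), True
    same = file_label == zone_label
    # A labeled zone NFS-mounts a single-level dataset only at its own label.
    if mount == "nfs" and dataset == "single" and not same:
        raise ValueError("NFS single-level mounts must be at the zone's label")
    ops = set()
    if same:
        ops |= {"view", "modify"}          # read-write at the zone's own label
    elif zone_label.dominates(file_label):
        ops.add("view")                    # lower-level files are view-only
    # Relabeling needs a LOFS-mounted multilevel dataset (plus the relabel
    # authorizations, which this toy does not model); never over NFS.
    if mount == "lofs" and dataset == "multilevel" and same:
        ops.add("relabel")
    if mount == "nfs" and dataset == "multilevel":
        # Over NFS the per-file label is not available to the client; the
        # global zone sees a correct label only for files at its own label.
        return frozenset(ops), (same if global_zone else False)
    return frozenset(ops), True
```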