Skip Navigation Links | |
Exit Print View | |
Trusted Extensions Configuration and Administration Oracle Solaris 11.1 Information Library |
Part I Initial Configuration of Trusted Extensions
1. Security Planning for Trusted Extensions
2. Configuration Roadmap for Trusted Extensions
3. Adding the Trusted Extensions Feature to Oracle Solaris (Tasks)
4. Configuring Trusted Extensions (Tasks)
5. Configuring LDAP for Trusted Extensions (Tasks)
Part II Administration of Trusted Extensions
6. Trusted Extensions Administration Concepts
7. Trusted Extensions Administration Tools
8. Security Requirements on a Trusted Extensions System (Overview)
9. Performing Common Tasks in Trusted Extensions
10. Users, Rights, and Roles in Trusted Extensions (Overview)
11. Managing Users, Rights, and Roles in Trusted Extensions (Tasks)
12. Remote Administration in Trusted Extensions (Tasks)
13. Managing Zones in Trusted Extensions
Global Zone Processes and Labeled Zones
Primary and Secondary Labeled Zones
Zone Administration Utilities in Trusted Extensions
How to Display Ready or Running Zones
How to Display the Labels of Mounted Files
How to Loopback Mount a File That Is Usually Not Visible in a Labeled Zone
How to Disable the Mounting of Lower-Level Files
How to Share a ZFS Dataset From a Labeled Zone
How to Enable Files to Be Relabeled From a Labeled Zone
14. Managing and Mounting Files in Trusted Extensions
15. Trusted Networking (Overview)
16. Managing Networks in Trusted Extensions (Tasks)
17. Trusted Extensions and LDAP (Overview)
18. Multilevel Mail in Trusted Extensions (Overview)
19. Managing Labeled Printing (Tasks)
20. Devices in Trusted Extensions (Overview)
21. Managing Devices for Trusted Extensions (Tasks)
22. Trusted Extensions Auditing (Overview)
23. Software Management in Trusted Extensions
Creating and Managing a Security Policy
Site Security Policy and Trusted Extensions
Computer Security Recommendations
Physical Security Recommendations
Personnel Security Recommendations
Additional Security References
B. Configuration Checklist for Trusted Extensions
Checklist for Configuring Trusted Extensions
C. Quick Reference to Trusted Extensions Administration
Administrative Interfaces in Trusted Extensions
Oracle Solaris Interfaces Extended by Trusted Extensions
Tighter Security Defaults in Trusted Extensions
Limited Options in Trusted Extensions
D. List of Trusted Extensions Man Pages
Trusted Extensions Man Pages in Alphabetical Order
Oracle Solaris Man Pages That Are Modified by Trusted Extensions
A properly configured Trusted Extensions system consists of a global zone, which is the operating system instance, and one or more labeled non-global zones. During configuration, Trusted Extensions attaches a label to each zone, which creates labeled zones. The labels come from the label_encodings file. You can create one or more zones for each label, but are not required to. It is possible to have more labels than labeled zones on a system.
On a Trusted Extensions system, the global zone is solely an administrative zone. The labeled zones are for regular users. Users can work in a zone whose label is within the user's accreditation range.
On a Trusted Extensions system, all zones have a brand of labeled and all writable files and directories in a labeled zone are at the label of the zone. By default, a user can view files that are in a zone at a lower label than the user's current label. This configuration enables users to view their home directories at lower labels than the label of the current workspace. Although users can view files at a lower label, they cannot modify them. Users can only modify files from a process that has the same label as the file.
Each zone is a discrete ZFS file system. Every zone can have an associated IP address and security attributes. A zone can be configured with multilevel ports (MLPs). Also, a zone can be configured with a policy for Internet Control Message Protocol (ICMP) broadcasts, such as ping.
For information about sharing directories from a labeled zone and about mounting directories from labeled zones remotely, see Chapter 14, Managing and Mounting Files in Trusted Extensions and mlslabel Property and Mounting Single-Level File Systems.
Zones in Trusted Extensions are built on the Oracle Solaris Zones product. For reference, see Part II, Oracle Solaris Zones, in Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management.
Your initial setup team assigned IP addresses to the global zone and the labeled zones. They considered three types of configurations as described in Access to Labeled Zones and summarized as follows:
The system has one IP address for the global zone and all labeled zones.
This default configuration is useful on a system that uses DHCP software to obtain its IP address.
The system has one IP address for the global zone, and one IP address that is shared by all zones, including the global zone. Any zone can have a combination of a unique address and a shared address.
This configuration is useful on a networked system that regular users are going to log in to. It can also be used for a printer or an NFS server. This configuration conserves IP addresses.
The system has one IP address for the global zone, and each labeled zone has a unique IP address.
This configuration is useful for providing access to separate physical networks of single-level systems. Typically, each zone would have an IP address on a different physical network from the other labeled zones. Because this configuration is implemented with a single IP instance, the global zone controls the physical interfaces and manages global resources, such as the route table.
A fourth type of configuration for a non-global zone is available in Oracle Solaris, exclusive IP instances. In this configuration, a non-global zone is assigned its own IP instance and manages its own physical interfaces. Each zone operates as if it is a distinct system. For a description, see Zone Network Interfaces in Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management.
If you configure exclusive IP instances in Trusted Extensions, each labeled zone operates as if it is a distinct single-level system. The multilevel networking features of Trusted Extensions rely on features of a shared IP stack. This guide assumes that networking is controlled entirely by the global zone. Therefore, if your initial setup team has installed labeled zones with exclusive IP instances, you must provide or refer to site-specific documentation.
By default, a zone cannot send packets to and receive packets from any other zone. Multilevel ports (MLPs) enable particular services on a port to accept requests within a range of labels or from a set of labels. These privileged services can reply at the label of the request. For example, you might want to create a privileged web browser port that can listen at all labels, but whose replies are restricted by label. By default, labeled zones have no MLPs.
The range of labels or set of labels that constrains the packets that the MLP can accept is based on the zone's IP address. The IP address is assigned a security template by communicating Trusted Extensions systems. The label range or set of labels in the security template constrains the packets that the MLP can accept.
The constraints on MLPs for different IP address configurations are as follows:
On a system where the global zone has an IP address and each labeled zone has a unique IP address, an MLP for a particular service can be added to every zone. For example, the system could be configured so that the ssh service, over TCP port 22, is an MLP in the global zone and in every labeled zone.
In a typical configuration, the global zone is assigned one IP address and labeled zones share a second IP address with the global zone. When an MLP is added to a shared interface, the service packet is routed to the labeled zone where the MLP is defined. The packet is accepted only if the label range of the remote host template for the labeled zone includes the label of the packet. If the range is ADMIN_LOW to ADMIN_HIGH, then all packets are accepted. A narrower range would discard packets that are not within the range.
At most, one zone can define a particular port to be an MLP on a shared interface. In the preceding scenario, where the ssh port is configured as a shared MLP in a non-global zone, no other zone can receive ssh connections on the shared address. However, the global zone could define the ssh port as a private MLP for receipt of connections on its zone-specific address.
In the default configuration, where the global zone and the labeled zones share an IP address, an MLP for the ssh service could be added to one zone. If the MLP for ssh is added to the global zone, then no labeled zone can add an MLP for the ssh service. Similarly, if the MLP for the ssh service is added to a labeled zone, then the global zone cannot be configured with an ssh MLP.
For an example, see How to Create a Multilevel Port for a Zone.
Networks transmit broadcast messages and send ICMP packets to systems on the network. On a multilevel system, these transmissions could flood the system at every label. By default, the network policy for labeled zones requires that ICMP packets be received only at the matching label.