Managing Zones (Task Map)

The following task map describes zone management tasks that are specific to Trusted Extensions. The map also links to common procedures that are performed in Trusted Extensions just as they are performed on an Oracle Solaris system.

Task	Description	For Instructions
View all zones.	At any label, views the zones that are dominated by the current zone.	How to Display Ready or Running Zones
View mounted directories.	At any label, views the directories that are dominated by the current label.	How to Display the Labels of Mounted Files
Enable regular users to view an `/etc` file.	Loopback mounts a directory or file from the global zone that is not visible by default in a labeled zone.	How to Loopback Mount a File That Is Usually Not Visible in a Labeled Zone
Prevent regular users from viewing a lower-level home directory from a higher label.	By default, lower-level directories are visible from higher-level zones. When you disable the mounting of one lower-level zone, you disable all mounts of lower-level zones.	How to Disable the Mounting of Lower-Level Files
Create a multilevel dataset for the changing of the labels on files.	Enables the relabeling of files in one ZFS dataset, no privilege required.	How to Create and Share a Multilevel Dataset
Configure a zone to enable the changing of the labels on files.	By default, labeled zones do not have the privilege that enables an authorized user to relabel a file. You modify the zone configuration to add the privilege.	How to Enable Files to Be Relabeled From a Labeled Zone
Attach a ZFS dataset to a labeled zone and share it.	Mounts a ZFS dataset with read/write permissions in a labeled zone and shares the dataset read-only with a higher zone.	How to Share a ZFS Dataset From a Labeled Zone.
Configure a new primary zone.	Creates a zone at a label that is not currently being used to label a zone on this system.	See How to Create Labeled Zones Interactively.
Configure a secondary zone.	Creates a zone for isolating services that do not require a desktop.	How to Create a Secondary Labeled Zone.
Create a multilevel port for an application.	Multilevel ports are useful for programs that require a multilevel feed into a labeled zone.	How to Create a Multilevel Port for a Zone Example 16-19
Troubleshoot NFS mount and access problems.	Debugs general access issues for mounts and possibly for zones.	How to Troubleshoot Mount Failures in Trusted Extensions
Remove a labeled zone.	Completely removes a labeled zone from the system.	How to Remove a Non-Global Zone in Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management

How to Display Ready or Running Zones

Before You Begin

You must be in the System Administrator role in the global zone.

Run the txzonemgr & command.
The zone names, their status, and their labels are displayed in a GUI.

Or, use the zoneadm list -v command

# zoneadm list -v
ID NAME       STATUS     PATH              BRAND       IP 
 0 global     running    /                 ipkg        shared
 5 internal   running    /zone/internal    labeled     shared
 6 public     running    /zone/public      labeled     shared

The output does not list the labels of the zones.

How to Display the Labels of Mounted Files

This procedure creates a shell script that displays the mounted file systems of the current zone. When run from the global zone, the script displays the labels of all mounted file systems in every zone.

Before You Begin

You must be in the System Administrator role in the global zone.

In an editor, create the getmounts script.
Provide the pathname to the script, such as /usr/local/scripts/getmounts.

Add the following content and save the file:

#!/bin/sh
#
for i in `/usr/sbin/mount -p | cut -d " " -f3` ; do
        /usr/bin/getlabel $i
done

Test the script in the global zone.

# /usr/local/scripts/getmounts
/:      ADMIN_HIGH
/dev:   ADMIN_HIGH
/system/contract:        ADMIN_HIGH
/proc:                   ADMIN_HIGH
/system/volatile:        ADMIN_HIGH
/system/object:          ADMIN_HIGH
/lib/libc.so.1:          ADMIN_HIGH
/dev/fd:        ADMIN_HIGH
/tmp:           ADMIN_HIGH
/etc/mnttab:    ADMIN_HIGH
/export:        ADMIN_HIGH
/export/home:   ADMIN_HIGH
/export/home/jdoe:   ADMIN_HIGH
/zone/public:        ADMIN_HIGH
/rpool:              ADMIN_HIGH
/zone:               ADMIN_HIGH
/home/jdoe:          ADMIN_HIGH
/zone/public:        ADMIN_HIGH
/zone/snapshot:      ADMIN_HIGH
/zone/internal:      ADMIN_HIGH
...

Example 13-1 Displaying the Labels of File Systems in the restricted Zone

When run from a labeled zone by a regular user, the getmounts script displays the labels of all the mounted file systems in that zone. On a system where zones are created for every label in the default label_encodings file, the following is sample output from the restricted zone:

# /usr/local/scripts/getmounts
/:      CONFIDENTIAL : RESTRICTED
/dev:   CONFIDENTIAL : RESTRICTED
/kernel:        ADMIN_LOW
/lib:   ADMIN_LOW
/opt:   ADMIN_LOW
/platform:      ADMIN_LOW
/sbin:  ADMIN_LOW
/usr:   ADMIN_LOW
/var/tsol/doors:        ADMIN_LOW
/zone/needtoknow/export/home:   CONFIDENTIAL : NEED TO KNOW
/zone/internal/export/home:     CONFIDENTIAL : INTERNAL USE ONLY
/proc:  CONFIDENTIAL : RESTRICTED
/system/contract:       CONFIDENTIAL : RESTRICTED
/etc/svc/volatile:      CONFIDENTIAL : RESTRICTED
/etc/mnttab:    CONFIDENTIAL : RESTRICTED
/dev/fd:        CONFIDENTIAL : RESTRICTED
/tmp:   CONFIDENTIAL : RESTRICTED
/var/run:       CONFIDENTIAL : RESTRICTED
/zone/public/export/home:       PUBLIC
/home/jdoe:   CONFIDENTIAL : RESTRICTED

How to Loopback Mount a File That Is Usually Not Visible in a Labeled Zone

This procedure enables a user in a specified labeled zone to view files that are not exported from the global zone by default.

Before You Begin

You must be in the System Administrator role in the global zone.

Halt the zone whose configuration you want to change.
```
# zoneadm -z zone-name halt
```

Loopback mount a file or directory.

For example, enable ordinary users to view a file in the /etc directory.

# zonecfg -z zone-name
 add filesystem
 set special=/etc/filename
 set directory=/etc/filename
 set type=lofs
 add options [ro,nodevices,nosetuid]
 end
 exit

Start the zone.
```
# zoneadm -z zone-name boot
```

Example 13-2 Loopback Mounting the /etc/passwd file

In this example, the security administrator wants to enable testers and programmers to check that their local passwords are set. After the sandbox zone is halted, it is configured to loopback mount the passwd file. Then, the zone is restarted.

# zoneadm -z sandbox halt
# zonecfg -z sandbox
 add filesystem
    set special=/etc/passwd
    set directory=/etc/passwd
    set type=lofs
    add options [ro,nodevices,nosetuid]
 end
 exit
# zoneadm -z sandbox boot

How to Disable the Mounting of Lower-Level Files

By default, users can view lower-level files. Remove the net_mac_aware privilege to prevent the viewing of all lower-level files from a particular zone. For a description of the net_mac_aware privilege, see the privileges(5) man page.

Before You Begin

You must be in the System Administrator role in the global zone.

Halt the zone whose configuration you want to change.
```
# zoneadm -z zone-name halt
```
Configure the zone to prevent the viewing of lower-level files.
Remove the net_mac_aware privilege from the zone.
```
# zonecfg -z zone-name
 set limitpriv=default,!net_mac_aware
 exit
```
Restart the zone.
```
# zoneadm -z zone-name boot
```

Example 13-3 Preventing Users From Viewing Lower-Level Files

In this example, the security administrator wants to prevent users on one system from being confused. Therefore, users can only view files at the label at which the users are working. So, the security administrator prevents the viewing of all lower-level files. On this system, users cannot see publicly available files unless they are working at the PUBLIC label. Also, users can only NFS mount files at the label of the zones.

# zoneadm -z restricted halt
# zonecfg -z restricted
 set limitpriv=default,!net_mac_aware
 exit
# zoneadm -z restricted boot

# zoneadm -z needtoknow halt
# zonecfg -z needtoknow
 set limitpriv=default,!net_mac_aware
 exit
# zoneadm -z needtoknow boot

# zoneadm -z internal halt
# zonecfg -z internal
 set limitpriv=default,!net_mac_aware
 exit
# zoneadm -z internal boot

Because PUBLIC is the lowest label, the security administrator does not run the commands for the PUBLIC zone.

How to Share a ZFS Dataset From a Labeled Zone

In this procedure, you mount a ZFS dataset with read/write permissions in a labeled zone. Because all commands are executed in the global zone, the global zone administrator controls the addition of ZFS datasets to labeled zones.

At a minimum, the labeled zone must be in the ready state to share a dataset. The zone can be in the running state.

Before You Begin

To configure the zone with the dataset, you must first halt the zone. You must be in the root role in the global zone.

Create the ZFS dataset.
```
# zfs create datasetdir/subdir
```
The name of the dataset can include a directory, such as zone/data.
In the global zone, halt the labeled zone.
```
# zoneadm -z labeled-zone-name halt
```
Set the mount point of the dataset.
```
# zfs set mountpoint=legacy datasetdir/subdir
```
Setting the ZFS mountpoint property sets the label of the mount point when the mount point corresponds to a labeled zone.
Enable the dataset to be shared.
```
# zfs set sharenfs=on datasetdir/subdir
```

Add the dataset to the zone as a file system.

# zonecfg -z labeled-zone-name
# zonecfg:labeled-zone-name> add fs
# zonecfg:labeled-zone-name:dataset> set dir=/subdir
# zonecfg:labeled-zone-name:dataset> set special=datasetdir/subdir
# zonecfg:labeled-zone-name:dataset> set type=zfs
# zonecfg:labeled-zone-name:dataset> end
# zonecfg:labeled-zone-name> exit

By adding the dataset as a file system, the dataset is mounted at /data in the zone. This step ensures that the dataset is not mounted before the zone is booted.

Boot the labeled zone.
```
# zoneadm -z labeled-zone-name boot
```
When the zone is booted, the dataset is mounted automatically as a read/write mount point in the labeled-zone-name zone with the label of the labeled-zone-name zone.

Example 13-4 Sharing and Mounting a ZFS Dataset From Labeled Zones

In this example, the administrator adds a ZFS dataset to the needtoknow zone and shares the dataset. The dataset, zone/data, is currently assigned to the /mnt mount point. Users in the restricted zone can view the dataset.

First, the administrator halts the zone.

# zoneadm -z needtoknow halt

Because the dataset is currently assigned to a different mount point, the administrator removes the previous assignment, then sets the new mount point.

# zfs set zoned=off zone/data
# zfs set mountpoint=legacy zone/data

Then, the administrator shares the dataset.

# zfs set sharenfs=on zone/data

Next, in the zonecfg interactive interface, the administrator explicitly adds the dataset to the needtoknow zone.

# zonecfg -z needtoknow
# zonecfg:needtoknow> add fs
# zonecfg:needtoknow:dataset> set dir=/data
# zonecfg:needtoknow:dataset> set special=zone/data
# zonecfg:needtoknow:dataset> set type=zfs
# zonecfg:needtoknow:dataset> end
# zonecfg:needtoknow> exit

Next, the administrator boots the needtoknow zone.

# zoneadm -z needtoknow boot

The dataset is now accessible.

Users in the restricted zone, which dominates the needtoknow zone, can view the mounted dataset by changing to the /data directory. They use the full path to the mounted dataset from the perspective of the global zone. In this example, machine1 is the host name of the system that includes the labeled zone. The administrator assigned this host name to a non-shared IP address.

# cd /net/machine1/zone/needtoknow/root/data

Troubleshooting

If the attempt to reach the dataset from the higher label returns the error not found or No such file or directory, the administrator must restart the automounter service by running the svcadm restart autofs command.

How to Enable Files to Be Relabeled From a Labeled Zone

This procedure is a prerequisite for a user to be able to relabel files.

Before You Begin

The zone you plan to configure must be halted. You must be in the Security Administrator role in the global zone.

Open the Labeled Zone Manager.
```
# /usr/sbin/txzonemgr &
```
Configure the zone to enable relabeling.
1. Double-click the zone.
2. From the list, select Permit Relabeling.
Select Boot to restart the zone.
Click Cancel to return to the zone list.
For the user and process requirements that permit relabeling, see the setflabel(3TSOL) man page. To authorize a user to relabel files, see How to Enable a User to Change the Security Level of Data.

Example 13-5 Permitting Downgrades Only From the internal Zone

In this example, the security administrator uses the zonecfg command to enable the downgrading of information but not the upgrading of information from the CNF: INTERNAL USE ONLY zone.

# zonecfg -z internal set limitpriv=default,file_downgrade_sl

Example 13-6 Preventing Downgrades From the internal Zone

In this example, the security administrator wants to prevent the downgrade of CNF: INTERNAL USE ONLY files on a system that previously was used to downgrade files.

The administrator uses the Labeled Zone Manager to halt the internal zone, then selects Deny Relabeling from the internal zone menu.

Skip Navigation Links
Exit Print View
	Trusted Extensions Configuration and Administration Oracle Solaris 11.1 Information Library