JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Trusted Extensions Configuration and Administration     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

Part I Initial Configuration of Trusted Extensions

1.  Security Planning for Trusted Extensions

2.  Configuration Roadmap for Trusted Extensions

3.  Adding the Trusted Extensions Feature to Oracle Solaris (Tasks)

4.  Configuring Trusted Extensions (Tasks)

5.  Configuring LDAP for Trusted Extensions (Tasks)

Part II Administration of Trusted Extensions

6.  Trusted Extensions Administration Concepts

7.  Trusted Extensions Administration Tools

8.  Security Requirements on a Trusted Extensions System (Overview)

9.  Performing Common Tasks in Trusted Extensions

10.  Users, Rights, and Roles in Trusted Extensions (Overview)

11.  Managing Users, Rights, and Roles in Trusted Extensions (Tasks)

12.  Remote Administration in Trusted Extensions (Tasks)

13.  Managing Zones in Trusted Extensions

Zones in Trusted Extensions

Zones and IP Addresses in Trusted Extensions

Zones and Multilevel Ports

Zones and ICMP in Trusted Extensions

Global Zone Processes and Labeled Zones

Primary and Secondary Labeled Zones

Zone Administration Utilities in Trusted Extensions

Managing Zones (Task Map)

How to Display Ready or Running Zones

How to Display the Labels of Mounted Files

How to Loopback Mount a File That Is Usually Not Visible in a Labeled Zone

How to Disable the Mounting of Lower-Level Files

How to Share a ZFS Dataset From a Labeled Zone

How to Enable Files to Be Relabeled From a Labeled Zone

14.  Managing and Mounting Files in Trusted Extensions

15.  Trusted Networking (Overview)

16.  Managing Networks in Trusted Extensions (Tasks)

17.  Trusted Extensions and LDAP (Overview)

18.  Multilevel Mail in Trusted Extensions (Overview)

19.  Managing Labeled Printing (Tasks)

20.  Devices in Trusted Extensions (Overview)

21.  Managing Devices for Trusted Extensions (Tasks)

22.  Trusted Extensions Auditing (Overview)

23.  Software Management in Trusted Extensions

A.  Site Security Policy

Creating and Managing a Security Policy

Site Security Policy and Trusted Extensions

Computer Security Recommendations

Physical Security Recommendations

Personnel Security Recommendations

Common Security Violations

Additional Security References

B.  Configuration Checklist for Trusted Extensions

Checklist for Configuring Trusted Extensions

C.  Quick Reference to Trusted Extensions Administration

Administrative Interfaces in Trusted Extensions

Oracle Solaris Interfaces Extended by Trusted Extensions

Tighter Security Defaults in Trusted Extensions

Limited Options in Trusted Extensions

D.  List of Trusted Extensions Man Pages

Trusted Extensions Man Pages in Alphabetical Order

Oracle Solaris Man Pages That Are Modified by Trusted Extensions

Glossary

Index

Managing Zones (Task Map)

The following task map describes zone management tasks that are specific to Trusted Extensions. The map also links to common procedures that are performed in Trusted Extensions just as they are performed on an Oracle Solaris system.

Task
Description
For Instructions
View all zones.
At any label, views the zones that are dominated by the current zone.
View mounted directories.
At any label, views the directories that are dominated by the current label.
Enable regular users to view an /etc file.
Loopback mounts a directory or file from the global zone that is not visible by default in a labeled zone.
Prevent regular users from viewing a lower-level home directory from a higher label.
By default, lower-level directories are visible from higher-level zones. When you disable the mounting of one lower-level zone, you disable all mounts of lower-level zones.
Create a multilevel dataset for the changing of the labels on files.
Enables the relabeling of files in one ZFS dataset, no privilege required.
Configure a zone to enable the changing of the labels on files.
By default, labeled zones do not have the privilege that enables an authorized user to relabel a file. You modify the zone configuration to add the privilege.
Attach a ZFS dataset to a labeled zone and share it.
Mounts a ZFS dataset with read/write permissions in a labeled zone and shares the dataset read-only with a higher zone.
Configure a new primary zone.
Creates a zone at a label that is not currently being used to label a zone on this system.
Configure a secondary zone.
Creates a zone for isolating services that do not require a desktop.
Create a multilevel port for an application.
Multilevel ports are useful for programs that require a multilevel feed into a labeled zone.
Troubleshoot NFS mount and access problems.
Debugs general access issues for mounts and possibly for zones.
Remove a labeled zone.
Completely removes a labeled zone from the system.

How to Display Ready or Running Zones

Before You Begin

You must be in the System Administrator role in the global zone.

  1. Run the txzonemgr & command.

    The zone names, their status, and their labels are displayed in a GUI.

  2. Or, use the zoneadm list -v command
    # zoneadm list -v
    ID NAME       STATUS     PATH              BRAND       IP 
     0 global     running    /                 ipkg        shared
     5 internal   running    /zone/internal    labeled     shared
     6 public     running    /zone/public      labeled     shared

    The output does not list the labels of the zones.

How to Display the Labels of Mounted Files

This procedure creates a shell script that displays the mounted file systems of the current zone. When run from the global zone, the script displays the labels of all mounted file systems in every zone.

Before You Begin

You must be in the System Administrator role in the global zone.

  1. In an editor, create the getmounts script.

    Provide the pathname to the script, such as /usr/local/scripts/getmounts.

  2. Add the following content and save the file:
    #!/bin/sh
    #
    for i in `/usr/sbin/mount -p | cut -d " " -f3` ; do
            /usr/bin/getlabel $i
    done
  3. Test the script in the global zone.
    # /usr/local/scripts/getmounts
    /:      ADMIN_HIGH
    /dev:   ADMIN_HIGH
    /system/contract:        ADMIN_HIGH
    /proc:                   ADMIN_HIGH
    /system/volatile:        ADMIN_HIGH
    /system/object:          ADMIN_HIGH
    /lib/libc.so.1:          ADMIN_HIGH
    /dev/fd:        ADMIN_HIGH
    /tmp:           ADMIN_HIGH
    /etc/mnttab:    ADMIN_HIGH
    /export:        ADMIN_HIGH
    /export/home:   ADMIN_HIGH
    /export/home/jdoe:   ADMIN_HIGH
    /zone/public:        ADMIN_HIGH
    /rpool:              ADMIN_HIGH
    /zone:               ADMIN_HIGH
    /home/jdoe:          ADMIN_HIGH
    /zone/public:        ADMIN_HIGH
    /zone/snapshot:      ADMIN_HIGH
    /zone/internal:      ADMIN_HIGH
    ...

Example 13-1 Displaying the Labels of File Systems in the restricted Zone

When run from a labeled zone by a regular user, the getmounts script displays the labels of all the mounted file systems in that zone. On a system where zones are created for every label in the default label_encodings file, the following is sample output from the restricted zone:

# /usr/local/scripts/getmounts
/:      CONFIDENTIAL : RESTRICTED
/dev:   CONFIDENTIAL : RESTRICTED
/kernel:        ADMIN_LOW
/lib:   ADMIN_LOW
/opt:   ADMIN_LOW
/platform:      ADMIN_LOW
/sbin:  ADMIN_LOW
/usr:   ADMIN_LOW
/var/tsol/doors:        ADMIN_LOW
/zone/needtoknow/export/home:   CONFIDENTIAL : NEED TO KNOW
/zone/internal/export/home:     CONFIDENTIAL : INTERNAL USE ONLY
/proc:  CONFIDENTIAL : RESTRICTED
/system/contract:       CONFIDENTIAL : RESTRICTED
/etc/svc/volatile:      CONFIDENTIAL : RESTRICTED
/etc/mnttab:    CONFIDENTIAL : RESTRICTED
/dev/fd:        CONFIDENTIAL : RESTRICTED
/tmp:   CONFIDENTIAL : RESTRICTED
/var/run:       CONFIDENTIAL : RESTRICTED
/zone/public/export/home:       PUBLIC
/home/jdoe:   CONFIDENTIAL : RESTRICTED

How to Loopback Mount a File That Is Usually Not Visible in a Labeled Zone

This procedure enables a user in a specified labeled zone to view files that are not exported from the global zone by default.

Before You Begin

You must be in the System Administrator role in the global zone.

  1. Halt the zone whose configuration you want to change.
    # zoneadm -z zone-name halt
  2. Loopback mount a file or directory.

    For example, enable ordinary users to view a file in the /etc directory.

    # zonecfg -z zone-name
     add filesystem
     set special=/etc/filename
     set directory=/etc/filename
     set type=lofs
     add options [ro,nodevices,nosetuid]
     end
     exit
  3. Start the zone.
    # zoneadm -z zone-name boot

Example 13-2 Loopback Mounting the /etc/passwd file

In this example, the security administrator wants to enable testers and programmers to check that their local passwords are set. After the sandbox zone is halted, it is configured to loopback mount the passwd file. Then, the zone is restarted.

# zoneadm -z sandbox halt
# zonecfg -z sandbox
 add filesystem
    set special=/etc/passwd
    set directory=/etc/passwd
    set type=lofs
    add options [ro,nodevices,nosetuid]
 end
 exit
# zoneadm -z sandbox boot

How to Disable the Mounting of Lower-Level Files

By default, users can view lower-level files. Remove the net_mac_aware privilege to prevent the viewing of all lower-level files from a particular zone. For a description of the net_mac_aware privilege, see the privileges(5) man page.

Before You Begin

You must be in the System Administrator role in the global zone.

  1. Halt the zone whose configuration you want to change.
    # zoneadm -z zone-name halt
  2. Configure the zone to prevent the viewing of lower-level files.

    Remove the net_mac_aware privilege from the zone.

    # zonecfg -z zone-name
     set limitpriv=default,!net_mac_aware
     exit
  3. Restart the zone.
    # zoneadm -z zone-name boot

Example 13-3 Preventing Users From Viewing Lower-Level Files

In this example, the security administrator wants to prevent users on one system from being confused. Therefore, users can only view files at the label at which the users are working. So, the security administrator prevents the viewing of all lower-level files. On this system, users cannot see publicly available files unless they are working at the PUBLIC label. Also, users can only NFS mount files at the label of the zones.

# zoneadm -z restricted halt
# zonecfg -z restricted
 set limitpriv=default,!net_mac_aware
 exit
# zoneadm -z restricted boot
# zoneadm -z needtoknow halt
# zonecfg -z needtoknow
 set limitpriv=default,!net_mac_aware
 exit
# zoneadm -z needtoknow boot
# zoneadm -z internal halt
# zonecfg -z internal
 set limitpriv=default,!net_mac_aware
 exit
# zoneadm -z internal boot

Because PUBLIC is the lowest label, the security administrator does not run the commands for the PUBLIC zone.

How to Share a ZFS Dataset From a Labeled Zone

In this procedure, you mount a ZFS dataset with read/write permissions in a labeled zone. Because all commands are executed in the global zone, the global zone administrator controls the addition of ZFS datasets to labeled zones.

At a minimum, the labeled zone must be in the ready state to share a dataset. The zone can be in the running state.

Before You Begin

To configure the zone with the dataset, you must first halt the zone. You must be in the root role in the global zone.

  1. Create the ZFS dataset.
    # zfs create datasetdir/subdir

    The name of the dataset can include a directory, such as zone/data.

  2. In the global zone, halt the labeled zone.
    # zoneadm -z labeled-zone-name halt
  3. Set the mount point of the dataset.
    # zfs set mountpoint=legacy datasetdir/subdir

    Setting the ZFS mountpoint property sets the label of the mount point when the mount point corresponds to a labeled zone.

  4. Enable the dataset to be shared.
    # zfs set sharenfs=on datasetdir/subdir
  5. Add the dataset to the zone as a file system.
    # zonecfg -z labeled-zone-name
    # zonecfg:labeled-zone-name> add fs
    # zonecfg:labeled-zone-name:dataset> set dir=/subdir
    # zonecfg:labeled-zone-name:dataset> set special=datasetdir/subdir
    # zonecfg:labeled-zone-name:dataset> set type=zfs
    # zonecfg:labeled-zone-name:dataset> end
    # zonecfg:labeled-zone-name> exit

    By adding the dataset as a file system, the dataset is mounted at /data in the zone. This step ensures that the dataset is not mounted before the zone is booted.

  6. Boot the labeled zone.
    # zoneadm -z labeled-zone-name boot

    When the zone is booted, the dataset is mounted automatically as a read/write mount point in the labeled-zone-name zone with the label of the labeled-zone-name zone.

Example 13-4 Sharing and Mounting a ZFS Dataset From Labeled Zones

In this example, the administrator adds a ZFS dataset to the needtoknow zone and shares the dataset. The dataset, zone/data, is currently assigned to the /mnt mount point. Users in the restricted zone can view the dataset.

First, the administrator halts the zone.

# zoneadm -z needtoknow halt

Because the dataset is currently assigned to a different mount point, the administrator removes the previous assignment, then sets the new mount point.

# zfs set zoned=off zone/data
# zfs set mountpoint=legacy zone/data

Then, the administrator shares the dataset.

# zfs set sharenfs=on zone/data

Next, in the zonecfg interactive interface, the administrator explicitly adds the dataset to the needtoknow zone.

# zonecfg -z needtoknow
# zonecfg:needtoknow> add fs
# zonecfg:needtoknow:dataset> set dir=/data
# zonecfg:needtoknow:dataset> set special=zone/data
# zonecfg:needtoknow:dataset> set type=zfs
# zonecfg:needtoknow:dataset> end
# zonecfg:needtoknow> exit

Next, the administrator boots the needtoknow zone.

# zoneadm -z needtoknow boot

The dataset is now accessible.

Users in the restricted zone, which dominates the needtoknow zone, can view the mounted dataset by changing to the /data directory. They use the full path to the mounted dataset from the perspective of the global zone. In this example, machine1 is the host name of the system that includes the labeled zone. The administrator assigned this host name to a non-shared IP address.

# cd /net/machine1/zone/needtoknow/root/data

Troubleshooting

If the attempt to reach the dataset from the higher label returns the error not found or No such file or directory, the administrator must restart the automounter service by running the svcadm restart autofs command.

How to Enable Files to Be Relabeled From a Labeled Zone

This procedure is a prerequisite for a user to be able to relabel files.

Before You Begin

The zone you plan to configure must be halted. You must be in the Security Administrator role in the global zone.

  1. Open the Labeled Zone Manager.
    # /usr/sbin/txzonemgr &
  2. Configure the zone to enable relabeling.
    1. Double-click the zone.
    2. From the list, select Permit Relabeling.
  3. Select Boot to restart the zone.
  4. Click Cancel to return to the zone list.

    For the user and process requirements that permit relabeling, see the setflabel(3TSOL) man page. To authorize a user to relabel files, see How to Enable a User to Change the Security Level of Data.

Example 13-5 Permitting Downgrades Only From the internal Zone

In this example, the security administrator uses the zonecfg command to enable the downgrading of information but not the upgrading of information from the CNF: INTERNAL USE ONLY zone.

# zonecfg -z internal set limitpriv=default,file_downgrade_sl

Example 13-6 Preventing Downgrades From the internal Zone

In this example, the security administrator wants to prevent the downgrade of CNF: INTERNAL USE ONLY files on a system that previously was used to downgrade files.

The administrator uses the Labeled Zone Manager to halt the internal zone, then selects Deny Relabeling from the internal zone menu.