Trusted Extensions Configuration and Administration     Oracle Solaris 11.1 Information Library

Creating Labeled Zones

The instructions in this section configure labeled zones. You can either create two labeled zones automatically or create zones manually.


Note - If you plan to use LDAP, go to Chapter 5, Configuring LDAP for Trusted Extensions (Tasks). You must configure LDAP before you create labeled zones.


Task: 1a. Create a default Trusted Extensions configuration.
Description: The txzonemgr -c command creates two labeled zones from the label_encodings file.
For Instructions: How to Create a Default Trusted Extensions System

Task: 1b. Create a default Trusted Extensions configuration by using a GUI.
Description: The txzonemgr script creates a GUI that presents the appropriate tasks as you configure your system.
For Instructions: How to Create Labeled Zones Interactively

Task: 1c. Manually step through zone creation.
Description: The txzonemgr script creates a GUI that presents the appropriate tasks as you configure your system.
For Instructions: How to Create Labeled Zones Interactively

Task: 2. Create a working labeled environment.
Description: In the default configuration, label two workspaces as PUBLIC and INTERNAL USE ONLY.
For Instructions: How to Assign Labels to Two Zone Workspaces

Task: 3. (Optional) Link to other systems on your network.
Description: Configure labeled zone network interfaces and connect the global zone and labeled zones to other systems.
For Instructions: Configuring the Network Interfaces in Trusted Extensions

How to Create a Default Trusted Extensions System

This procedure creates a working Trusted Extensions system with two labeled zones. Remote hosts have not been assigned to the system's security templates, so this system cannot communicate with any remote hosts.

Before You Begin

You have completed Log In to Trusted Extensions. You have assumed the root role.

  1. Open a terminal window in the fourth workspace.
  2. (Optional) Review the txzonemgr man page.
    # man txzonemgr
  3. Create a default configuration.
    # /usr/sbin/txzonemgr -c

    This command copies the Oracle Solaris OS and Trusted Extensions software to a zone, creates a snapshot of the zone, labels the original zone, then uses the snapshot to create a second labeled zone. The zones are booted.

    • The first labeled zone is based on the value of Default User Sensitivity Label in the label_encodings file.

    • The second labeled zone is based on the value of Default User Clearance in the label_encodings file.

    This step can take about 20 minutes. To install the zones, the script uses the root password from the global zone for the labeled zones.

Next Steps

To use your Trusted Extensions configuration, go to How to Assign Labels to Two Zone Workspaces.

How to Create Labeled Zones Interactively

You do not have to create a zone for every label in your label_encodings file, but you can. The administrative GUIs enumerate the labels that can have zones created for them on this system. In this procedure, you create two labeled zones. If you are using the Trusted Extensions label_encodings file, you create the default Trusted Extensions configuration.

Before You Begin

You have completed Log In to Trusted Extensions. You have assumed the root role.

You have not created a zone yet.

  1. Run the txzonemgr command without any options.
    # txzonemgr &

    The script opens the Labeled Zone Manager dialog box. This zenity dialog box prompts you for the appropriate tasks, depending on the current state of your configuration.

    To perform a task, select the menu item, then press the Return key or click OK. When you are prompted for text, type the text, then press the Return key or click OK.


    Tip - To view the current state of zone completion, click Return to Main Menu in the Labeled Zone Manager. Or, you can click the Cancel button.


  2. Install the zones by choosing one of the following methods:
    • To create two labeled zones, select public and internal zones from the dialog box.
      • The first labeled zone is based on the value of Default User Sensitivity Label in the label_encodings file.

      • The second labeled zone is based on the value of Default User Clearance in the label_encodings file.

      1. Answer the prompt to identify the system.

        If the public zone uses an exclusive IP stack, or if it has an IP address that is defined in DNS, use the hostname as defined in DNS. Otherwise, use the name of the system.

      2. Do not answer the prompt for a root password.

        The root password was set at system installation. The input to this prompt will fail.

      3. At the zone login prompt, type your user login and password.

        Then, verify that all services are configured by running the svcs -x command. If no messages display, all services are configured.

      4. Log out of the zone and close the window.

        Type exit at the prompt, and choose Close window from the Zone Console.

        In another window, the installation of the second zone completes. This zone is built from a snapshot, so it builds quickly.

      5. Log in to the second zone console and verify that all services are running.
        # svcs -x
        #

        If no messages display, all services are configured. The Labeled Zone Manager is visible.

      6. Double-click the internal zone in the Labeled Zone Manager.

        Select Reboot, then click the Cancel button to return to the main screen. All zones are running. The unlabeled snapshot is not running.

    • To manually create zones, select Main Menu, and then Create a Zone.

      Follow the prompts. The GUI steps you through zone creation.

      After the zone is created and booted, you can return to the global zone to create more zones. These zones are created from a snapshot.

Example 4-2 Creating Another Labeled Zone

In this example, the administrator creates a restricted zone from the default label_encodings file.

First, the administrator opens the txzonemgr script in interactive mode.

# txzonemgr &

Then, the administrator navigates to the global zone and creates a zone with the name restricted.

Create a new zone:restricted

Then, the administrator applies the correct label.

Select label:CNF : RESTRICTED

From the list, the administrator selects the Clone option and then selects snapshot as the template for the new zone.

After the restricted zone is available, the administrator clicks Boot to boot the second zone.

To enable access to the restricted zone, the administrator changes the Default User Clearance value in the label_encodings file to CNF RESTRICTED.
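The following script is an added example, not part of the Oracle documentation or of txzonemgr. It checks the end state that both How to Create a Default Trusted Extensions System and the interactive procedure above describe: the labeled zones are running, the unlabeled snapshot is installed but not running, and svcs -x is silent in each zone. It assumes the default zone names public, internal and snapshot, parses zoneadm list -cv output, and the sample output embedded in it is constructed.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation: a post-configuration check for
# the state the txzonemgr procedures above should leave behind. Every labeled zone
# is running, the unlabeled "snapshot" template is installed but not running, and
# "svcs -x" prints nothing inside each zone. Zone names assume the default
# label_encodings configuration (public, internal); adjust for a site-specific file.

EXPECTED_ZONES="public internal"   # labeled zones that must be running
TEMPLATE_ZONE="snapshot"           # unlabeled clone source; must not be running

# Read "zoneadm list -cv" output on stdin (NAME is column 2, STATUS column 3).
# Returns 0 only when every expected zone is running and the template is not.
check_zone_states() {
    zoneadm_out=$(cat)
    rc=0
    for z in $EXPECTED_ZONES; do
        state=$(printf '%s\n' "$zoneadm_out" | awk -v z="$z" '$2 == z { print $3 }')
        if [ "$state" != "running" ]; then
            echo "zone $z: expected running, found '${state:-missing}'" >&2
            rc=1
        fi
    done
    state=$(printf '%s\n' "$zoneadm_out" | awk -v z="$TEMPLATE_ZONE" '$2 == z { print $3 }')
    if [ "$state" = "running" ]; then
        echo "template zone $TEMPLATE_ZONE is running; it should stay halted" >&2
        rc=1
    fi
    return $rc
}

# Read "svcs -x" output on stdin. Silence means every service is configured;
# any text is a service in maintenance or otherwise failed, so return 1.
check_svcs_output() {
    out=$(cat)
    [ -z "$out" ]
}

# Constructed sample of "zoneadm list -cv" output after a default configuration.
SAMPLE_ZONEADM='  ID NAME      STATUS     PATH             BRAND    IP
   0 global    running    /                solaris  shared
   1 public    running    /zone/public     solaris  shared
   2 internal  running    /zone/internal   solaris  shared
   - snapshot  installed  /zone/snapshot   solaris  shared'

# On a Trusted Extensions system, run from the global zone as root:
#   zoneadm list -cv | check_zone_states
#   for z in $EXPECTED_ZONES; do zlogin "$z" svcs -x | check_svcs_output; done
# Stand-alone demonstration against the constructed sample:
printf '%s\n' "$SAMPLE_ZONEADM" | check_zone_states && echo "sample zone states OK"
```

If a site adds zones as in Example 4-2, extend EXPECTED_ZONES with the new zone name (for example, restricted) so the check covers it.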

How to Assign Labels to Two Zone Workspaces

This procedure creates two labeled workspaces and opens a labeled window in each labeled workspace. When this task is completed, you have a working, non-networked Trusted Extensions system.

Before You Begin

You have completed either How to Create a Default Trusted Extensions System or How to Create Labeled Zones Interactively.

You are the initial user.

  1. Create a PUBLIC workspace.

    The label of the PUBLIC workspace corresponds to the Default User Sensitivity Label.

    1. Switch to the second workspace.
    2. Right-click and select Change Workspace Label.
    3. Select PUBLIC and click OK.
  2. Provide your password at the prompt.

    You are in a PUBLIC workspace.

  3. Open a terminal window.

    The window is labeled PUBLIC.

  4. Create an INTERNAL USE ONLY workspace.

    If you are using a site-specific label_encodings file, you are creating a workspace from the value of Default User Clearance.

    1. Switch to the third workspace.
    2. Right-click and select Change Workspace Label.
    3. Select INTERNAL USE ONLY and click OK.
  5. Provide your password at the prompt.

    You are in an INTERNAL workspace.

  6. Open a terminal window.

    The window is labeled CONFIDENTIAL : INTERNAL USE ONLY.

    Your system is ready to use. You have two user workspaces and a role workspace. In this configuration, the labeled zones use the same IP address as the global zone to communicate with other systems. They can do so because, by default, they share the IP address as an all-zones interface.

Next Steps

If you plan to have your Trusted Extensions system communicate with other systems, go to Configuring the Network Interfaces in Trusted Extensions.