| Skip Navigation Links | |
| Exit Print View | |
|
Trusted Extensions Configuration and Administration Oracle Solaris 11.1 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Trusted Extensions Configuration and Administration Oracle Solaris 11.1 Information Library |
Part I Initial Configuration of Trusted Extensions
1. Security Planning for Trusted Extensions
2. Configuration Roadmap for Trusted Extensions
3. Adding the Trusted Extensions Feature to Oracle Solaris (Tasks)
4. Configuring Trusted Extensions (Tasks)
Setting Up the Global Zone in Trusted Extensions
How to Check and Install Your Label Encodings File
How to Configure an IPv6 CIPSO Network in Trusted Extensions
How to Configure a Different Domain of Interpretation
How to Create a Default Trusted Extensions System
How to Create Labeled Zones Interactively
How to Assign Labels to Two Zone Workspaces
Configuring the Network Interfaces in Trusted Extensions
How to Share a Single IP Address With All Zones
How to Add an IP Instance to a Labeled Zone
How to Add a Virtual Network Interface to a Labeled Zone
How to Connect a Trusted Extensions System to Other Trusted Extensions Systems
How to Configure a Separate Name Service for Each Labeled Zone
Creating Roles and Users in Trusted Extensions
How to Create the Security Administrator Role in Trusted Extensions
How to Create a System Administrator Role
How to Create Users Who Can Assume Roles in Trusted Extensions
How to Verify That the Trusted Extensions Roles Work
How to Enable Users to Log In to a Labeled Zone
Creating Centralized Home Directories in Trusted Extensions
How to Create the Home Directory Server in Trusted Extensions
Troubleshooting Your Trusted Extensions Configuration
How to Move Desktop Panels to the Bottom of the Screen
Additional Trusted Extensions Configuration Tasks
How to Create a Secondary Labeled Zone
How to Create and Share a Multilevel Dataset
How to Copy Files to Portable Media in Trusted Extensions
How to Copy Files From Portable Media in Trusted Extensions
How to Remove Trusted Extensions From the System
5. Configuring LDAP for Trusted Extensions (Tasks)
Part II Administration of Trusted Extensions
6. Trusted Extensions Administration Concepts
7. Trusted Extensions Administration Tools
8. Security Requirements on a Trusted Extensions System (Overview)
9. Performing Common Tasks in Trusted Extensions
10. Users, Rights, and Roles in Trusted Extensions (Overview)
11. Managing Users, Rights, and Roles in Trusted Extensions (Tasks)
12. Remote Administration in Trusted Extensions (Tasks)
13. Managing Zones in Trusted Extensions
14. Managing and Mounting Files in Trusted Extensions
15. Trusted Networking (Overview)
16. Managing Networks in Trusted Extensions (Tasks)
17. Trusted Extensions and LDAP (Overview)
18. Multilevel Mail in Trusted Extensions (Overview)
19. Managing Labeled Printing (Tasks)
20. Devices in Trusted Extensions (Overview)
21. Managing Devices for Trusted Extensions (Tasks)
22. Trusted Extensions Auditing (Overview)
23. Software Management in Trusted Extensions
Creating and Managing a Security Policy
Site Security Policy and Trusted Extensions
Computer Security Recommendations
Physical Security Recommendations
Personnel Security Recommendations
Additional Security References
B. Configuration Checklist for Trusted Extensions
Checklist for Configuring Trusted Extensions
C. Quick Reference to Trusted Extensions Administration
Administrative Interfaces in Trusted Extensions
Oracle Solaris Interfaces Extended by Trusted Extensions
Tighter Security Defaults in Trusted Extensions
Limited Options in Trusted Extensions
D. List of Trusted Extensions Man Pages
Trusted Extensions Man Pages in Alphabetical Order
Oracle Solaris Man Pages That Are Modified by Trusted Extensions
In Trusted Extensions, users need access to their home directories at every label at which the users work. By default, home directories are created automatically by the automounter that is running in each zone. However, if you use an NFS server to centralize home directories, you must enable home directory access at every label for your users.
Before You Begin
You are in the root role in the global zone.
Because users require a home directory at every label that they they can log in to, create a home directory server at every user label. For example, if you create a default configuration, you would create a home directory server for the PUBLIC label and a server for the INTERNAL label.
In this procedure, you allow users to create a home directory at each label by letting them directly log in to each home directory server. After creating each home directory on the central server, users can access their home directories from any system.
Alternatively, you, as administrator, can create a mount point on each home directory server by running a script, then modifying the automounter. For this method, see How to Enable Users to Access Their Remote Home Directories by Configuring the Automounter on Each Server.
Before You Begin
The home directory servers for your Trusted Extensions domain are configured.
Typically, you have created one NFS server per label.
A home directory for the user is available at the label of the server when the login is successful.
The home directory for their default label is available from the home directory server. When a user changes the label of a session or adds a workspace at a different label, the user's home directory for that label is mounted.
Next Steps
Users can log in at a different label from their default label by choosing a different label from the label builder during login.
In this procedure you run a script that creates a mount point for home directories on each NFS server. Then, you modify the auto_home entry at the label of the server to add the mount point. Then, users can log in.
Before You Begin
The home directory servers for your Trusted Extensions domain are configured as LDAP clients. User accounts have been created on the LDAP server by using the useradd command with the -S ldap option. You must be in the root role.
The sample script makes the following assumptions:
The LDAP server is a different server from the NFS home directory server.
The client systems are also different systems.
The hostname entry specifies the external IP address of the zone, that is, the NFS home directory server for its label.
The script will be run on the NFS server in the zone that serves clients at that label.
#!/bin/sh
hostname=$(hostname)
scope=ldap
for j in $(getent passwd|tr ' ' _); do
uid=$(echo $j|cut -d: -f3)
if [ $uid -ge 100 ]; then
home=$(echo $j|cut -d: -f6)
if [[ $home == /home/* ]]; then
user=$(echo $j|cut -d: -f1)
echo Updating home directory for $user
homedir=/export/home/$user
usermod -md ${hostname}:$homedir -S $scope $user
mp=$(mount -p|grep " $homedir zfs" )
dataset=$(echo $mp|cut -d" " -f1)
if [[ -n $dataset ]]; then
zfs set sharenfs=on $dataset
fi
fi
fi
done
|