Trusted Extensions Configuration and Administration     Oracle Solaris 11.1 Information Library

Creating Centralized Home Directories in Trusted Extensions

In Trusted Extensions, users need access to their home directories at every label at which the users work. By default, home directories are created automatically by the automounter that is running in each zone. However, if you use an NFS server to centralize home directories, you must enable home directory access at every label for your users.

How to Create the Home Directory Server in Trusted Extensions

Before You Begin

You are in the root role in the global zone.

  1. Add Trusted Extensions software to the home directory server and configure its labeled zones.

    Because users require a home directory at every label that they can log in to, create a home directory server at every user label. For example, if you create a default configuration, you would create a home directory server for the PUBLIC label and a server for the INTERNAL label.

  2. For every labeled zone, follow the automount procedure in How to NFS Mount Files in a Labeled Zone. Then, return to this procedure.
  3. Verify that the home directories have been created.
    1. Log out of the home directory server.
    2. As a regular user, log in to the home directory server.
    3. In the login zone, open a terminal.
    4. In the terminal window, verify that the user's home directory exists.
    5. Create workspaces for every zone that the user can work in.
    6. In each zone, open a terminal window to verify that the user's home directory exists.
  4. Log out of the home directory server.

How to Enable Users to Access Their Remote Home Directories at Every Label by Logging In to Each NFS Server

In this procedure, you allow users to create a home directory at each label by letting them directly log in to each home directory server. After creating each home directory on the central server, users can access their home directories from any system.

Alternatively, you, as administrator, can create a mount point on each home directory server by running a script, then modifying the automounter. For this method, see How to Enable Users to Access Their Remote Home Directories by Configuring the Automounter on Each Server.

Before You Begin

The home directory servers for your Trusted Extensions domain are configured.

Next Steps

Users can log in at a different label from their default label by choosing a different label from the label builder during login.

How to Enable Users to Access Their Remote Home Directories by Configuring the Automounter on Each Server

In this procedure you run a script that creates a mount point for home directories on each NFS server. Then, you modify the auto_home entry at the label of the server to add the mount point. Then, users can log in.

Before You Begin

The home directory servers for your Trusted Extensions domain are configured as LDAP clients. User accounts have been created on the LDAP server by using the useradd command with the -S ldap option. You must be in the root role.

  1. Write a script that creates a home directory mount point for every user.

    The sample script makes the following assumptions:

    • The LDAP server is a different server from the NFS home directory server.

    • The client systems are also different systems.

    • The hostname entry specifies the external IP address of the zone, that is, the NFS home directory server for its label.

    • The script will be run on the NFS server in the zone that serves clients at that label.

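    #!/bin/sh
    # On Oracle Solaris 11, /bin/sh is ksh93, so the [[ ]] tests below are valid.
    hostname=$(hostname)
    scope=ldap
    
    # Replace spaces with underscores so that each passwd entry is one word.
    for j in $(getent passwd|tr ' ' _); do
        uid=$(echo "$j"|cut -d: -f3)
        # Skip accounts with a UID below 100.
        if [ "$uid" -ge 100 ]; then
            home=$(echo "$j"|cut -d: -f6)
            # Only accounts whose home directory is under /home are updated.
            if [[ $home == /home/* ]]; then
                user=$(echo "$j"|cut -d: -f1)
                echo "Updating home directory for $user"
                homedir=/export/home/$user
                # Point the account's home directory entry at this NFS server.
                usermod -md "${hostname}:$homedir" -S "$scope" "$user"
                # If a ZFS dataset is mounted at the home directory, share it over NFS.
                mp=$(mount -p|grep  " $homedir zfs" )
                dataset=$(echo $mp|cut -d" " -f1)
                if [[ -n $dataset ]]; then
                    zfs set sharenfs=on "$dataset"
                fi
            fi
        fi
    done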
  2. On each NFS server, run the preceding script in the labeled zone that serves clients at that label.
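
A dry-run companion to the sample script, added here as an example and not part of the Oracle documentation: it lists the accounts that the script would select and the ZFS dataset that it would share for each one, without calling usermod or zfs. The passwd and mount lines are constructed sample data, and nfs-public is a hypothetical server name.

```shell
#!/bin/sh
# Added example: dry-run preview for the sample script. Nothing is modified.
# Sample data is constructed; the mount lines follow the layout that the
# script's own grep/cut assume (dataset in field 1, mount point, then fstype).
SAMPLE_PASSWD='root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
jdoe:x:1001:10:Jane Doe:/home/jdoe:/usr/bin/bash
svcacct:x:1002:10:Batch jobs:/var/svc:/usr/bin/false
rroe:x:1003:10:Richard Roe:/home/rroe:/usr/bin/bash'
SAMPLE_MOUNTS='rpool/export/home/jdoe - /export/home/jdoe zfs - no rw,devices
rpool/export/home/jdoe2 - /export/home/jdoe2 zfs - no rw,devices
/dev/dsk/c0t1d0s7 - /export/home/rroe ufs - no rw'

# Print "user uid" for each passwd line (stdin) that the script would select:
# numeric UID of 100 or more and a home directory that starts with /home/.
select_home_users() {
    awk -F: '$3 ~ /^[0-9]+$/ && $3 >= 100 && index($6, "/home/") == 1 { print $1, $3 }'
}

# Print the ZFS dataset mounted exactly at $1, reading mount lines on stdin.
# Whole-field comparison, so a user name is never interpreted as a pattern.
dataset_for_mountpoint() {
    awk -v mp="$1" '$3 == mp && $4 == "zfs" { print $1; exit }'
}

# preview PASSWD_TEXT MOUNT_TEXT NFS_HOST: one line per account to be changed.
preview() {
    printf '%s\n' "$1" | select_home_users | while read -r user uid; do
        homedir=/export/home/$user
        dataset=$(printf '%s\n' "$2" | dataset_for_mountpoint "$homedir")
        if [ -n "$dataset" ]; then
            echo "$user (uid $uid): home -> $3:$homedir, share $dataset"
        else
            echo "$user (uid $uid): home -> $3:$homedir, no ZFS dataset to share"
        fi
    done
}

# nfs-public is a hypothetical server name. On the NFS server itself, use:
#   preview "$(getent passwd)" "$(mount -p)" "$(hostname)"
preview "$SAMPLE_PASSWD" "$SAMPLE_MOUNTS" nfs-public
```

Reviewing this list before running the real script shows which account entries will be rewritten and which datasets will become NFS shares in that labeled zone.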