Trusted Extensions Configuration and Administration (Oracle Solaris 11.1 Information Library)

Results of Sharing and Mounting File Systems in Trusted Extensions

In Trusted Extensions, sharing files can ease administration and improve efficiency and speed, but MAC is always in force.

Sharing and Mounting Files in the Global Zone

Mounting files in the global zone is identical to mounting files in Oracle Solaris, subject to MAC policy. Files that are shared from the global zone are shared at the label of the file. Therefore, file systems from a global zone are not usefully shared with the global zones of other Trusted Extensions systems, because all files are shared at the label ADMIN_LOW. The files that the global zone usefully shares with other systems are multilevel datasets.

Files and directories in a single-level dataset that are shared over LOFS from the global zone are shared at ADMIN_LOW. For example, the /etc/passwd and /etc/shadow files from the global zone can be LOFS mounted into the labeled zones on the system. Because the files are ADMIN_LOW, they are visible and read-only in the labeled zones. Files and directories in multilevel datasets are shared at the label of the object.

The global zone can also share multilevel datasets over NFS. A client can request to mount the dataset when the NFS service is configured to use multilevel ports. The request succeeds when the client label is within the label range that is specified in the cipso template for the network interface that handles the client's NFS mount request.

Specifically, the behavior of global zones and mounted files is the following:

For more information on the viewing and relabeling of files on an NFS mount, see Mounting Multilevel Datasets From Another System.

Sharing and Mounting Files in a Labeled Zone

A labeled zone can share its files with other systems at the label of the zone. Therefore, file systems from a labeled zone can be shared with zones at the same label on other Trusted Extensions systems, and with untrusted systems that are assigned the same label as the zone. For information about the ZFS property that mediates these mounts, see mlslabel Property and Mounting Single-Level File Systems.

LOFS mounts from the global zone in a labeled zone are read-only for single-level datasets. For multilevel datasets, MAC policy is enforced per file and directory label, as described in No Privilege Overrides for MAC Read-Write Policy.

mlslabel Property and Mounting Single-Level File Systems

ZFS provides a security label attribute, mlslabel, that contains the label of the data in the dataset. The mlslabel property is inheritable. When a ZFS dataset has an explicit label, the dataset cannot be mounted on an Oracle Solaris system that is not configured with Trusted Extensions.

If the mlslabel property is undefined, it defaults to the string none, which indicates no label.

When you mount a ZFS dataset in a labeled zone, the following occurs:

To set the mlslabel property from the command line, type something similar to the following:

# zfs set mlslabel=public export/publicinfo

The file_upgrade_sl privilege is required to set an initial label or to change a non-default label to a higher-level label. The file_downgrade_sl privilege is required to remove a label, that is, to set the label to none. This privilege is also required to change a non-default label to a lower-level label.
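The label decisions described above, that is, the MAC outcome for single-level and multilevel files mounted from the global zone, the cipso template range check for a multilevel-port NFS mount, and the privilege rule for changing mlslabel, as an added Python model. This is example code written for this page, not Oracle's implementation or any Trusted Extensions interface: labels are simplified to a classification rank plus a compartment set, the site labels PUBLIC, INTERNAL and RESTRICTED A and the template range are constructed, the read-down/write-at-equal-label rule is the model's assumption of the MAC policy the text refers to, and the page says nothing about changes between incomparable labels, so the model rejects them.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Label:
    """Simplified Trusted Extensions label: a classification rank plus compartments.

    A model for illustration only; it is not the real label encoding.
    """
    classification: int
    compartments: FrozenSet[str] = field(default_factory=frozenset)
    name: str = ""

    def dominates(self, other: "Label") -> bool:
        """True when self is at least as sensitive as other.

        ADMIN_LOW is dominated by every label and ADMIN_HIGH dominates every
        label; ordinary labels compare by classification and compartment set.
        """
        if self.name == "ADMIN_HIGH" or other.name == "ADMIN_LOW":
            return True
        if other.name == "ADMIN_HIGH" or self.name == "ADMIN_LOW":
            return False
        return (self.classification >= other.classification
                and other.compartments <= self.compartments)


ADMIN_LOW = Label(0, frozenset(), "ADMIN_LOW")
ADMIN_HIGH = Label(0, frozenset(), "ADMIN_HIGH")

# Constructed site labels for the examples below (not taken from the page).
PUBLIC = Label(1, frozenset(), "PUBLIC")
INTERNAL = Label(2, frozenset(), "INTERNAL")
RESTRICTED_A = Label(3, frozenset({"A"}), "RESTRICTED A")


def file_access(subject: Label, obj: Label) -> str:
    """MAC outcome for a subject at one label touching an object at another.

    Assumed rule of the model: read down (subject dominates object), write only
    at an equal label. No privilege overrides this policy.
    """
    if subject == obj:
        return "read-write"
    if subject.dominates(obj):
        return "read-only"
    return "no access"


def lofs_single_level_access(zone_label: Label) -> str:
    """Single-level datasets shared over LOFS from the global zone are at
    ADMIN_LOW, so a labeled zone sees them read-only (e.g. /etc/passwd)."""
    return file_access(zone_label, ADMIN_LOW)


def nfs_mount_allowed(client_label: Label, template_range: Tuple[Label, Label]) -> bool:
    """A multilevel-port NFS mount request succeeds only when the client label
    lies within the label range of the cipso template on the serving interface."""
    low, high = template_range
    return client_label.dominates(low) and high.dominates(client_label)


def privilege_for_mlslabel_change(current: Optional[Label], new: Optional[Label]) -> str:
    """Privilege required for a zfs set mlslabel=... change; None models mlslabel=none."""
    if current == new:
        return "none needed"
    if current is None:
        return "file_upgrade_sl"       # setting an initial label
    if new is None:
        return "file_downgrade_sl"     # removing a label (mlslabel=none)
    if new.dominates(current):
        return "file_upgrade_sl"       # raising a non-default label
    if current.dominates(new):
        return "file_downgrade_sl"     # lowering a non-default label
    # Assumption of the model: the text gives no rule for incomparable labels.
    raise ValueError("incomparable labels: not covered by the rule in the text")


if __name__ == "__main__":
    interface_range = (PUBLIC, RESTRICTED_A)   # constructed cipso template range
    for client in (PUBLIC, INTERNAL, RESTRICTED_A, ADMIN_HIGH):
        print(f"NFS mount from {client.name}: {nfs_mount_allowed(client, interface_range)}")
    print("INTERNAL zone, LOFS single-level file:", lofs_single_level_access(INTERNAL))
    print("INTERNAL zone, RESTRICTED A file:", file_access(INTERNAL, RESTRICTED_A))
    print("PUBLIC -> INTERNAL needs:", privilege_for_mlslabel_change(PUBLIC, INTERNAL))
```

Run as a script, the block prints which constructed clients fall inside the template range (ADMIN_HIGH does not, because the range tops out at RESTRICTED A), shows the LOFS-mounted ADMIN_LOW file as read-only from a labeled zone, and reports which privilege each mlslabel transition needs.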