Solaris Trusted Extensions Administrator's Procedures

ProcedureHow to Enable Specific Users to Log In Remotely to the Global Zone in Trusted Extensions

The user's default label range and the zone's default behavior are changed to enable remote login by a non-role. You might want to complete this procedure for a tester who is using a remote labeled system. For security reasons, the tester's system should be running a disjoint label from other users.

Before You Begin

You must have a very good reason why this user can log in to the global zone.

You must be in the Security Administrator role in the global zone.

  1. To enable specific users to log in to the global zone, assign them an administrative label range.

    Use the Solaris Management Console to assign a clearance of ADMIN_HIGH and a minimum label of ADMIN_LOW to each user. For details, see How to Modify a User's Label Range in the Solaris Management Console.

    The user's labeled zones must also permit login.

  2. To enable remote login from a labeled zone into the global zone, do the following.

    1. Add a multilevel port for remote login to the global zone.

      Use the Solaris Management Console. Port 513 over the TCP protocol enables remote login. For an example, see How to Create a Multilevel Port for a Zone.

    2. Read the tnzonecfg changes into the kernel.


      # tnctl -fz /etc/security/tsol/tnzonecfg
      
    3. Restart the remote login service.


      # svcadm restart svc:/network/login:rlogin