Oracle Solaris Trusted Extensions Configuration Guide

Procedure: Name and Label the Zone

You do not have to create a zone for every label in your label_encodings file, but you can. The administrative GUIs enumerate the labels that can have zones created for them on this system.

Before You Begin

You are superuser in the global zone. The Labeled Zone Manager dialog box is displayed. To open this GUI, see Run the txzonemgr Script. You have configured the network interfaces in the global zone.

You have created any security templates that you need. A security template defines, among other attributes, the label range that can be assigned to a network interface. The default security templates might satisfy your needs.

  1. In the Labeled Zone Manager, select Create a new zone and click OK.

    You are prompted for a name.

    1. Type the name for the zone.


      Tip –

      Give the zone a name that is similar to the zone's label. For example, the name of a zone whose label is CONFIDENTIAL: RESTRICTED would be restricted.


      For example, the default label_encodings file contains the following labels:


      PUBLIC
      CONFIDENTIAL: INTERNAL USE ONLY
      CONFIDENTIAL: NEED TO KNOW
      CONFIDENTIAL: RESTRICTED
      SANDBOX: PLAYGROUND
      MAX LABEL

      Although you could create one zone per label, consider creating the following zones:

      • On a system for all users, create one zone for the PUBLIC label and three zones for the CONFIDENTIAL labels.

      • On a system for developers, create a zone for the SANDBOX: PLAYGROUND label. Because SANDBOX: PLAYGROUND is defined as a disjoint label for developers, only systems that developers use need a zone for this label.

      • Do not create a zone for the MAX LABEL label, which is defined to be a clearance.

    2. Click OK.

      The dialog box displays zone-name:configured above a list of tasks.

  2. To label the zone, choose one of the following:

    • If you are using a customized label_encodings file, label the zone by using the Trusted Network Zones tool.

      1. Open the Trusted Network Zones tool in the Solaris Management Console.

        1. Start the Solaris Management Console.


          # /usr/sbin/smc &
          
        2. Open the Trusted Extensions toolbox for the local system.

          1. Choose Console -> Open Toolbox.

          2. Select the toolbox that is named This Computer (this-host: Scope=Files, Policy=TSOL).

          3. Click Open.

        3. Under System Configuration, navigate to Computers and Networks.

          Provide a password when prompted.

        4. Double-click the Trusted Network Zones tool.

      2. For each zone, associate the appropriate label with the zone name.

        1. Choose Action -> Add Zone Configuration.

          The dialog box displays the name of a zone that does not have an assigned label.

        2. Look at the zone name, then click Edit.

        3. In the Label Builder, click the appropriate label for the zone name.

          If you click the wrong label, click the label again to deselect it, then click the correct label.

        4. Save the assignment.

          Click OK in the Label Builder, then click OK in the Trusted Network Zones Properties dialog box.

        You are finished when every zone that you want is listed in the panel, or the Add Zone Configuration menu item opens a dialog box that does not have a value for Zone Name.

    • If you are using the default label_encodings file, use the Labeled Zone Manager.

      Select the Select Label menu item and click OK to display the list of available labels.

      1. Select the label for the zone.

        For a zone that is named public, you would select the label PUBLIC from the list.

      2. Click OK.

        A list of tasks is displayed.