Chapter 4 Configuring Trusted Extensions (Tasks)

This chapter covers how to configure Trusted Extensions on a system with a monitor. To work properly, Trusted Extensions software requires configuration of the following: labels, zones, the network, users who can assume roles, roles, and tools.

• Setting Up the Global Zone in Trusted Extensions

• Creating Labeled Zones

• (Optional) Adding Network Interfaces and Routing to Labeled Zones

• Creating Roles and Users in Trusted Extensions

• Creating Home Directories in Trusted Extensions

• Adding Users and Hosts to an Existing Trusted Network

• Troubleshooting Your Trusted Extensions Configuration

• Additional Trusted Extensions Configuration Tasks

For other configuration tasks, see Oracle Solaris Trusted Extensions Administrator’s Procedures.

Setting Up the Global Zone in Trusted Extensions

Before setting up the global zone, you must make decisions about your configuration. For the decisions, see Collecting Information and Making Decisions Before Enabling Trusted Extensions.

Check and Install Your Label Encodings File

Your encodings file must be compatible with any Trusted Extensions host with which you are communicating.

Trusted Extensions installs a default label_encodings file. This default file is useful for demonstrations. However, this file might not be a good choice for your use. If you plan to use the default file, you can skip this procedure.

• If you are familiar with encodings files, you can use the following procedure.

• If you are not familiar with encodings files, consult Oracle Solaris Trusted Extensions Label Administration for requirements, procedures, and examples.

You must successfully install labels before continuing, or the configuration will fail.

Before You Begin

You are the security administrator. The security administrator is responsible for editing, checking, and maintaining the label_encodings file. If you plan to edit the label_encodings file, make sure that the file itself is writable. For more information, see the label_encodings(4) man page.

1. Insert the media with the label_encodings file into the appropriate device.

2. Copy the label_encodings file to the disk.

3. Check the syntax of the file and make it the active label_encodings file.

   • In Trusted JDS, check and install the file from the command line.

     1. Open a terminal window.

     2. Run the chk_encodings command.

        # /usr/sbin/chk_encodings /full-pathname-of-label-encodings-file

     3. Read the output and do one of the following:

        • Resolve errors.

          If the command reports errors, the errors must be resolved before continuing. For assistance, see Chapter 3, Making a Label Encodings File (Tasks), in Oracle Solaris Trusted Extensions Label Administration

        • Make the file the active label_encodings file.

          # cp /full-pathname-of-label-encodings-file \ /etc/security/tsol/label.encodings.site # cd /etc/security/tsol # cp label_encodings label_encodings.tx.orig # cp label.encodings.site label_encodings

     ---

     Caution –

     Your label_encodings file must pass the chk_encodings test before you continue.

     ---

   • In Trusted CDE, use the Check Encodings action.

     1. Open the Trusted_Extensions folder.

        Click mouse button 3 on the background.

     2. From the Workspace menu, choose Applications -> Application Manager.

     3. Double-click the Trusted_Extensions folder icon.

        

     4. Double-click the Check Encodings action.

        In the dialog box, type the full path name to the file:

        /full-pathname-of-label-encodings-file

        The chk_encodings command is invoked to check the syntax of the file. The results are displayed in the Check Encodings dialog box.

     5. Read the contents of the Check Encodings dialog box and do one of the following:

        • Resolve errors.

          If the Check Encodings action reports errors, the errors must be resolved before continuing. For assistance, see Chapter 3, Making a Label Encodings File (Tasks), in Oracle Solaris Trusted Extensions Label Administration.

        • Click Yes to make the file the active label_encodings file.

          The Check Encodings action creates a backup copy of the original file, then installs the checked version in /etc/security/tsol/label_encodings. The action then restarts the label daemon.

   ---

   Caution –

   Your label_encodings file must pass the Check Encodings test before you continue.

   ---

4. Check the syntax of the file and make it the active label_encodings file.

   Use the command line.

   1. Open a terminal window.

   2. Run the chk_encodings command.

      # /usr/sbin/chk_encodings /full-pathname-of-label-encodings-file

   3. Read the output and do one of the following:

      • Resolve errors.

        If the command reports errors, the errors must be resolved before continuing. For assistance, see Chapter 3, Making a Label Encodings File (Tasks), in Oracle Solaris Trusted Extensions Label Administration

      • Make the file the active label_encodings file.

        # cp /full-pathname-of-label-encodings-file \ /etc/security/tsol/label.encodings.site # cd /etc/security/tsol # cp label_encodings label_encodings.tx.orig # cp label.encodings.site label_encodings

   ---

   Caution –

   Your label_encodings file must pass the Check Encodings test before you continue.

   ---

Example 4–1 Checking label_encodings Syntax on the Command Line

In this example, the administrator tests several label_encodings files by using the command line.

# /usr/sbin/chk_encodings /var/encodings/label_encodings1
No errors found in /var/encodings/label_encodings1
# /usr/sbin/chk_encodings /var/encodings/label_encodings2
No errors found in /var/encodings/label_encodings2

When management decides to use the label_encodings2 file, the administrator runs a semantic analysis of the file.

# /usr/sbin/chk_encodings -a /var/encodings/label_encodings2
No errors found in /var/encodings/label_encodings2

---> VERSION = MYCOMPANY LABEL ENCODINGS  2.0 10/10/2006

---> CLASSIFICATIONS <---

   Classification 1: PUBLIC
   Initial Compartment bits: 10
   Initial Markings bits: NONE

---> COMPARTMENTS AND MARKINGS USAGE ANALYSIS <---
...
---> SENSITIVITY LABEL to COLOR MAPPING <---
...

The administrator prints a copy of the semantic analysis for her records, then moves the file to the /etc/security/tsol directory.

# cp /var/encodings/label_encodings2 /etc/security/tsol/label.encodings.10.10.06
# cd /etc/security/tsol
# cp label_encodings label_encodings.tx.orig
# cp label.encodings.10.10.06 label_encodings

Finally, the administrator verifies that the label_encodings file is the company file.

# /usr/sbin/chk_encodings -a /etc/security/tsol/label_encodings | head -4
No errors found in /etc/security/tsol/label_encodings

---> VERSION = MYCOMPANY LABEL ENCODINGS  2.0 10/10/2006

Enable IPv6 Networking in Trusted Extensions

CIPSO options do not have an Internet Assigned Numbers Authority (IANA) number to use in the IPv6 Option Type field of a packet. The entry that you set in this procedure supplies a number to use on the local network until IANA assigns a number for this option. Trusted Extensions disables IPv6 networking if this number is not defined.

To enable an IPv6 network in Trusted Extensions, you must add an entry in the /etc/system file.

1. Type the following entry into the /etc/system file:

   set ip:ip6opt_ls = 0x0a

Troubleshooting

• If error messages during boot indicate that your IPv6 configuration is incorrect, correct the entry:

  • Check that the entry is spelled correctly.

  • Check that the system has been rebooted after adding the correct entry to the /etc/system file.

• If you install Trusted Extensions on a Solaris system that currently has IPv6 enabled, but you fail to add the IP entry in /etc/system, you see the following error message: t_optmgmt: System error: Cannot assign requested address time-stamp

• If you install Trusted Extensions on a Solaris system that does not have IPv6 enabled, and you fail to add the IP entry in /etc/system, you see the following types of error messages:

  • WARNING: IPv6 not enabled via /etc/system

  • Failed to configure IPv6 interface(s): hme0

  • rpcbind: Unable to join IPv6 multicast group for rpc broadcast broadcast-number

Configure the Domain of Interpretation

All communications to and from a system that is configured with Trusted Extensions must follow the labeling rules of a single CIPSO Domain of Interpretation (DOI). The DOI that is used in each message is identified by an integer number in the CIPSO IP Option header. By default, the DOI in Trusted Extensions is 1.

If your DOI is not 1, you must add an entry to the /etc/system file and modify the doi value in the default security templates.

1. Type your DOI entry into the /etc/system file:

   set default_doi = n

   This positive, non-zero number must match the DOI number in the tnrhtp database for your node and for the systems that your node communicates with.

2. Before adding the tnrhtp database to your LDAP server, modify the doi value in the default entries and all entries for local addresses.

   Trusted Extensions provides two templates in the tnrhtp database, cipso and admin_low. If you have added entries for local addresses, also modify these entries.

   1. Open the tnrhtp database in the trusted editor.

      # /usr/dt/bin/trusted_edit /etc/security/tsol/tnrhtp

      In Solaris Trusted Extensions (CDE), you can instead use the Admin Editor action in the Trusted_Extensions folder in the Application Manager.

   2. Copy the cipso template entry to another line.

      cipso:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH cipso:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH

   3. Comment out one of the cipso entries.

      #cipso:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH cipso:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH

   4. Modify the doi value in the uncommented cipso entry.

      Make this value the same as the default_doi value in the /etc/system file.

      #cipso:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH cipso:host_type=cipso;doi=n;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH

   5. Change the doi value for the admin_low entry.

      #admin_low:host_type=unlabeled;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;doi=1;def_label=ADMIN_LOW admin_low:host_type=unlabeled;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;doi=n;def_label=ADMIN_LOW

   You are finished when every doi value in every entry in the tnrhtp database is the same.

Troubleshooting

If the /etc/system file sets a default_doi value other than 1, and a security template for this system sets a value that does not match this default_doi value, then messages similar to the following are displayed on the system console during interface configuration:

• NOTICE: er10 failed: 10.17.1.12 has wrong DOI 4 instead of 1

• Failed to configure IPv4 interface(s): er10

Interface configuration failure can result in login failure:

• Hostname: unknown

• unknown console login: root

• Oct 10 10:10:20 unknown login: pam_unix_cred: cannot load hostname Error 0

To correct the problem, boot the system into single-user mode and correct the security templates as described in this procedure.

See Also

For more information about the DOI, see Network Security Attributes in Trusted Extensions in Oracle Solaris Trusted Extensions Administrator’s Procedures.

To change the doi value in the security templates that you create, see How to Construct a Remote Host Template in Oracle Solaris Trusted Extensions Administrator’s Procedures.

To use the editor of your choice as the trusted editor, see How to Assign the Editor of Your Choice as the Trusted Editor in Oracle Solaris Trusted Extensions Administrator’s Procedures.

Create ZFS Pool for Cloning Zones

If you plan to use a Solaris ZFS^TM snapshot as your zone template, you need to create a ZFS pool from a ZFS file or a ZFS device. This pool holds the snapshot for cloning each zone. You use the /zone device for your ZFS pool.

Before You Begin

You have set aside disk space during Solaris installation for a ZFS file system. For details, see Planning for Zones in Trusted Extensions.

1. Unmount the /zone partition.

   During installation, you created a /zone partition with sufficient disk space of about 2000 MBytes.

   # umount /zone

2. Remove the /zone mount point.

   # rmdir /zone

3. Comment out the /zone entry in the vfstab file.

   1. Prevent the /zone entry from being read.

      Open the vfstab file in an editor. Prefix the /zone entry with a comment sign.

      #/dev/dsk/cntndnsn /dev/dsk/cntndnsn /zone ufs 2 yes -

   2. Copy the disk slice, cntndnsn, to the clipboard.

   3. Save the file, and close the editor.

4. Use the disk slice to re-create /zone as a ZFS pool.

   # zpool create -f zone cntndnsn

   For example, if your /zone entry used disk slice c0t0d0s5, then the command would be the following:

   # zpool create -f zone c0t0d0s5

5. Verify that the ZFS pool is healthy.

   Use one of the following commands:

   # zpool status -x zone pool 'zone' is healthy

   # zpool list NAME SIZE USED AVAIL CAP HEALTH ALTROOT /zone 5.84G 80K 5.84G 7% ONLINE -

   In this example, the initial setup team reserved a 6000 MByte partition for zones. For more information, see the zpool(1M) man page.

Reboot and Log In to Trusted Extensions

At most sites, two or more administrators, who serve as an initial setup team, are present when configuring the system.

Before You Begin

Before you first log in, become familiar with the desktop and label options in Trusted Extensions. For details, see Chapter 2, Logging In to Trusted Extensions (Tasks), in Oracle Solaris Trusted Extensions User’s Guide.

1. Reboot the system.

   # /usr/sbin/reboot

   If your system does not have a graphical display, go to Chapter 6, Configuring a Headless System With Trusted Extensions (Tasks).

2. Log in to either the Solaris Trusted Extensions (CDE) or the Solaris Trusted Extensions (JDS) desktop as superuser.

   1. In the login window, select one of the trusted desktops.

      The Trusted CDE desktop contains actions that are useful when configuring the system. Starting in the Solaris 10 10/08 release, the txzonemgr script is the preferred program for configuring the system.

   2. In the login dialog box, type root and the root password.

      Users must not disclose their passwords to another person, as that person might then have access to the data of the user and will not be uniquely identified or accountable. Note that disclosure can be direct, through the user deliberately disclosing his/her password to another person, or indirect, such as through writing it down, or choosing an insecure password. Trusted Extensions software provides protection against insecure passwords, but cannot prevent a user disclosing his/her password or writing it down.

3. Read the information in the Last Login dialog box.

   

   Then click OK to dismiss the box.

4. Read the Label Builder.

   Click OK to accept the default label.

   Once the login process is complete, the Trusted Extensions screen appears briefly, and you are in a desktop session with four workspaces. The Trusted Path symbol is displayed in the trusted stripe.

   ---

   Note –

   You must log off or lock the screen before leaving a system unattended. Otherwise, a person can access the system without having to pass identification and authentication, and that person would not be uniquely identified or accountable.

   ---

Initialize the Solaris Management Console Server in Trusted Extensions

This procedure enables you to administer users, roles, hosts, zones, and the network on this system. On the first system that you configure, only the files scope is available.

Before You Begin

You must be superuser.

To use the LDAP toolbox on the LDAP server from a Solaris Management Console that is running on a client, you must complete all of the tasks in Configuring the Solaris Management Console for LDAP (Task Map).

1. Start the Solaris Management Console.

   # /usr/sbin/smc &

   ---

   Note –

   The first time the Solaris Management Console is started, it performs several registration tasks. These tasks can take a few minutes.

   ---

   Figure 4–1 Solaris Management Console Initial Window

   
   

2. Do one of the following if toolbox icons do not appear in the Solaris Management Console:

   • If the Navigation pane is not visible:

     1. In the Open Toolbox dialog box that is displayed, click Load next to this system's name under Server.

        If this system does not have the recommended amount of memory and swap, it might take a few minutes for the toolboxes to display. For recommendations, see Installing or Upgrading the Solaris OS for Trusted Extensions.

     2. From the list of toolboxes, select a toolbox whose Policy=TSOL.

        Figure 4–2 shows a This Computer (this-host: Scope=Files, Policy=TSOL) toolbox. Trusted Extensions modifies tools under the System Configuration node.

        ---

        Caution –

        Do not choose a toolbox that has no policy. Toolboxes without a listed policy do not support Trusted Extensions.

        ---

        Your toolbox choice depends on which scope you want to influence.

        • To edit local files, choose the Files scope.

        • To edit LDAP databases, choose the LDAP scope.

          After you complete all of the tasks in Configuring the Solaris Management Console for LDAP (Task Map), the LDAP scope is available.

     3. Click Open.

   • If the Navigation pane is visible, but the toolbox icons are stop signs:

     1. Exit the Solaris Management Console.

     2. Restart the Solaris Management Console.

        # /usr/sbin/smc &

3. If you have not yet done so, select a toolbox whose Policy=TSOL.

   The following figure shows a This Computer (this-host: Scope=Files, Policy=TSOL) toolbox. Trusted Extensions modifies tools under the System Configuration node.

   Figure 4–2 Trusted Extensions Tools in the Solaris Management Console

   
   

4. (Optional) Save the current toolbox.

   Saving a Policy=TSOL toolbox enables a Trusted Extensions toolbox to load by default. Preferences are saved per role, per host. The host is the Solaris Management Console server.

   1. From the Console menu, choose Preferences.

      The Home toolbox is selected.

   2. Define a Policy=TSOL toolbox as the Home toolbox.

      Put the current toolbox in the Location field by clicking the Use Current Toolbox button.

   3. Click OK to save the preferences.

5. Exit the Solaris Management Console.

See Also

For an overview of the Trusted Extensions additions to the Solaris Management Console, see Solaris Management Console Tools in Oracle Solaris Trusted Extensions Administrator’s Procedures. To use the Solaris Management Console to create security templates, see Configuring Trusted Network Databases (Task Map) in Oracle Solaris Trusted Extensions Administrator’s Procedures.

Make the Global Zone an LDAP Client in Trusted Extensions

For LDAP, this procedure establishes the naming service configuration for the global zone. If you are not using LDAP, you can skip this procedure.

Starting in the Solaris 10 5/08 release, if you are in a Solaris Trusted Extensions (CDE) workspace, you can use the txzonemgr script or a Trusted CDE action to create an LDAP client. If you are in a Solaris Trusted Extensions (JDS) or a Solaris Trusted Extensions (GNOME) workspace, you must use the txzonemgr script.

If you plan to set up a name server in each labeled zone, you are responsible for establishing the LDAP client connection to each labeled zone.

Before You Begin

The Sun Java^TM System Directory Server, that is, the LDAP server, must exist. The server must be populated with Trusted Extensions databases, and this system must be able to contact the server. So, the system that you are configuring must have an entry in the tnrhdb database on the LDAP server, or this system must be included in a wildcard entry before you perform this procedure.

If an LDAP server that is configured with Trusted Extensions does not exist, you must complete the procedures in Chapter 5, Configuring LDAP for Trusted Extensions (Tasks) before you perform this procedure.

1. If you are using DNS, modify the nsswitch.ldap file.

   1. Save a copy of the original nsswitch.ldap file.

      The standard naming service switch file for LDAP is too restrictive for Trusted Extensions.

      # cd /etc # cp nsswitch.ldap nsswitch.ldap.orig

   2. Change the nsswitch.ldap file entries for the following services.

      The correct entries are similar to the following:

      hosts: files dns ldap ipnodes: files dns ldap networks: ldap files protocols: ldap files rpc: ldap files ethers: ldap files netmasks: ldap files bootparams: ldap files publickey: ldap files services: files

      Note that Trusted Extensions adds two entries:

      tnrhtp: files ldap tnrhdb: files ldap

   3. Copy the modified nsswitch.ldap file to nsswitch.conf.

      # cp nsswitch.ldap nsswitch.conf

2. Perform one of the following steps to create an LDAP client.

   • Run the txzonemgr script and answer the prompts about LDAP.

     The Create LDAP Client menu item configures the global zone only.

     1. Follow the instructions in Run the txzonemgr Script.

        The title of the dialog box is Labeled Zone Manager.

     2. Select Create LDAP Client.

     3. Answer the following prompts and click OK after each answer:

        Enter Domain Name: Type the domain name Enter Hostname of LDAP Server: Type the name of the server Enter IP Address of LDAP Server servername: Type the IP address Enter LDAP Proxy Password: Type the password to the server Confirm LDAP Proxy Password: Retype the password to the server Enter LDAP Profile Name: Type the profile name

     4. Confirm or cancel the displayed values.

        Proceed to create LDAP Client?

        When you confirm, the txzonemgr script adds the LDAP client. Then, a window displays the command output.

   • In a Trusted CDE workspace, find and use the Create LDAP Client action.

     1. Navigate to the Trusted_Extensions folder by clicking mouse button 3 on the background.

     2. From the Workspace menu, choose Applications -> Application Manager.

     3. Double-click the Trusted_Extensions folder icon.

        This folder contains actions that set up interfaces, LDAP clients, and labeled zones.

     4. Double-click the Create LDAP Client action.

        Answer the following prompts:

        Domain Name: Type the domain name Hostname of LDAP Server: Type the name of the server IP Address of LDAP Server: Type the IP address LDAP Proxy Password: Type the password to the server Profile Name: Type the profile name

     5. Click OK.

        The following completion message appears:

        global zone will be LDAP client of LDAP-server System successfully configured. *** Select Close or Exit from the window menu to close this window ***

     6. Close the action window.

3. In a terminal window, set the enableShadowUpdate parameter to TRUE.

   # ldapclient -v mod -a enableShadowUpdate=TRUE \ > -a adminDN=cn=admin,ou=profile,dc=domain,dc=suffix System successfully configured

   The Create LDAP Client action and the txzonemgr script run the ldapclient init command only. In Trusted Extensions, you must also modify an initialized LDAP client to enable shadow updates.

4. Verify that the information on the server is correct.

   1. Open a terminal window, and query the LDAP server.

      # ldapclient list

      The output looks similar to the following:

      NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=domain-name ... NS_LDAP_BIND_TIME= number

   2. Correct any errors.

      If you get an error, create the LDAP client again and supply the correct values. For example, the following error can indicate that the system does not have an entry on the LDAP server:

      LDAP ERROR (91): Can't connect to the LDAP server. Failed to find defaultSearchBase for domain domain-name

      To correct this error, you need to check the LDAP server.

Example 4–2 Using Host Names After Loading a resolv.conf File

In this example, the administrator wants a particular set of DNS servers to be available to the system. The administrator copies a resolv.conf file from a server on a trusted net. Because DNS is not yet active, the administrator uses the server's IP address to locate the server.

# cd /etc
# cp /net/10.1.1.2/export/txsetup/resolv.conf resolv.conf

After the resolv.conf file is copied and the nsswitch.conf file includes dns in the hosts entry, the administrator can use host names to locate systems.

Creating Labeled Zones

The txzonemgr script steps you through all the following tasks that configure labeled zones.

You must be running the Solaris 10 8/07 release of Trusted Extensions or a later release to use the txzonemgr procedures. Or, you must install all patches for the Solaris 10 11/06 release.

If you are running the Solaris 10 11/06 release without current patches, use the procedures in Appendix B, Using CDE Actions to Install Zones in Trusted Extensions to configure the labeled zones.

The instructions in this section configure labeled zones on a system that has been assigned at most two IP addresses. For other configurations, see the configuration options in Task Map: Preparing For and Enabling Trusted Extensions.

Run the txzonemgr Script

This script steps you through the tasks to properly configure, install, initialize, and boot labeled zones. In the script, you name each zone, associate the name with a label, install the packages to create a virtual OS, and then boot the zone to start services in that zone. The script includes copy zone and clone zone tasks. You can also halt a zone, change the state of a zone, and add zone-specific network interfaces.

This script presents a dynamically-determined menu that displays only valid choices for the current circumstances. For instance, if the status of a zone is configured, the Install zone menu item is not displayed. Tasks that are completed do not display in the list.

Before You Begin

You are superuser.

If you plan to clone zones, you have completed the preparation for cloning zones. If you plan to use your own security templates, you have created the templates.

1. Open a terminal window in the global zone.

2. Run the txzonemgr script.

   # /usr/sbin/txzonemgr

   The script opens the Labeled Zone Manager dialog box. This zenity dialog box prompts you for the appropriate tasks, depending on the current state of your installation.

   To perform a task, you select the menu item, then press the Return key or click OK. When you are prompted for text, type the text then press the Return key or click OK.

   ---

   Tip –

   To view the current state of zone completion, click Return to Main Menu in the Labeled Zone Manager.

   ---

Configure the Network Interfaces in Trusted Extensions

If you are configuring your system to use DHCP, refer to the laptop instructions in the Trusted Extensions section of OpenSolaris Community: Security web page.

Starting in the Solaris 10 10/08 release, if you are configuring a system where each labeled zone is on its own subnet, you can skip this step and continue with Name and Label the Zone. You add the network interfaces for each labeled zone in Add a Network Interface to Route an Existing Labeled Zone, after you have finished installing and customizing the zones.

In this task, you configure the networking in the global zone. You must create exactly one all-zones interface. An all-zones interface is shared by the labeled zones and the global zone. The shared interface is used to route traffic between the labeled zones and the global zone. To configure this interface, do one of the following:

• Create a logical interface from a physical interface, then share the physical interface.

  This configuration is the simplest to administer. Choose this configuration when your system has been assigned two IP addresses. In this procedure, the logical interface becomes the global zone's specific address, and the physical interface is shared between the global zone and the labeled zones.

• Share a physical interface

  Choose this configuration when your system has been assigned one IP address. In this configuration, the physical interface is shared between the global zone and the labeled zones.

• Share a virtual network interface, vni0

  Choose this configuration when you are configuring DHCP, or when each subnetwork is at a different label. For a sample procedure, refer to the laptop instructions in the Trusted Extensions section of OpenSolaris Community: Security web page.

  Starting in the Solaris 10 10/08 release, the, loopback interface in Trusted Extensions is created as an all-zones interface. Therefore, you do not need to create a vni0 shared interface.

To add zone-specific network interfaces, finish and verify zone creation before adding the interfaces. For the procedure, see Add a Network Interface to Route an Existing Labeled Zone.

Before You Begin

You are superuser in the global zone.

The Labeled Zone Manager is displayed. To open this GUI, see Run the txzonemgr Script.

1. In the Labeled Zone Manager, select Manage Network Interfaces and click OK.

   A list of interfaces is displayed.

   ---

   Note –

   In this example, the physical interface was assigned a host name and an IP address during installation.

   ---

2. Select the physical interface.

   A system with one interface displays a menu similar to the following. The annotation is added for assistance:

   vni0 DownVirtual Network Interface eri0 global 10.10.9.9 cipso Up Physical Interface

   1. Select the eri0 interface.

   2. Click OK

3. Select the appropriate task for this network interface.

   You are offered three options:

   View Template Assign a label to the interface Share Enable the global zone and labeled zones to use this interface Create Logical Interface Create an interface to use for sharing

   • If your system has one IP address, go to Step 4.

   • If your system has two IP addresses, go to Step 5.

4. On a system with one IP address, share the physical interface.

   In this configuration, the host's IP address applies to all zones. Therefore, the host's address is the all-zones address. This host cannot be used as a multilevel server. For example, users cannot share files from this system. The system cannot be an LDAP proxy server, an NFS home directory server, or a print server.

   1. Select Share and click OK.

   2. Click OK in the dialog box that displays the shared interface.

      eri0 all-zones 10.10.9.8 cipso Up

      You are successful when the physical interface is an all-zones interface. Continue with Name and Label the Zone.

5. On a system with two IP addresses, create a logical interface.

   Then, share the physical interface.

   This is the simplest Trusted Extensions network configuration. In this configuration, the main IP address can be used by other systems to reach any zone on this system, and the logical interface is zone-specific to the global zone. The global zone can be used as a multilevel server.

   1. Select Create Logical Interface and click OK.

      Dismiss the dialog box that confirms the creation of a new logical interface.

   2. Select Set IP address and click OK.

   3. At the prompt, specify the host name for the logical interface and click OK.

      For example, specify machine1-services as the host name for the logical interface. The name indicates that this host offers multilevel services.

   4. At the prompt, specify the IP address for the logical interface and click OK.

      For example, specify 10.10.9.2 as the IP address for the logical interface.

   5. Select the logical interface again and click OK.

   6. Select Bring Up and click OK.

      The interface is displayed as Up.

      eri0 global 10.10.9.1 cipso Up eri0:1 global 10.10.9.2 cipso Up

   7. Share the physical interface.

      1. Select the physical interface and click OK.

      2. Select Share and click OK.

         eri0 all-zones 10.10.9.1 cipso Up eri0:1 global 10.10.9.2 cipso Up

   You are successful when at least one interface is an all-zones interface.

Example 4–3 Viewing the /etc/hosts File on a System With a Shared Logical Interface

On a system where the global zone has a unique interface and labeled zones share a second interface with the global zone, the /etc/hosts file appears similar to the following:

# cat /etc/hosts
...
127.0.0.1  localhost
192.168.0.11 machine1 loghost
192.168.0.12 machine1-services 

In the default configuration, the tnrhdb file appears similar to the following:

# cat /etc/security/tsol/tnrhdb
...
127.0.0.1:cipso
192.168.0.11:cipso
192.168.0.12:cipso
0.0.0.0:admin_low

If the all-zones interface is not in the tnrhdb file, the interface defaults to cipso.

Example 4–4 Displaying the Shared Interface on a Trusted Extensions System With One IP Address

In this example, the administrator is not planning to use the system as a multilevel server. To conserve IP addresses, the global zone is configured to share its IP address with every labeled zone.

The administrator selects Share for the hme0 interface on the system. The software configures all zones to have logical NICs. These logical NICs share a single physical NIC in the global zone.

The administrator runs the ifconfig -a command to verify that the physical interface hme0 on network interface 192.168.0.11 is shared. The value all-zones is displayed:

 lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
         inet 127.0.0.1 netmask ff000000
 hme0: flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
         all-zones
         inet 192.168.0.11 netmask fffffe00 broadcast 192.168.0.255

Starting in the Solaris 10 10/08 release, the, loopback interface in Trusted Extensions is created as an all-zones interface.

 lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
         all-zones
         inet 127.0.0.1 netmask ff000000
 hme0: flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
         all-zones
         inet 192.168.0.11 netmask fffffe00 broadcast 192.168.0.255

The administrator also examines the contents of the /etc/hostname.hme0 file:

192.168.0.11 all-zones

Name and Label the Zone

You do not have to create a zone for every label in your label_encodings file, but you can. The administrative GUIs enumerate the labels that can have zones created for them on this system.

Before You Begin

You are superuser in the global zone. The Labeled Zone Manager dialog box is displayed. To open this GUI, see Run the txzonemgr Script. You have configured the network interfaces in the global zone.

You have created any security templates that you need. A security template defines, among other attributes, the label range that can be assigned to a network interface. The default security templates might satisfy your needs.

• For an overview of security templates, see Network Security Attributes in Trusted Extensions in Oracle Solaris Trusted Extensions Administrator’s Procedures.

• To use the Solaris Management Console to create security templates, see Configuring Trusted Network Databases (Task Map) in Oracle Solaris Trusted Extensions Administrator’s Procedures.

1. In the Labeled Zone Manager, select Create a new zone and click OK.

   You are prompted for a name.

   1. Type the name for the zone.

      ---

      Tip –

      Give the zone a name that is similar to the zone's label. For example, the name of a zone whose label is CONFIDENTIAL: RESTRICTED would be restricted.

      ---

      For example, the default label_encodings file contains the following labels:

      PUBLIC CONFIDENTIAL: INTERNAL USE ONLY CONFIDENTIAL: NEED TO KNOW CONFIDENTIAL: RESTRICTED SANDBOX: PLAYGROUND MAX LABEL

      Although you could create one zone per label, consider creating the following zones:

      • On a system for all users, create one zone for the PUBLIC label and three zones for the CONFIDENTIAL labels.

      • On a system for developers, create a zone for the SANDBOX: PLAYGROUND label. Because SANDBOX: PLAYGROUND is defined as a disjoint label for developers, only systems that developers use need a zone for this label.

      • Do not create a zone for the MAX LABEL label, which is defined to be a clearance.

   2. Click OK.

      The dialog box displays zone-name:configured above a list of tasks.

2. To label the zone, choose one of the following:

   • If you are using a customized label_encodings file, label the zone by using the Trusted Network Zones tool.

     1. Open the Trusted Network Zones tool in the Solaris Management Console.

        1. Start the Solaris Management Console.

           # /usr/sbin/smc &

        2. Open the Trusted Extensions toolbox for the local system.

           1. Choose Console -> Open Toolbox.

           2. Select the toolbox that is named This Computer (this-host: Scope=Files, Policy=TSOL).

           3. Click Open.

        3. Under System Configuration, navigate to Computers and Networks.

           Provide a password when prompted.

        4. Double-click the Trusted Network Zones tool.

     2. For each zone, associate the appropriate label with the zone name.

        1. Choose Action -> Add Zone Configuration.

           The dialog box displays the name of a zone that does not have an assigned label.

        2. Look at the zone name, then click Edit.

        3. In the Label Builder, click the appropriate label for the zone name.

           If you click the wrong label, click the label again to deselect it, then click the correct label.

        4. Save the assignment.

           Click OK in the Label Builder, then click OK in the Trusted Network Zones Properties dialog box.

        You are finished when every zone that you want is listed in the panel, or the Add Zone Configuration menu item opens a dialog box that does not have a value for Zone Name.

   • If you are using the default label_encodings file, use the Labeled Zone Manager.

     Click Select Label menu item and OK to display the list of available labels.

     1. Select the label for the zone.

        For a zone that is named public, you would select the label PUBLIC from the list.

     2. Click OK.

        A list of tasks is displayed.

Install the Labeled Zone

Before You Begin

You are superuser in the global zone. The zone is configured, and has an assigned network interface.

The Labeled Zone Manager dialog box is displayed with the subtitle zone-name:configured. To open this GUI, see Run the txzonemgr Script.

1. From the Labeled Zone Manager, select Install and click OK.

   ---

   Caution –

   This process takes some time to finish. Do not perform other tasks while this task is completing.

   ---

   The system copies packages from the global zone to the non-global zone. This task installs a labeled virtual operating system in the zone. To continue the example, this task installs the public zone. The GUI displays output similar to the following.

   # Labeled Zone Manager: Installing zone-name zone Preparing to install zone <zonename> Creating list of files to copy from the global zone Copying <total> files to the zone Initializing zone product registry Determining zone package initialization order. Preparing to initialize <subtotal> packages on the zone. Initializing package <number> of <subtotal>: percent complete: percent Initialized <subtotal> packages on zone. Zone <zonename> is initialized. The file /zone/internal/root/var/sadm/system/logs/install_log contains a log of the zone installation.

   ---

   Note –

   Messages such as cannot create ZFS dataset zone/zonename: dataset already exists are informational. The zone uses the existing dataset.

   ---

   When the installation is complete, you are prompted for the name of the host. A name is supplied.

2. Accept the name of the host.

   The dialog box displays zone-name:installed above a list of tasks.

Troubleshooting

If warnings that are similar to the following are displayed: Installation of these packages generated errors: SUNWpkgname, read the install log and finish installing the packages.

Boot the Labeled Zone

Before You Begin

You are superuser in the global zone. The zone is installed, and has an assigned a network interface.

The Labeled Zone Manager dialog box is displayed with the subtitle zone-name:installed. To open this GUI, see Run the txzonemgr Script.

1. In the Labeled Zone manager, select Zone Console and click OK.

   A separate console window appears for the current labeled zone.

2. Select Boot.

   The Zone Terminal Console tracks the progress of booting the zone. If the zone is created from scratch, messages that are similar to the following appear in the console:

   [Connected to zone 'public' console] [NOTICE: Zone booting up] ... Hostname: zone-name Loading smf(5) service descriptions: number/total Creating new rsa public/private host key pair Creating new dsa public/private host key pair rebooting system due to change(s) in /etc/default/init [NOTICE: Zone rebooting]

   ---

   Caution –

   Do not perform other tasks while this task is completing.

   ---

   When the four default zones are configured and booted, the Labeled Zone Manager displays the zones as follows:

   

Troubleshooting

Sometimes, error messages are displayed and the zone does not reboot. In the Zone Terminal Console, press the Return key. If you are prompted to type y to reboot, type y and press the Return key. The zone reboots.

Next Steps

If this zone was copied or cloned from another zone, continue with Verify the Status of the Zone.

If this zone is the first zone, continue with Customize the Labeled Zone.

Verify the Status of the Zone

The X server runs in the global zone. Each labeled zone must be able to connect with the global zone to use the X server. Therefore, zone networking must work before a zone can be used. For background information, see Planning for Multilevel Access.

1. Verify that the zone has been completely started.

   1. In the zone-name: Zone Terminal Console, log in as root.

      hostname console login: root Password: Type root password

   2. In the Zone Terminal Console, verify that critical services are running.

      # svcs -xv svc:/application/print/server:default (LP print server) State: disabled since Tue Oct 10 10:10:10 2006 Reason: Disabled by an administrator. See: http://sun.com/msg/SMF-8000-05 See: lpsched(1M) ...

      The sendmail and print services are not critical services.

   3. Verify that the zone has a valid IP address.

      # ifconfig -a

      For example, the following output shows an IP address for the hme0 interface.

      # ... hme0: flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2 all-zones inet 192.168.0.11 netmask fffffe00 broadcast 192.168.0.255

   4. (Optional) Verify that the zone can communicate with the global zone.

      1. Set the DISPLAY variable to point to the X server

         # DISPLAY=global-zone-hostname:n.n # export DISPLAY

      2. From the terminal window, display a GUI.

         For example, display a clock.

         # /usr/openwin/bin/xclock

         If the clock at the label of the zone does not appear, the zone networking has not been configured correctly. For debugging suggestions, see Labeled Zone Is Unable to Access the X Server.

      3. Close the GUI before continuing.

2. From the global zone, check the status of the labeled zones.

   # zoneadm list -v ID NAME STATUS PATH BRAND IP 0 global running / native shared 3 internal running /zone/internal native shared 4 needtoknow running /zone/needtoknow native shared 5 restricted running /zone/restricted native shared

Next Steps

You have completed configuring the labeled zone. To add zone-specific network interfaces to the zones or to establish default routing per labeled zone, continue with Adding Network Interfaces and Routing to Labeled Zones. Otherwise, continue with Creating Roles and Users in Trusted Extensions.

Customize the Labeled Zone

If you are going to clone zones or copy zones, this procedure configures a zone to be a template for other zones. In addition, this procedure configures a zone that has not been created from a template for use.

Before You Begin

You are superuser in the global zone. You have completed Verify the Status of the Zone.

1. In the Zone Terminal Console, disable services that are unnecessary in a labeled zone.

   If you are copying or cloning this zone, the services that you disable are disabled in the new zones. The services that are online on your system depend on the service manifest for the zone. Use the netservices limited command to turn off services that labeled zones do not need.

   1. Remove many unnecessary services.

      # netservices limited

   2. List the remaining services.

      # svcs ... STATE STIME FMRI online 13:05:00 svc:/application/graphical-login/cde-login:default ...

   3. Disable graphical login.

      # svcadm disable svc:/application/graphical-login/cde-login # svcs cde-login STATE STIME FMRI disabled 13:06:22 svc:/application/graphical-login/cde-login:default

   For information about the service management framework, see the smf(5) man page.

2. In the Labeled Zone Manager, select Halt to halt the zone.

3. Before continuing, verify that the zone is shut down.

   In the zone-name: Zone Terminal Console, the following message indicates that the zone is shut down.

   [ NOTICE: Zone halted]

   If you are not copying or cloning this zone, create the remaining zones in the way that you created this first zone. Otherwise, continue with the next step.

4. If you are using this zone as a template for other zones, do the following:

   1. Remove the auto_home_zone-name file.

      In a terminal window in the global zone, remove this file from the zone-name zone.

      # cd /zone/zone-name/root/etc # ls auto_home* auto_home auto_home_zone-name # rm auto_home_zone-name

      For example, if the public zone is the template for cloning other zones, remove the auto_home_public file:

      # cd /zone/public/root/etc # rm auto_home_public

   2. If you plan to clone this zone, create the ZFS snapshot in the next step, then continue with Copy or Clone a Zone in Trusted Extensions.

   3. If you plan to copy this zone, complete Step 6, then continue with Copy or Clone a Zone in Trusted Extensions.

5. To create a zone template for cloning the remaining zones, select Create Snapshot and click OK.

   ---

   Caution –

   The zone for the snapshot must be in a ZFS file system. You created a ZFS file system for the zone in Create ZFS Pool for Cloning Zones.

   ---

6. To verify that the customized zone is still usable, select Boot from the Labeled Zone Manager.

   The Zone Terminal Console tracks the progress of booting the zone. Messages that are similar to the following appear in the console:

   [Connected to zone 'public' console] [NOTICE: Zone booting up] ... Hostname: zonename

   Press the Return key for a login prompt. You can log in as root.

Copy or Clone a Zone in Trusted Extensions

Before You Begin

You have completed Customize the Labeled Zone.

The Labeled Zone Manager dialog box is displayed. To open this GUI, see Run the txzonemgr Script.

1. Create the zone.

   For details, see Name and Label the Zone.

2. Continue with your zone creation strategy by choosing one of the following methods:

   You will repeat these steps for every new zone.

   • Copy the zone that you just labeled.

     1. In the Labeled Zone Manager, select Copy and click OK.

     2. Select the zone template and click OK.

        A window displays the copying process. When the process completes, the zone is installed.

        If the Labeled Zone Manager displays zone-name:configured, continue with the next step. Otherwise, continue with Step e.

     3. Select the menu item Select another zone, and click OK.

     4. Select the newly installed zone and click OK.

     5. Complete Boot the Labeled Zone.

     6. Complete Verify the Status of the Zone.

   • Clone the zone that you just labeled.

     1. In the Labeled Zone Manager, select Clone and click OK.

     2. Select a ZFS snapshot from the list and click OK.

        For example, if you created a snapshot from public, select the zone/public@snapshot.

        When the cloning process completes, the zone is installed. Continue with Step c.

     3. Open a Zone Console and boot the zone.

        For instructions, see Boot the Labeled Zone.

     4. Complete Verify the Status of the Zone.

Next Steps

• When you have completed Verify the Status of the Zone for every zone, and you want each zone to be on a separate physical network, continue with Add a Network Interface to Route an Existing Labeled Zone.

• If you have not yet created roles, continue with Creating Roles and Users in Trusted Extensions.

• If you have already created roles, continue with Creating Home Directories in Trusted Extensions.

Adding Network Interfaces and Routing to Labeled Zones

The following tasks support environments where each zone is connected to a separate physical network.

Add a Network Interface to Route an Existing Labeled Zone

This procedure adds zone-specific network interfaces to existing labeled zones. This configuration supports environments where each labeled zone is connected to a separate physical network. The labeled zones use the network routing that the global zone provides.

The global zone must configure an IP address for every subnet in which a non-global zone address is configured.

Before You Begin

You are superuser in the global zone.

For every zone, you have completed the tasks in Creating Labeled Zones.

1. In the global zone, type the IP addresses and hostnames for the additional network interfaces into the /etc/hosts file.

   Use a standard naming convention, such as adding -zone-name to the name of the host.

   ## /etc/hosts in global zone 10.10.8.2 hostname-zone-name1 10.10.8.3 hostname-global-name1 10.10.9.2 hostname-zone-name2 10.10.9.3 hostname-global-name2

2. For the network for each interface, add entries to the /etc/netmasks file.

   ## /etc/netmasks in global zone 10.10.8.0 255.255.255.0 10.10.9.0 255.255.255.0

   For more information, see the netmasks(4) man page.

3. In the global zone, plumb the zone-specific physical interfaces.

   1. Identify the physical interfaces that are already plumbed.

      # ifconfig -a

   2. Configure the global zone addresses on each interface.

      # ifconfig interface-nameN1 plumb # ifconfig interface-nameN1 10.10.8.3 up # ifconfig interface-nameN2 plumb # ifconfig interface-nameN2 10.10.9.3 up

   3. For each global zone address, create a hostname.interface-nameN file.

      # /etc/hostname.interface-nameN1 10.10.8.3 # /etc/hostname.interface-nameN2 10.10.9.3

   The global zone addresses are configured immediately upon system startup. The zone-specific addresses are configured when the zone is booted.

4. Assign a security template to each zone-specific network interface.

   If the gateway to the network is not configured with labels, assign the admin_low security template. If the gateway to the network is labeled, assign a cipso security template.

   You can create security templates of host type cipso that reflect the label of every network. For the procedures to create and assign the templates, see Configuring Trusted Network Databases (Task Map) in Oracle Solaris Trusted Extensions Administrator’s Procedures.

5. Halt every labeled zone to which you plan to add a zone-specific interface.

   # zoneadm -z zone-name halt

6. Start the Labeled Zone Manager.

   # /usr/sbin/txzonemgr

7. For each zone where you want to add a zone-specific interface, do the following:

   1. Select the zone.

   2. Select Add Network.

   3. Name the network interface.

   4. Type the IP address of the interface.

8. In the Labeled Zone Manager for every completed zone, select Zone Console.

9. Select Boot.

10. In the Zone Console, verify that the interfaces have been created.

    # ifconfig -a

11. Verify that the zone has a route to the gateway for the subnet.

    # netstat -rn

Troubleshooting

To debug zone configuration, see the following:

• Chapter 30, Troubleshooting Miscellaneous Solaris Zones Problems, in System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones

• Troubleshooting Your Trusted Extensions Configuration

• Troubleshooting the Trusted Network (Task Map) in Oracle Solaris Trusted Extensions Administrator’s Procedures

Add a Network Interface That Does Not Use the Global Zone to Route an Existing Labeled Zone

This procedure sets zone-specific default routes for existing labeled zones. In this configuration, the labeled zones do not use the global zone for routing.

The labeled zone must be plumbed in the global zone before the zone is booted. However, to isolate the labeled zone from the global zone, the interface must be in the down state when the zone is booted. For more information, see Chapter 17, Non-Global Zone Configuration (Overview), in System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones.

A unique default route must be configured for every non-global zone that is booted.

Before You Begin

You are superuser in the global zone.

For every zone, you have completed the tasks in Creating Labeled Zones. You are using either the vni0 interface or the lo0 interface to connect the labeled zones to the global zone.

1. For every network interface, determine its IP address, netmask, and default router.

   Use the ifconfig -a command to determine the IP address and netmask. Use the zonecfg -z zonename info net command to determine if a default router has been assigned.

2. Create an empty /etc/hostname.interface file for each labeled zone.

   # touch /etc/hostname.interface # touch /etc/hostname.interface:n

   For more information, see the netmasks(4) man page.

3. Plumb the network interfaces of the labeled zones.

   # ifconfig zone1-network-interface plumb # ifconfig zone2-network-interface plumb

4. Verify that the labeled zone's interfaces are in the down state.

   # ifconfig -a zone1-network-interface zone1-IP-address down zone2-network-interface zone2-IP-address down

   The zone-specific addresses are configured when the zone is booted.

5. For the network for each interface, add entries to the /etc/netmasks file.

   ## /etc/netmasks in global zone 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

   For more information, see the netmasks(4) man page.

6. Assign a security template to each zone-specific network interface.

   Create security templates of host type cipso that reflect the label of every network. To create and assign the templates, see Configuring Trusted Network Databases (Task Map) in Oracle Solaris Trusted Extensions Administrator’s Procedures.

7. Run the txzonemgr script, and open a separate terminal window.

   In the Labeled Zone Manager, you will add the network interfaces for the labeled zones. In the terminal window, you will display information about the zone and set the default router.

8. For every zone to which you are going to add a zone-specific network interface and router, complete the following steps:

   1. In the terminal window, halt the zone.

      # zoneadm -z zone-name halt

   2. In the Labeled Zone Manager, do the following:

      1. Select the zone.

      2. Select Add Network.

      3. Name the network interface.

      4. Type the IP address of the interface.

      5. In the terminal window, verify the zone configuration.

         # zonecfg -z zone-name info net net: address: IP-address physical: zone-network-interface defrouter not specified

   3. In the terminal window, configure the default router for the labeled zone's network.

      # zonecfg -z zone-name zonecfg:zone-name > select net address=IP-address zonecfg:zone-name:net> set defrouter=router-address zonecfg:zone-name:net> end zonecfg:zone-name > verify zonecfg:zone-name > commit zonecfg:zone-name > exit #

      For more information, see the zonecfg(1M) man page and How to Configure the Zone in System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones.

   4. Boot the labeled zone.

      # zoneadm -z zone-name boot

   5. In the global zone, verify that the labeled zone has a route to the gateway for the subnet.

      # netstat -rn

      A routing table is displayed. The destination and interface for the labeled zone is different from the entry for the global zone.

9. To remove the default route, select the zone's IP address, then remove the route.

   # zonecfg -z zone-name zonecfg:zone-name > select net address=zone-IP-address zonecfg:zone-name:net> remove net defrouter=zone-default-route zonecfg:zone-name:net> info net net: address: zone-IP-address physical: zone-network-interface defrouter not specified

Example 4–5 Setting a Default Route for a Labeled Zone

In this example, the administrator routes the Secret zone to a separate physical subnet. Traffic to and from the Secret zone is not routed through the global zone. The administrator uses the Labeled Zone Manager and the zonecfg command, then verifies that routing works.

The administrator determines that qfe1 and qfe1:0 are not currently in use. and creates a mapping for two labeled zones. qfe1 is the designated interface for the Secret zone.

Interface IP Address    Netmask        Default Router
qfe1     192.168.2.22 255.255.255.0 192.168.2.2
qfe1:0   192.168.3.33 255.255.255.0 192.168.3.3

First, the administrator creates the /etc/hostname.qfe1 file and configures the /etc/netmasks file.

# touch /etc/hostname.qfe1

# cat /etc/netmasks
## /etc/netmasks in global zone
192.168.2.0 255.255.255.0

Then, the administrator plumbs the network interface and verifies that the interface is down.

# ifconfig qfe1 plumb
# ifconfig -a

Then, in the Solaris Management Console, the administrator creates a security template with a single label, Secret, and assigns the IP address of the interface to the template.

The administrator halts the zone.

# zoneadm -z secret halt

The administrator runs the txzonemgr script to open the Labeled Zone Manager.

# /usr/sbin/txzonemgr

In the Labeled Zone Manager, the administrator selects the Secret zone, selects Add Network, and then selects a network interface. The administrator closes the Labeled Zone Manager.

On the command line, the administrator selects the zone's IP address, then sets its default route. Before exiting the command, the administrator verifies the route and commits it.

# zonecfg -z secret
zonecfg: secret > select net address=192.168.6.22 
zonecfg: secret:net> set defrouter=192.168.6.2 
zonecfg: secret:net> end 
zonecfg: secret > verify 
zonecfg: secret > commit 
zonecfg: secret > info net 
  net:
     address: 192.168.6.22
     physical: qfe1
     defrouter: 192.168.6.2
zonecfg: secret > exit 
#

The administrator boots the zone.

# zoneadm -z secret boot

In a separate terminal window in the global zone, the administrator verifies the sending and receiving of packets.

# netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use  Interface 
-------------------- -------------------- ----- ----- ------- --------- 
default              192.168.5.15         UG        1    2664 qfe0      
192.168.6.2          192.168.6.22         UG        1     240 qfe1      
192.168.3.3          192.168.3.33         U         1     183 qfe1:0    
127.0.0.1            127.0.0.1            UH        1     380 lo0       
...

Configure a Name Service Cache in Each Labeled Zone

This procedure enables you to separately configure a name service daemon (nscd) in each labeled zone. This configuration supports environments where each zone is connected to a subnetwork that runs at the label of the zone, and the subnetwork has its own name server for that label.

This configuration does not satisfy the criteria for an evaluated configuration. In an evaluated configuration, the nscd daemon runs only in the global zone. Doors in each labeled zone connect the zone to the global nscd daemon.

Before You Begin

You are superuser in the global zone. root must not yet be a role. You have successfully completed Add a Network Interface to Route an Existing Labeled Zone.

This configuration requires that you have advanced networking skills. If LDAP is your naming service, you are responsible for establishing the LDAP client connection to each labeled zone. The nscd daemon caches the name service information, but does not route it.

1. If you are using LDAP, verify a route to the LDAP server from the labeled zone.

   In a terminal window in every labeled zone, run the following command:

   zone-name # netstat -rn

2. In the global zone, start the Labeled Zone Manager.

   # /usr/sbin/txzonemgr

3. Select the Configure per-zone name service, and click OK.

   This option is intended to be used once, during initial system configuration.

4. Configure each zone's nscd service.

   For assistance, see the nscd(1M) and nscd.conf(4) man pages.

5. Reboot the system.

6. For every zone, verify the route and the name service daemon.

   1. In the Zone Console, list the nscd service.

      zone-name # svcs -x name-service-cache svc:/system/name-service-cache:default (name service cache) State: online since October 10, 2010 10:10:10 AM PDT See: nscd(1M) See: /etc/svc/volatile/system-name-service-cache:default.log Impact: None.

   2. Verify the route to the subnetwork.

      zone-name # netstat -rn

7. To remove the zone-specific name service daemons, do the following in the global zone:

   1. Open the Labeled Zone Manager.

   2. Select Unconfigure per-zone name service, and click OK.

      This selection removes the nscd daemon in every labeled zone.

   3. Reboot the system.

Creating Roles and Users in Trusted Extensions

If you are already using administrative roles, you might want to add a Security Administrator role. For sites that have not yet implemented roles, the procedure for creating them is similar to the procedure in the Solaris OS. Trusted Extensions adds the Security Administrator role and requires the use of the Solaris Management Console to administer a Trusted Extensions domain.

If site security requires two people to create user and role accounts, create custom rights profiles and assign them to roles to enforce separation of duty.

Create Rights Profiles That Enforce Separation of Duty

Skip this procedure if separation of duty is not a site security requirement. If your site requires separation of duty, you must create these rights profiles and roles before you populate the LDAP server.

This procedure creates rights profiles that have discrete capabilities to manage users. When you assign these profiles to distinct roles, two roles are required to create and configure users. One role can create users, but cannot assign security attributes. The other role can assign security attributes, but cannot create users. When you log in to the Solaris Management Console in a role that is assigned one of these profiles, only the appropriate tabs and fields are available to the role.

Before You Begin

You must be superuser, in the root role, or in the Primary Administrator role. When you start this procedure, the Solaris Management Console must be closed.

1. Create copies of the default rights profiles that affect user configuration.

   1. Copy the prof_attr file to the prof_attr.orig file.

   2. Open the prof_attr file in the trusted editor.

      # /usr/dt/bin/trusted_edit /etc/security/prof_attr

   3. Copy the three rights profiles and rename the copies.

      System Administrator:::Can perform most non-security... Custom System Administrator:::Can perform most non-security... User Security:::Manage passwords... Custom User Security:::Manage passwords... User Management:::Manage users, groups, home... Custom User Management:::Manage users, groups, home...

   4. Save the changes.

   5. Verify the changes.

      # grep ^Custom /etc/security/prof_attr Custom System Administrator:::Can perform most non-security... Custom User Management:::Manage users, groups, home... Custom User Security:::Manage passwords...

   Copying a rights profile rather than modifying it enables you to upgrade the system to a later Solaris release and retain your changes. Because these rights profiles are complex, modifying a copy of the default profile is less prone to error than building the more restrictive profile from scratch.

2. Start the Solaris Management Console.

   # /usr/sbin/smc &

3. Select the This Computer (this-host: Scope=Files, Policy=TSOL) toolbox.

4. Click System Configuration, then click Users.

   You are prompted for your password.

5. Type the appropriate password.

6. Double-click Rights.

7. Modify the Custom User Security rights profile.

   You restrict this profile from creating a user.

   1. Double-click Custom User Security.

   2. Click the Authorizations tab, then perform the following steps:

      1. From the Included list, remove the Manage Users and Roles authorization.

         The following User Accounts rights remain:

         Audit Controls Label and Clearance Range Change Password View Users and Roles Modify Extended Security Attributes

      2. Add the Manage Privileges right to the Included list.

   3. Click OK to save your changes.

8. Modify the Custom User Management profile.

   You restrict this profile from setting a password.

   1. Double-click Custom User Management.

   2. Click the Authorizations tab, then perform the following steps:

      1. Drag the scrollbar for the Included list to User Accounts.

      2. From the Included list, remove the Modify Extended Security Attributes authorization.

         The following User Accounts rights remain:

         Manage Users and Roles View Users and Roles

   3. Save your changes.

9. Modify the Custom System Administrator rights profile.

   The User Management profile is a supplementary profile in this profile. You prevent the system administrator from setting a password.

   1. Double-click Custom System Administrator.

   2. Click the Supplementary Rights tab, then perform the following steps:

      1. Remove the User Management rights profile.

      2. Add the Custom User Management rights profile.

      3. Move the Custom User Management rights profile above the All rights profile.

   3. Save your changes.

Next Steps

To prevent the default profiles from being used, see Step 7 in Verify That the Trusted Extensions Roles Work after you verify that the custom profiles enforce separation of duty.

Create the Security Administrator Role in Trusted Extensions

Role creation in Trusted Extensions is identical to role creation in the Solaris OS. However, in Trusted Extensions, a Security Administrator role is required. To create a local Security Administrator role, you can also use the command-line interface, as in Example 4–6.

Before You Begin

You must be superuser, in the root role, or in the Primary Administrator role.

To create the role on the network, you must have completed Configuring the Solaris Management Console for LDAP (Task Map).

1. Start the Solaris Management Console.

   # /usr/sbin/smc &

2. Select the appropriate toolbox.

   • To create the role locally, use This Computer (this-host: Scope=Files, Policy=TSOL).

   • To create the role in the LDAP service, use This Computer (ldap-server: Scope=LDAP, Policy=TSOL).

3. Click System Configuration, then click Users.

   You are prompted for your password.

4. Type the appropriate password.

5. Double-click Administrative Roles.

6. From the Action menu, choose Add Administrative Role.

7. Create the Security Administrator role.

   Use the following information as a guide:

   • Role name – secadmin

   • Full name – Security Administrator

   • Description – Site Security Officer No proprietary information here.

   • Role ID Number – ≥100

   • Role shell – Administrator's Bourne (profile shell)

   • Create a role mailing list – Leave the checkbox selected.

   • Password and confirm – Assign a password of at least 6 alphanumeric characters.

     The password for the Security Administrator role, and all passwords, must be difficult to guess, thus reducing the chance of an adversary gaining unauthorized access by attempting to guess passwords.

     ---

     Note –

     For all administrative roles, make the account Always Available, and do not set password expiration dates.

     ---

   • Available and Granted Rights – Information Security, User Security

     • If site security does not require separation of duty, select the Information Security and the default User Security rights profiles.

     • If site security requires separation of duty, select the Information Security and the Custom User Security rights profiles.

   • Home Directory Server – home-directory-server

   • Home Directory Path – /mount-path

   • Assign Users– This field is automatically filled in when you assign a role to a user.

8. After creating the role, check that the settings are correct.

   Select the role, then double-click it.

   Review the values in the following fields:

   • Available Groups – Add groups if required.

   • Trusted Extensions Attributes – Defaults are correct.

     For a single-label system where the labels must not be visible, choose Hide for Label: Show or Hide.

   • Audit Excluded and Included – Set audit flags only if the role's audit flags are exceptions to the system settings in the audit_control file.

9. To create other roles, use the Security Administrator role as a guide.

   For examples, see How to Create and Assign a Role by Using the GUI in System Administration Guide: Security Services. Give each role a unique ID, and assign to the role the correct rights profile. Possible roles include the following:

   • admin Role – System Administrator Granted Rights

   • primaryadmin Role – Primary Administrator Granted Rights

   • oper Role – Operator Granted Rights

Example 4–6 Using the roleadd Command to Create a Local Security Administrator Role

In this example, the root user adds the Security Administrator role to the local system by using the roleadd command. For details, see the roleadd(1M) man page. The root user consults Table 1–2 before creating the role. At this site, separation of duty is not required to create a user.

# roleadd -c "Local Security Administrator" -d /export/home1 \
-u 110 -P "Information Security,User Security" -K lock_after_retries=no \
-K idletime=5 -K idlecmd=lock -K labelview=showsl \
-K min_label=ADMIN_LOW -K clearance=ADMIN_HIGH secadmin

The root user provides an initial password for the role.

# passwd -r files secadmin
New Password:        <Type password>
Re-enter new Password: <Retype password>
passwd: password successfully changed for secadmin
#

To assign the role to a local user, see Example 4–7.

Create a Restricted System Administrator Role

Skip this procedure if separation of duty is not a site security requirement.

In this procedure, you assign a more restrictive rights profile to the System Administrator role.

Before You Begin

You must be superuser, in the root role, or in the Primary Administrator role.

You have completed Create Rights Profiles That Enforce Separation of Duty. You are using the same toolbox that you used to create the rights profile.

1. In the Solaris Management Console, create the System Administrator role.

   For assistance, see Create the Security Administrator Role in Trusted Extensions.

2. Assign the Custom System Administrator rights profile to the role.

3. Save the changes.

4. Close the Solaris Management Console.

Create Users Who Can Assume Roles in Trusted Extensions

To create a local user, you can use the command-line interface, as in Example 4–7, instead of the following procedure. Where site security policy permits, you can choose to create a user who can assume more than one administrative role.

For secure user creation, the System Administrator role creates the user, and the Security Administrator role assigns security-relevant attributes, such as a password.

Before You Begin

You must be superuser, in the root role, in the Security Administrator role, or in the Primary Administrator role. The Security Administrator role has the least amount of privilege that is required for user creation.

The Solaris Management Console is displayed. For details, see Create the Security Administrator Role in Trusted Extensions.

1. Double-click User Accounts in the Solaris Management Console.

2. From the Action menu, choose Add User -> Use Wizard.

   ---

   Caution –

   The names and IDs of roles and users come from the same pool. Do not use existing names or IDs for the users that you add.

   ---

3. Follow the online help.

   You can also follow the procedures in How to Add a User With the Solaris Management Console’s Users Tool in System Administration Guide: Basic Administration.

4. After creating the user, double-click the created user to modify the settings.

   ---

   Note –

   For users who can assume roles, make the user account Always Available, and do not set password expiration dates.

   ---

   Ensure that the following fields are correctly set:

   • Description – No proprietary information here.

   • Password and confirm – Assign a password of at least 6 alphanumeric characters.

     ---

     Note –

     When the initial setup team chooses a password, the team must select a password that is difficult to guess, thus reducing the chance of an adversary gaining unauthorized access by attempting to guess passwords.

     ---

   • Account Availability – Always Available.

   • Trusted Extensions Attributes – Defaults are correct.

     For a single-label system where the labels must not be visible, choose Hide for Label: Show or Hide.

   • Account Usage – Set Idle time and Idle action.

     Lock account – Set to No for any user who can assume a role.

5. Close the Solaris Management Console.

6. Customize the user's environment.

   1. Assign convenient authorizations.

      After checking your site security policy, you might want to grant your first users the Convenient Authorizations rights profile. With this profile, you can enable users to allocate devices, print PostScript^TM files, print without labels, remotely log in, and shut down the system. To create the profile, see How to Create a Rights Profile for Convenient Authorizations in Oracle Solaris Trusted Extensions Administrator’s Procedures.

   2. Customize user initialization files.

      See Chapter 7, Managing Users, Rights, and Roles in Trusted Extensions (Tasks), in Oracle Solaris Trusted Extensions Administrator’s Procedures.

      Also see Managing Users and Rights With the Solaris Management Console (Task Map) in Oracle Solaris Trusted Extensions Administrator’s Procedures.

   3. Create multilabel copy and link files.

      On a multilabel system, users and roles can be set up with files that list user initialization files to be copied or linked to other labels. For more information, see .copy_files and .link_files Files in Oracle Solaris Trusted Extensions Administrator’s Procedures.

Example 4–7 Using the useradd Command to Create a Local User

In this example, the root user creates a local user who can assume the Security Administrator role. For details, see the useradd(1M) and atohexlabel(1M) man pages.

First, the root user determines the hexadecimal format of the user's minimum label and clearance label.

# atohexlabel public
0x0002-08-08
# atohexlabel -c "confidential restricted"
0x0004-08-78

Next, the root user consults Table 1–2, and then creates the user.

# useradd -c "Local user for Security Admin" -d /export/home1 \
-K  idletime=10 -K idlecmd=logout -K lock_after_retries=no
-K min_label=0x0002-08-08 -K clearance=0x0004-08-78 -K labelview=showsl jandoe

Then, the root user provides an initial password.

# passwd -r files jandoe
New Password:    <Type password>
Re-enter new Password: <Retype password>
passwd: password successfully changed for jandoe
#

Finally, the root user adds the Security Administrator role to the user's definition. The role was created in Create the Security Administrator Role in Trusted Extensions.

# usermod -R secadmin jandoe

Verify That the Trusted Extensions Roles Work

To verify each role, assume the role. Then, perform tasks that only that role can perform.

Before You Begin

If you have configured DNS or routing, you must reboot after you create the roles and before you verify that the roles work.

1. For each role, log in as a user who can assume the role.

2. Open the Trusted Path menu.

   • In Trusted CDE, click the workspace switch area.

     

     From the menu, assume the role.

   • In Trusted JDS, click your user name in the trusted stripe.

     In the following trusted stripe, the user name is tester.

     

     From the list of roles that are assigned to you, select a role.

3. In the role workspace, start the Solaris Management Console.

   $ /usr/sbin/smc &

4. Select the appropriate scope for the role that you are testing.

5. Click System Services, and navigate to Users.

   You are prompted for a password.

   1. Type the role password.

   2. Double-click User Accounts.

6. Click a user.

   • The System Administrator role should be able to modify fields under the General, Home Directory, and Group tabs.

     If you configured the roles to enforce separation of duty, then the System Administrator role cannot set the user's initial password.

   • The Security Administrator role should be able to modify fields under all tabs.

     If you configured the roles to enforce separation of duty, then the Security Administrator role cannot create a user.

   • The Primary Administrator role should be able to modify fields under all tabs.

7. (Optional) If you are enforcing separation of duty, prevent the default rights profiles from being used.

   ---

   Note –

   When the system is upgraded to a newer version of the Solaris OS, the System Administrator, User Management, and User Security default profiles are replaced.

   ---

   In the trusted editor, perform one of the following steps:

   • Remove the three rights profiles from the prof_attr file.

     Removal prevents an administrator from viewing or assigning these profiles. Also, remove the prof_attr.orig file.

   • Comment out the three rights profiles in the prof_attr file.

     Commenting out the rights profiles prevents these profiles from being viewed in the Solaris Management Console or from being used in commands that manage users. The profiles and their contents can still be viewed in the prof_attr file.

   • Type a different description for the three rights profiles in the prof_attr file.

     Edit the prof_attr file to change the description field of these rights profiles. For example, you might replace the descriptions with Do not use this profile. This change warns an administrator to not use the profile, but does not prevent the profile from being used.

Enable Users to Log In to a Labeled Zone

When the host is rebooted, the association between the devices and the underlying storage must be re-established.

Before You Begin

You have created at least one labeled zone. That zone is not being used for cloning.

1. Reboot the system.

2. Log in as the root user.

3. Restart the zones service.

   # svcs zones STATE STIME FMRI offline - svc:/system/zones:default

   # svcadm restart svc:/system/zones:default

4. Log out.

   Regular users can now log in. Their session is in a labeled zone.

Creating Home Directories in Trusted Extensions

In Trusted Extensions, users need access to their home directories at every label at which the users work. To make every home directory available to the user requires that you create a multilevel home directory server, run the automounter on the server, and export the home directories. On the client side, you can run scripts to find the home directory for every zone for each user, or you can have the user log in to the home directory server.

Create the Home Directory Server in Trusted Extensions

Before You Begin

You must be superuser, in the root role, or in the Primary Administrator role.

1. Install and configure the home directory server with Trusted Extensions software.

   • If you are cloning zones, make sure that you use a Solaris ZFS snapshot that has empty home directories.

   • Because users require a home directory at every label that they they can log in to, create every zone that a user can log in to. For example, if you use the default label_encodings file, you would create a zone for the PUBLIC label.

2. If you are using UFS and not Solaris ZFS, enable the NFS server to serve itself.

   1. In the global zone, modify the automount entry in the nsswitch.conf file.

      Use the trusted editor to edit the /etc/nsswitch.conf file. For the procedure, see How to Edit Administrative Files in Trusted Extensions in Oracle Solaris Trusted Extensions Administrator’s Procedures.

      automount: files

   2. In the global zone, run the automount command.

3. For every labeled zone, follow the automount procedure in How to NFS Mount Files in a Labeled Zone in Oracle Solaris Trusted Extensions Administrator’s Procedures. Then, return to this procedure.

4. Verify that the home directories have been created.

   1. Log out of the home directory server.

   2. As a regular user, log in to the home directory server.

   3. In the login zone, open a terminal.

   4. In the terminal window, verify that the user's home directory exists.

   5. Create workspaces for every zone that the user can work in.

   6. In each zone, open a terminal window to verify that the user's home directory exists.

5. Log out of the home directory server.

Enable Users to Access Their Home Directories in Trusted Extensions

Users can initially log in to the home directory server to create a home directory that can be shared with other systems. To create a home directory at every label, each user must log in to the home directory server at every label.

Alternatively, you, as administrator, can create a script to create a mount point for home directories on each user's home system before the user first logs in. The script creates mount points at every label at which the user is permitted to work.

Before You Begin

The home directory server for your Trusted Extensions domain is configured.

1. Choose whether to allow direct login to the server, or whether to run a script.

   • Enable users to log in directly to the home directory server.

     1. Instruct each user to log in to the home directory server.

        After successful login, the user must log out.

     2. Instruct each user to log in again, and this time, to choose a different login label.

        The user uses the label builder to choose a different login label. After successful login, the user must log out.

     3. Instruct each user to repeat the login process for every label that the user is permitted to use.

     4. Instruct the users to log in from their regular workstation.

        Their home directory for their default label is available. When a user changes the label of a session or adds a workspace at a different label, the user's home directory for that label is mounted.

   • Write a script that creates a home directory mount point for every user, and run the script.

     #!/bin/sh # for zoneroot in `/usr/sbin/zoneadm list -p | cut -d ":" -f4` ; do if [ $zoneroot != / ]; then prefix=$zoneroot/root/export for j in `getent passwd|tr ' ' _` ; do uid=`echo $j|cut -d ":" -f3` if [ $uid -ge 100 ]; then gid=`echo $j|cut -d ":" -f4` homedir=`echo $j|cut -d ":" -f6` mkdir -m 711 -p $prefix$homedir chown $uid:$gid $prefix$homedir fi done fi done

     1. From the global zone, run this script on the NFS server.

     2. Then, run this script on every multilevel desktop that the user is going to log in to.

Adding Users and Hosts to an Existing Trusted Network

If you have users who are defined in NIS maps, you can add them to your network.

To add hosts and labels to hosts, see the following procedures:

• To add a host, you use the Computers and Networks tool set in the Solaris Management Console. For details, see How to Add Hosts to the System’s Known Network in Oracle Solaris Trusted Extensions Administrator’s Procedures.

  When you add a host to the LDAP server, add all IP addresses that are associated with the host. All-zones addresses, including addresses for labeled zones, must be added to the LDAP server.

• To label a host, see How to Assign a Security Template to a Host or a Group of Hosts in Oracle Solaris Trusted Extensions Administrator’s Procedures.

Add an NIS User to the LDAP Server

Before You Begin

You must be superuser, in the root role, or in the Primary Administrator role.

1. From the NIS database, gather the information that you need.

   1. Create a file from the user's entry in the aliases database.

      % ypcat -k aliases | grep login-name > aliases.name

   2. Create a file from the user's entry in the passwd database.

      % ypcat -k passwd | grep "Full Name" > passwd.name

   3. Create a file from the user's entry in the auto_home_ database.

      % ypcat -k auto_home | grep login-name > auto_home_label

2. Reformat the information for LDAP and Trusted Extensions.

   1. Use the sed command to reformat the aliases entry.

      % sed 's/ /:/g' aliases.login-name > aliases

   2. Use the nawk command to reformat the passwd entry.

      % nawk -F: '{print $1":x:"$3":"$4":"$5":"$6":"$7}' passwd.name > passwd

   3. Use the nawk command to create a shadow entry.

      % nawk -F: '{print $1":"$2":6445::::::"}' passwd.name > shadow

   4. Use the nawk command to create a user_attr entry.

      % nawk -F: '{print $1"::::lock_after_retries=yes-or-no;profiles=user-profile, ...; labelview=int-or-ext,show-or-hide;min_label=min-label; clearance=max-label;type=normal;roles=role-name,...; auths=auth-name,..."}' passwd.name > user_attr

3. Copy the modified files to the /tmp directory on the LDAP server.

   # cp aliases auto_home_internal passwd shadow user_attr /tmp/name

4. Add the entries in the files in Step 3 to the databases on the LDAP server.

   # /usr/sbin/ldapaddent -D "cn=directory manager" -w DM-password \ -a simple -f /tmp/name/aliases aliases # /usr/sbin/ldapaddent -D "cn=directory manager" -w DM-password \ -a simple -f /tmp/name/auto_home_internal auto_home_internal # /usr/sbin/ldapaddent -D "cn=directory manager" -w DM-password \ -a simple -f /tmp/name/passwd passwd # /usr/sbin/ldapaddent -D "cn=directory manager" -w DM-password \ -a simple -f /tmp/name/shadow shadow # /usr/sbin/ldapaddent -D "cn=directory manager" -w DM-password \ -a simple -f /tmp/name/user_attr user_attr

Example 4–8 Adding a User From an NIS Database to the LDAP Server

In the following example, the administrator adds a new user to the trusted network. The user's information is stored originally in an NIS database. To protect the LDAP server password, the administrator runs the ldapaddent commands on the server.

In Trusted Extensions, the new user can allocate devices and assume the Operator role. Because the user can assume a role, the user account does not get locked out. The user's minimum label is PUBLIC. The label at which the user works is INTERNAL, so jan is added to the auto_home_internal database. The auto_home_internal database automounts jan's home directory with read-write permissions.

• On the LDAP server, the administrator extracts user information from NIS databases.

  # ypcat -k aliases | grep jan.doe > aliases.jan # ypcat passwd | grep "Jan Doe" > passwd.jan # ypcat -k auto_home | grep jan.doe > auto_home_internal

• Then, the administrator reformats the entries for LDAP.

  # sed 's/ /:/g' aliases.jan > aliases # nawk -F: '{print $1":x:"$3":"$4":"$5":"$6":"$7}' passwd.jan > passwd # nawk -F: '{print $1":"$2":6445::::::"}' passwd.jan > shadow

• Then, the administrator creates a user_attr entry for Trusted Extensions.

  # nawk -F: '{print $1"::::lock_after_retries=no;profiles=Media User; labelview=internal,showsl;min_label=0x0002-08-08; clearance=0x0004-08-78;type=normal;roles=oper; auths=solaris.device.allocate"}' passwd.jan > user_attr

• Then, the administrator copies the files to the /tmp/jan directory.

  # cp aliases auto_home_internal passwd shadow user_attr /tmp/jan

• Finally, the administrator populates the server with the files in the /tmp/jan directory.

  # /usr/sbin/ldapaddent -D "cn=directory manager" -w a2b3c4d5e6 \ -a simple -f /tmp/jan/aliases aliases # /usr/sbin/ldapaddent -D "cn=directory manager" -w a2b3c4d5e6 \ -a simple -f /tmp/jan/auto_home_internal auto_home_internal # /usr/sbin/ldapaddent -D "cn=directory manager" -w a2b3c4d5e6 \ -a simple -f /tmp/jan/passwd passwd # /usr/sbin/ldapaddent -D "cn=directory manager" -w a2b3c4d5e6 \ -a simple -f /tmp/jan/shadow shadow # /usr/sbin/ldapaddent -D "cn=directory manager" -w a2b3c4d5e6 \ -a simple -f /tmp/jan/user_attr user_attr

Troubleshooting Your Trusted Extensions Configuration

In Trusted Extensions, the labeled zones communicate with the X server through the global zone. Therefore, the labeled zones must have usable routes to the global zone. Also, options that were selected during a Solaris installation can prevent Trusted Extensions from using interfaces to the global zone.

netservices limited Was Run After Trusted Extensions Was Enabled

Description:

Instead of running the netservices limited command before you enabled Trusted Extensions, you ran the command in the global zone afterwards. Therefore, your labeled zones are unable to connect to the X server in the global zone.

Solution:

Run the following commands to open the services that Trusted Extensions requires to communicate between zones:

# svccfg -s x11-server setprop options/tcp_listen = true # svcadm enable svc:/network/rpc/rstat:default

Cannot Open the Console Window in a Labeled Zone

Description:

When you attempt to open a console window in a labeled zone, the following error appears in a dialog box:

Action:DttermConsole,*,*,*,0 [Error] Action not authorized.

Solution:

Verify that the following two lines are present in each of the zone entries in the /etc/security/exec_attr file:

All Actions:solaris:act:::*;*;*;*;*: All:solaris:act:::*;*;*;*;*:

If these lines are not present, the Trusted Extensions package that adds these entries was not installed in the labeled zones. In this case, re-create the labeled zones. For the procedure, see Creating Labeled Zones.

Labeled Zone Is Unable to Access the X Server

Description:

If a labeled zone cannot successfully access the X server, you might see messages such as the following:

• Action failed. Reconnect to Solaris Zone?

• No route available

• Cannot reach globalzone-hostname:0

Cause:

The labeled zones might not be able to access the X server for any of the following reasons:

• The zone is not initialized and is waiting for the sysidcfg process to complete.

• The labeled zone's host name is not recognized by the naming service that runs in the global zone.

• No interface is specified as all-zones.

• The labeled zone's network interface is down.

• LDAP name lookups fail.

• NFS mounts do not work.

Steps toward a solution:

Do the following:

1. Log in to the zone.

   You can use the zlogin command or the Zone Terminal Console action.

   # zlogin -z zone-name

   If you cannot log in as superuser, use the zlogin -S command to bypass authentication.

2. Verify that the zone is running.

   # zoneadm list

   If a zone has a status of running, the zone is running at least one process.

3. Address any problems that prevent the labeled zones from accessing the X server.

   • Initialize the zone by completing the sysidcfg process.

     Run the sysidcfg program interactively. Answer the prompts in the Zone Terminal Console, or in the terminal window where you ran the zlogin command.

     To run the sysidcfg process noninteractively, you can do one of the following:

     • Specify the Initialize item for the /usr/sbin/txzonemgr script.

       The Initialize item enables you to supply default values to the sysidcfg questions.

     • Write your own sysidcfg script.

       For more information, see the sysidcfg(4) man page.

   • Verify that the X server is available to the zone.

     Log in to the labeled zone. Set the DISPLAY variable to point to the X server, and open a window.

     # DISPLAY=global-zone-hostname:n.n # export DISPLAY # /usr/openwin/bin/xclock

     If a labeled window does not appear, the zone networking has not been configured correctly for that labeled zone.

     ---

     Note –

     If you are running Trusted CDE starting with the Solaris 10 5/09 release, see Resolve Local Zone to Global Zone Routing in Trusted CDE.

     ---

   • Configure the zone's host name with the naming service.

     The zone's local /etc/hosts file is not used. Instead, equivalent information must be specified in the global zone or on the LDAP server. The information must include the IP address of the host name that is assigned to the zone.

   • No interface is specified as all-zones.

     Unless all your zones have IP addresses on the same subnet as the global zone, you might need to configure an all-zones (shared) interface. This configuration enables a labeled zone to connect to the X server of the global zone. If you want to restrict remote connections to the X server of the global zone, you can use vni0 as the all-zones address.

     If you do not want an all-zones interface configured, you must provide a route to the global zone X server for each zone. These routes must be configured in the global zone.

   • The labeled zone's network interface is down.

     # ifconfig -a

     Use the ifconfig command to verify that the labeled zone's network interface is both UP and RUNNING.

   • LDAP name lookups fail.

     Use the ldaplist command to verify that each zone can communicate with the LDAP server or the LDAP proxy server. On the LDAP server, verify that the zone is listed in the tnrhdb database.

   • NFS mounts do not work.

     As superuser, restart automount in the zone. Or, add a crontab entry to run the automount command every five minutes.

Additional Trusted Extensions Configuration Tasks

The following two tasks enable you to transfer exact copies of configuration files to every Trusted Extensions system at your site. The final task enables you to remove Trusted Extensions customizations from a Solaris system.

How to Copy Files to Portable Media in Trusted Extensions

When copying to portable media, label the media with the sensitivity label of the information.

During Trusted Extensions configuration, superuser or an equivalent role copies administrative files to and from portable media. Label the media with Trusted Path.

Before You Begin

To copy administrative files, you must be superuser or in a role in the global zone.

1. Allocate the appropriate device.

   Use the Device Allocation Manager, and insert clean media.  For details, see How to Allocate a Device in Trusted Extensions in Oracle Solaris Trusted Extensions User’s Guide.

   • In Solaris Trusted Extensions (CDE), a File Manager displays the contents of the portable media.

   • In Solaris Trusted Extensions (JDS), a File Browser displays the contents.

   In this procedure, File Browser is used to refer to this GUI.

2. Open a second File Browser.

3. Navigate to the folder that contains the files to be copied

   For example, you might have copied files to an /export/clientfiles folder.

4. For each file, do the following:

   1. Highlight the icon for the file.

   2. Drag the file to the File Browser for the portable media.

5. Deallocate the device.

   For details, see How to Deallocate a Device in Trusted Extensions in Oracle Solaris Trusted Extensions User’s Guide.

6. On the File Browser for the portable media, choose Eject from the File menu.

   ---

   Note –

   Remember to physically affix a label to the media with the sensitivity label of the copied files.

   ---

Example 4–9 Keeping Configuration Files Identical on All Systems

The system administrator wants to ensure that every machine is configured with the same settings. So, on the first machine that is configured, she creates a directory that cannot be deleted between reboots. In that directory, the administrator places the files that should be identical or very similar on all systems.

For example, she copies the Trusted Extensions toolbox that the Solaris Management Console uses for the LDAP scope, /var/sadm/smc/toolboxes/tsol_ldap/tsol_ldap.tbx. She has customized remote host templates in the tnrhtp file, has a list of DNS servers, and audit configuration files. She also modified the policy.conf file for her site. So, she copies the files to the permanent directory.

# mkdir /export/commonfiles
# cp  /etc/security/policy.conf \
/etc/security/audit_control \
/etc/security/audit_startup \
/etc/security/tsol/tnrhtp \
/etc/resolv.conf \
/etc/nsswitch.conf \
/export/commonfiles

She uses the Device Allocation Manager to allocate a diskette in the global zone, and transfers the files to the diskette. On a separate diskette, labeled ADMIN_HIGH, she puts the label_encodings file for the site.

When she copies the files onto a system, she modifies the dir: entries in the /etc/security/audit_control file for that system.

How to Copy Files From Portable Media in Trusted Extensions

It is safe practice to rename the original Trusted Extensions file before replacing the file. When configuring a system, the root role renames and copies administrative files.

Before You Begin

To copy administrative files, you must be superuser or in a role in the global zone.

1. Allocate the appropriate device.

   For details, see How to Allocate a Device in Trusted Extensions in Oracle Solaris Trusted Extensions User’s Guide.

   • In Solaris Trusted Extensions (CDE), a File Manager displays the contents of the portable media.

   • In Solaris Trusted Extensions (JDS), a File Browser displays the contents.

   In this procedure, File Browser is used to refer to this GUI.

2. Insert the media that contains the administrative files.

3. If the system has a file of the same name, copy the original file to a new name.

   For example, add .orig to the end of the original file:

   # cp /etc/security/tsol/tnrhtp /etc/security/tsol/tnrhtp.orig

4. Open a File Browser.

5. Navigate to the desired destination directory, such as /etc/security/tsol

6. For each file that you want to copy, do the following:

   1. In the File Browser for the mounted media, highlight the icon for the file.

   2. Then, drag the file to the destination directory in the second File Browser.

7. Deallocate the device.

   For details, see How to Deallocate a Device in Trusted Extensions in Oracle Solaris Trusted Extensions User’s Guide.

8. When prompted, eject and remove the media.

Example 4–10 Loading Audit Configuration Files in Trusted Extensions

In this example, roles are not yet configured on the system. The root user needs to copy configuration files to portable media. The contents of the media will then be copied to other systems. These files are to be copied to each system that is configured with Trusted Extensions software.

The root user allocates the floppy_0 device in the Device Allocation Manager and responds yes to the mount query. Then, the root user inserts the diskette with the configuration files and copies them to the disk. The diskette is labeled Trusted Path.

To read from the media, the root user allocates the device on the receiving host, then downloads the contents.

If the configuration files are on a tape, the root user allocates the mag_0 device. If the configuration files are on a CD-ROM, the root user allocates the cdrom_0 device.

How to Remove Trusted Extensions From the System

To remove Trusted Extensions from your Solaris system, you perform specific steps to remove Trusted Extensions customizations to the Solaris system.

1. As in the Solaris OS, archive any data in the labeled zones that you want to keep.

2. Remove the labeled zones from the system.

   For details, see How to Remove a Non-Global Zone in System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones.

3. Disable the Trusted Extensions service.

   # svcadm disable labeld

4. Run the bsmunconv command.

   For the effect of this command, see the bsmunconv(1M) man page.

5. (Optional) Reboot the system.

6. Configure the system.

   Various services might need to be configured for your Solaris system. Candidates include auditing, basic networking, naming services, and file system mounts.