Solaris Trusted Extensions Transition Guide

Zones in Trusted Extensions

Trusted Extensions uses zones for labeling. The global zone is an administrative zone, so is not available to users. The global zone is multilevel. The networking label of the global zone is ADMIN_LOW, but its process label is ADMIN_HIGH. Files that are private to the global zone are also labeled ADMIN_HIGH. Files that are shared with all zones are labeled ADMIN_LOW.

Each non-global zone has a unique label. Non-global zones are called labeled zones. Labeled zones are available to ordinary users. The global zone is available to roles only.

The Trusted Extensions policy for zones is different from Solaris policy. Trusted Extensions does not require a separate IP address per zone. However, all zones must have a single naming service. A single naming service provides all zones with a single set of users, UIDs, and GIDs.

Network communication is restricted by label. By default, zones cannot communicate with each other because their labels are different. The /export directory of a zone can be read by any zone whose label dominates the label of the /export directory.

Only system processes and roles are allowed to execute in the global zone. In certain cases, privileged processes in the global zone can be exempt from aspects of MAC policy. For example, system processes and roles that have the file_dac_search privilege and the file_dac_read privilege can access files which belong to labeled zones.