Oracle Solaris Trusted Extensions Configuration and Administration (Oracle Solaris 11 Express 11/10)
Backing Up, Sharing, and Mounting Labeled Files (Task Map)

The following task map describes common tasks that are used to back up and restore data from labeled file systems, and to share and mount directories and files that are labeled.

Task: Back up files.
Description: Protects your data by backing it up.
For Instructions: How to Back Up Files in Trusted Extensions

Task: Restore data.
Description: Restores data from a backup.
For Instructions: How to Restore Files in Trusted Extensions

Task: Share the contents of a directory from a labeled zone.
Description: Allows the contents of a labeled directory to be shared among users.
For Instructions: How to Share Directories From a Labeled Zone

Task: Mount the contents of a directory that was shared by a labeled zone.
Description: Allows the contents of a directory to be mounted in a zone at the same label for read/write. When a higher-level zone mounts the shared directory, the directory is mounted read-only.
For Instructions: How to NFS Mount Files in a Labeled Zone

Task: Create home directory mount points.
Description: Creates mount points for every user at every label. This task enables users to access their home directory on a system that is not the NFS home directory server.

Task: Hide lower-level information from a user who is working at a higher label.
Description: Prevents the viewing of lower-level information from a higher-level window.

Task: Troubleshoot file system mounting problems.
Description: Resolves problems with mounting a file system.
For Instructions: How to Troubleshoot Mount Failures in Trusted Extensions

How to Back Up Files in Trusted Extensions

  1. Assume the Operator role.

    This role includes the Media Backup rights profile.

  2. Use one of the following backup methods:
    • /usr/lib/fs/ufs/ufsdump for major backups

    • /usr/sbin/tar cT for small backups

    • A script calling either of these commands

      For example, the Budtool backup application calls the ufsdump command. See the ufsdump(1M) man page. For details on the T option to the tar command, see the tar(1) man page.

How to Restore Files in Trusted Extensions

  1. Assume the System Administrator role.

    This role includes the Media Restore rights profile.

  2. Use one of the following methods:
    • /usr/lib/fs/ufs/ufsrestore for major restores

    • /usr/sbin/tar xT for small restores

    • A script calling either of these commands

    For details on the T option to the tar command, see the tar(1) man page.

    Caution - Only these commands preserve labels.


How to Share Directories From a Labeled Zone


Note - This procedure and examples are for UFS file systems.


To mount or share directories that originate in labeled zones, create a dfstab file at the label of the zone, and then restart the zone to share the labeled directories.

Caution - Do not use proprietary names for shared file systems. The names of shared file systems are visible to every user.


Before You Begin

You must be superuser, or in the System Administrator role in the global zone on the file server.

  1. Create a workspace at the label of the directory that is going to be shared.

    For details, see How to Add a Workspace at Your Minimum Label in Oracle Solaris Trusted Extensions User Guide.

  2. Create a dfstab file at the label of that zone.

    For each zone that will share a directory, repeat the following steps:

    1. Create the /etc/dfs directory in the zone.
      # mkdir -p /zone/zone-name/etc/dfs
    2. In an editor, open the dfstab file by typing the full pathname.
      # vi /zone/zone-name/etc/dfs/dfstab
    3. Add an entry to share a directory from that zone.

      The entry describes the directory from the perspective of the zone root path. For example, the following entry shares an application's files at the label of the containing zone:

      share -F nfs -o ro /viewdir/viewfiles
  3. For each zone, share the directories by starting the zone.

    In the global zone, run one of the following commands for each zone. Each zone can share its directories in any of these ways. The actual sharing occurs when each zone is brought into the ready or running state.

    • If the zone is not in the running state and you do not want users to log in to the server at the label of the zone, set the zone state to ready.
      # zoneadm -z zone-name ready
    • If the zone is not in the running state and users are allowed to log in to the server at the label of the zone, boot the zone.
      # zoneadm -z zone-name boot
    • If the zone is already running, reboot the zone.
      # zoneadm -z zone-name reboot
  4. Display the directories that are shared from your system.
    # showmount -e
  5. To enable the client to mount the exported files, see How to NFS Mount Files in a Labeled Zone.

Example 17-2 Sharing the /export/share Directory at the PUBLIC Label

For applications that run at the label PUBLIC, the system administrator enables users to read the documentation in the /export/share directory of the public zone. The zone named public runs at the label PUBLIC.

First, the administrator creates a public workspace and edits the dfstab file.

# mkdir -p /zone/public/etc/dfs
# vi /zone/public/etc/dfs/dfstab

In the file, the administrator adds the following entry:

## Sharing PUBLIC user manuals
share -F nfs -o ro /export/appdocs

The administrator leaves the public workspace and returns to the Trusted Path workspace. Because users are not allowed to log in to this system, the administrator shares the files by putting the zone in the ready state:

# zoneadm -z public ready

Users can access the shared directories once the directories are mounted on the users' systems.

How to NFS Mount Files in a Labeled Zone


Note - This procedure and examples are for UFS file systems.


In Trusted Extensions, a labeled zone manages the mounting of files in its zone.

Files from unlabeled and labeled hosts can be mounted on a Trusted Extensions labeled host.

Trusted Extensions uses the same mounting interfaces as the Oracle Solaris OS:

Before You Begin

You must be on the client system, in the zone at the label of the files that you want to mount. Unless you are using the automounter, you must be superuser, or be in the System Administrator role. To mount from lower-level servers, the zone must be configured with the net_mac_aware privilege.

Example 17-3 Mounting Files in a Labeled Zone by Using the mount Command

In this example, the system administrator mounts a remote file system from a public zone. The public zone is on a multilevel server.

After assuming the System Administrator role, the administrator creates a workspace at the label PUBLIC. In that workspace, the administrator runs the mount command.

# zonename
public
# mount -F nfs remote-sys:/zone/public/root/opt/docs /opt/docs

A single-label file server at the label PUBLIC also contains documents to be mounted:

# mount -F nfs public-sys:/publicdocs /opt/publicdocs

When the public zone of the remote-sys file server is in the ready or running state, the remote-sys files successfully mount on this system. When the public-sys file server is running, the files successfully mount.

Example 17-4 Mounting Files Read/Write in a Labeled Zone by Modifying the vfstab File

In this example, the system administrator mounts two remote file systems at the label PUBLIC in the local system's public zone when the public zone boots. One file system mount is from a multilevel system, and one file system mount is from a single-label system.

After assuming the System Administrator role, the administrator creates a workspace at the label PUBLIC. In that workspace, the administrator modifies the vfstab file in that zone.

## Writable books directories at PUBLIC
remote-sys:/zone/public/root/opt/docs  - /opt/docs  nfs  no  yes  rw
public-sys:/publicdocs    - /opt/publicdocs  nfs no yes rw

To access the files in the remote labeled zone of the multilevel system, the vfstab entry uses the zone root path of the remote system's public zone, /zone/public/root, as the directory pathname to the directories to mount. The path to the single-label system is identical to the path that would be used on an Oracle Solaris system.

In a terminal window at the label PUBLIC, the administrator mounts the files.

# mountall

Example 17-5 Mounting Lower-Level Files in a Labeled Zone by Modifying the vfstab File

In this example, the system administrator mounts a remote file system from a public zone in the local system's internal zone. After assuming the System Administrator role, the administrator creates a workspace at the label INTERNAL, then modifies the vfstab file in that zone.

## Readable books directory at PUBLIC
## ro entry indicates that PUBLIC docs can never be mounted rw in internal zone
remote-sys:/zone/public/root/opt/docs  - /opt/docs  nfs  no  yes  ro

To access the files in the remote labeled zone, the vfstab entry uses the zone root path of the remote system's public zone, /zone/public/root, as the directory pathname to the directories to mount.

From the perspective of a user in the internal zone, the files can be accessed at /opt/docs.

In a terminal window at the label INTERNAL, the administrator mounts the files.

# mountall

Example 17-6 Mounting a Lower-Level Home Directory on a System That Is Administered by Using Files

In this example, the system administrator enables users to access their home directories at every label. The labels at the site are PUBLIC, INTERNAL, and NEEDTOKNOW. This site uses two home directory servers, and is administered by using files. The second server contains the home directories for the users jdoe and pkai.

To accomplish this task, the system administrator defines the public zone NFS home directories in the public zone, and shares this configuration with the internal and needtoknow zones.

First, after assuming the System Administrator role, the administrator creates a workspace at the label PUBLIC. In this workspace, the administrator creates a new file, /export/home/auto_home_public. This file contains all the customized per-user NFS specification entries.

## /export/home/auto_home_public file at PUBLIC label
jdoe homedir2-server:/export/home/jdoe
pkai homedir2-server:/export/home/pkai
* homedir-server:/export/home/&

Second, the administrator modifies the /etc/auto_home_public file to point to this new file.

## /etc/auto_home_public file in the public zone
## Use /export/home/auto_home_public for the user entries
## +auto_home_public
+ /export/home/auto_home_public

This entry directs the automounter to use the contents of the local file.

Third, the administrator similarly modifies the /etc/auto_home_public file in the internal and needtoknow zones. The administrator uses the pathname to the public zone that is visible to the internal and needtoknow zones.

## /etc/auto_home_public file in the internal zone
## Use /zone/public/export/home/auto_home_public for PUBLIC user home dirs
## +auto_home_public
+ /zone/public/export/home/auto_home_public
## /etc/auto_home_public file in the needtoknow zone
## Use /zone/public/export/home/auto_home_public for PUBLIC user home dirs
## +auto_home_public
+ /zone/public/export/home/auto_home_public

When the administrator adds the new user ikuk, the addition is made to the /export/home/auto_home_public file at the PUBLIC label.

## /export/home/auto_home_public file at PUBLIC label
jdoe   homedir2-server:/export/home/jdoe
pkai   homedir2-server:/export/home/pkai
ikuk homedir2-server:/export/home/ikuk
*      homedir-server:/export/home/&

The higher-level zones read down to obtain the per-user home directories from the lower-level public zone.
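As an added example that is not part of this guide, the following POSIX shell script resolves a user's home directory the way the indirect auto_home map in Example 17-6 is read: a "+" line includes another map at that point, an exact key wins, and the "*" entry matches any key and substitutes it for "&". The map files, the temporary directory and the internal-zone map that reads down through the public zone root path are constructed for this example only.

```shell
# Added example, not from the Oracle guide. Resolves a user's home directory the
# way the indirect automounter map of Example 17-6 is read: a "+" line includes
# another map at that point, an exact key wins, and "*" matches any key and
# substitutes it for "&". Map files are constructed in a temporary directory.
MAPDIR=$(mktemp -d)
mkdir -p "$MAPDIR/zone/public/export/home"

# Constructed per-user map kept at the PUBLIC label, before ikuk is added.
cat >"$MAPDIR/zone/public/export/home/auto_home_public" <<'EOF'
jdoe homedir2-server:/export/home/jdoe
pkai homedir2-server:/export/home/pkai
* homedir-server:/export/home/&
EOF
# Constructed /etc/auto_home_public of the internal zone: it reads down into the
# public zone's map through the zone root path, as the guide shows.
cat >"$MAPDIR/auto_home_public.internal" <<EOF
## +auto_home_public
+ $MAPDIR/zone/public/export/home/auto_home_public
EOF

# resolve_home USER MAPFILE -> "server:/path"; exit status 1 if nothing matches
resolve_home() {
  user=$1
  while read -r key loc; do
    case "$key" in
      ''|'#'*) continue ;;                 # blank line or comment
      '+')     inc=$loc ;;                 # "+ file" (spelling used in the guide)
      +*)      inc=${key#+} ;;             # "+file"
      "$user") echo "$loc"; return 0 ;;    # explicit per-user entry
      '*')     echo "$loc" | sed "s|&|$user|g"; return 0 ;;   # wildcard: & -> key
      *)       continue ;;                 # entry for another user
    esac
    # Only reached for an include: search the included map from this point.
    hit=$(resolve_home "$user" "$inc") || true
    if [ -n "$hit" ]; then echo "$hit"; return 0; fi
  done <"$2"
  return 1
}

# Seen from the internal zone: explicit entries win, ikuk falls through to "*".
resolve_home jdoe "$MAPDIR/auto_home_public.internal"   # homedir2-server:/export/home/jdoe
resolve_home ikuk "$MAPDIR/auto_home_public.internal"   # homedir-server:/export/home/ikuk
```

An explicit ikuk entry inserted ahead of the "*" line, as the guide does, then takes precedence; a line appended after "*" is never reached because the wildcard already matches every key.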

How to Troubleshoot Mount Failures in Trusted Extensions

Before You Begin

You must be in the zone at the label of the files that you want to mount. You must be the superuser, or in the System Administrator role.

  1. Check the security attributes of the NFS server.
    1. In the tnrhdb database, locate the IP address of the NFS server, or a range of IP addresses that includes the server.

      The address might be directly assigned, or indirectly assigned through a wildcard mechanism. The address can be in a labeled template, or in an unlabeled template.

    2. Check the label that the template assigns to the NFS server.

      The label must be consistent with the label at which you are trying to mount the files.

  2. Check the label of the current zone.

    If the label is higher than the label of the mounted file system, then you cannot write to the mount even if the remote file system is exported with read/write permissions. You can only write to the mounted file system at the label of the mount.

  3. To mount file systems from an NFS server that is running earlier versions of Trusted Solaris software, do the following:
    • For a Trusted Solaris 1 NFS server, use the vers=2 and proto=udp options to the mount command.
    • For a Trusted Solaris 2.5.1 NFS server, use the vers=2 and proto=udp options to the mount command.
    • For a Trusted Solaris 8 NFS server, use the vers=3 and proto=udp options to the mount command.

    To mount file systems from any of these servers, the server must be assigned to an unlabeled template.
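As an added example that is not part of this guide, the following POSIX shell script applies the label rule from Examples 17-4 and 17-5 and from step 2 above to vfstab entries before they are used: an entry at the zone's own label may be rw, an entry read down from a lower-level zone must be ro. It assumes, for this example only, that zone names equal their lower-cased labels (as with the public zone), that the labels PUBLIC, INTERNAL and NEEDTOKNOW form a total order from low to high, and that a small constructed host-to-label table stands in for the tnrhdb template lookup of step 1.

```shell
# Added example, not from the Oracle guide. Checks a labeled zone's vfstab entries
# against the rule stated in Examples 17-4 and 17-5 and troubleshooting step 2:
# a mount at the zone's own label may be rw; a mount read down from a lower
# label must be ro. The label ordering and host table below are constructed.

# Stand-in for the tnrhdb template lookup of troubleshooting step 1 (assumed).
tnrhdb_label() {
  case "$1" in
    public-sys)   echo PUBLIC ;;
    internal-sys) echo INTERNAL ;;
    *)            echo UNKNOWN ;;
  esac
}

# Site labels from Example 17-6, assumed to be a total order, low to high.
label_rank() {
  case "$1" in
    PUBLIC) echo 1 ;; INTERNAL) echo 2 ;; NEEDTOKNOW) echo 3 ;; *) echo 0 ;;
  esac
}

# Label of "host:path". A /zone/<name>/root/... path names a labeled zone on a
# multilevel server (assumed: zone name = lower-cased label); else use tnrhdb_label.
remote_label() {
  host=${1%%:*}; rpath=${1#*:}
  case "$rpath" in
    /zone/*/root/*) z=${rpath#/zone/}; echo "${z%%/*}" | tr a-z A-Z ;;
    *)              tnrhdb_label "$host" ;;
  esac
}

# check_entry ZONE_LABEL 'vfstab line' -> OK | MUST_BE_RO | NOT_DOMINATED | UNKNOWN_LABEL
check_entry() {
  zl=$1; set -- $2                  # split the vfstab line into its seven fields
  special=$1; opts=$7               # device-to-mount and mount options
  rr=$(label_rank "$(remote_label "$special")"); zr=$(label_rank "$zl")
  if [ "$rr" -eq 0 ]; then echo UNKNOWN_LABEL         # server not in tnrhdb: fix step 1
  elif [ "$zr" -gt "$rr" ]; then                      # read-down: never writable
    case ",$opts," in *,rw,*) echo MUST_BE_RO ;; *) echo OK ;; esac
  elif [ "$zr" -lt "$rr" ]; then echo NOT_DOMINATED   # server label is above the zone
  else echo OK                                        # same label: rw is allowed
  fi
}

# Constructed lines from Examples 17-4 and 17-5, checked from the INTERNAL and PUBLIC zones.
check_entry INTERNAL 'remote-sys:/zone/public/root/opt/docs  - /opt/docs  nfs  no  yes  ro'  # OK
check_entry INTERNAL 'remote-sys:/zone/public/root/opt/docs  - /opt/docs  nfs  no  yes  rw'  # MUST_BE_RO
check_entry PUBLIC   'public-sys:/publicdocs  - /opt/publicdocs  nfs  no  yes  rw'           # OK
```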