Oracle Solaris Trusted Extensions Configuration and Administration, Oracle Solaris 11 Express 11/10
The instructions in this section configure labeled zones on a system that has been assigned at most two IP addresses. For other configurations, see the configuration options in Planning for Multilevel Access.
This task map describes and links to the tasks that configure labeled zones.
This procedure creates a working Trusted Extensions system with two labeled zones. The system is not networked to another system.
You have completed Reboot and Log In to Trusted Extensions. You have assumed the root role.
# man txzonemgr
# /usr/sbin/txzonemgr -c
This command copies the Oracle Solaris OS and Trusted Extensions software to a zone, creates a snapshot of the zone, labels the original zone, then uses the snapshot to create a second labeled zone. The first labeled zone is based on the value of Default User Sensitivity Label in the label_encodings file. The second labeled zone is based on the value of Default User Clearance in the label_encodings file. This step can take about 20 minutes.
The root password for the labeled zones will be identical to the password for the global zone.
You do not have to create a zone for every label in your label_encodings file, but you can. The administrative GUIs enumerate the labels that can have zones created for them on this system. In this procedure, you create two labeled zones.
You have completed Reboot and Log In to Trusted Extensions. You have assumed the root role.
You have not created a zone yet.
# txzonemgr &
The script opens the Labeled Zone Manager dialog box. This zenity dialog box prompts you for the appropriate tasks, depending on the current state of your configuration.
To perform a task, you select the menu item, then press the Return key or click OK. When you are prompted for text, type the text then press the Return key or click OK.
Tip - To view the current state of zone completion, click Return to Main Menu in the Labeled Zone Manager.
Do you want to create the public zone using default settings?
If you accept the default settings, the system creates the PUBLIC zone for the minimum label in your label_encodings file. After the public zone is created, another terminal window appears. Its title is Zone Terminal Console: public. The public zone boots, initializes, and then prompts for the root password. Continue with Step 3.
If you do not accept the default settings, the system steps you through zone creation. Follow the prompts. After the zone is created, another terminal window appears. Its title is Zone Terminal Console: zonename. The zone boots, initializes, and then prompts for the root password.
The zone reboots.
The Labeled Zone Manager dialog box displays the state and options for the public zone.
In the Zone Terminal Console window, a notice appears: Notice: Zone Halted
The Enter Zone Name: prompt appears.
Note - During automatic zone creation, the system takes the label from the Default User Clearance in your label_encodings file.
A one-item list for the new zone appears.
snapshot is the only item in the list.
Example 4-2 Creating Another Labeled Zone
The administrator wants to create a restricted zone from the default label_encodings file.
First, the administrator opens the txzonemgr script in interactive mode.
# txzonemgr &
Then, the administrator navigates to the global zone and names the new zone internal.
Create a new zone:internal
Then, the administrator applies the correct label.
Select label:INTERNAL
From the list, the administrator chooses to Clone ..., and chooses snapshot as the template for the new zone.
After the internal zone is available, the administrator chooses Boot.
This procedure creates two labeled workspaces and opens a labeled window in each labeled workspace. When this task is completed, you have a working, non-networked Trusted Extensions system.
You have completed one of Create a Default Trusted Extensions System or Create Labeled Zones Interactively.
If you are using a site-specific label_encodings file, you are creating a workspace from the value of Default Minimum Label.
You are on the public desktop.
The window is labeled PUBLIC.
If you are using a site-specific label_encodings file, you are creating a workspace from the value of Default User Clearance.
You are on the needtoknow desktop.
The window is labeled CONFIDENTIAL : NEED TO KNOW.
If you plan to communicate with other systems, go to Configure the Network Interfaces in Trusted Extensions. The default setup has completed the steps to connect the labeled zones to the global zone.
Your Trusted Extensions system works without networking. Perform this task if you want to communicate with other systems on a network.
The default configuration enables multilevel services in the global zone, such as the X server, to be used by the labeled zones over a shared, all-zones interface. This shared interface routes traffic between the labeled zones and the global zone. By default, the all-zones interface is a physical interface, such as bge0 or igb0.
You have three other options by which services in the global zone can be used by labeled zones.
First, for a system with more than one IP address, external traffic can arrive on the physical interface. This external traffic is routed to the labeled zones if the traffic is at the label of the zone. The shared interface is a logical interface. Multilevel services in the global zone, such as the X server, are used by the labeled zones over the shared interface. You must create the logical interface
Second, on a system where each zone is assigned an IP address, you must manually create routes from each labeled zone to its labeled zone counterparts on other systems.
To add zone-specific network interfaces, finish and verify zone creation before adding the interfaces. For the procedure, see Add a Network Interface to Route an Existing Labeled Zone.
Third, on a DHCP system that is connecting with a provider,
The public zone is halted.
The Labeled Zone Manager is displayed. To open this GUI, see Create Labeled Zones Interactively.
From the public zone options list, you have clicked Select another zone...
A list of interfaces is displayed. Look for an interface that is listed with the following characteristics:
Type of physical
IP address of your hostname
Template of cipso
State of Up
For LDAP, this procedure establishes the naming service configuration for the global zone. If you are not using LDAP, you can skip this procedure.
Use the txzonemgr script.
Note - If you plan to set up a name server in each labeled zone, you are responsible for establishing the LDAP client connection to each labeled zone.
The Sun Java System Directory Server, that is, the LDAP server, must exist. The server must be populated with Trusted Extensions databases, and this system must be able to contact the server. So, the system that you are configuring must have an entry in the tnrhdb database on the LDAP server, or this system must be included in a wildcard entry before you perform this procedure.
If an LDAP server that is configured with Trusted Extensions does not exist, you must complete the procedures in Chapter 5, Configuring LDAP for Trusted Extensions (Tasks) before you perform this procedure.
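The prerequisite above says that the system being configured must match an entry, or a wildcard entry, in the tnrhdb that the LDAP server serves. The following script is an added example, not from the Oracle documentation, that checks this ahead of time against a copy of the tnrhdb contents. It assumes the entry format address[/prefix]:template; an entry without a /prefix is treated as a host entry unless it has trailing zero octets, which the older wildcard form uses (so 0.0.0.0 matches every address). The function names and the sample tnrhdb contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not Oracle's code: does this host match an entry in tnrhdb?
# Entry format assumed: address[/prefix]:template. An entry without /prefix is a
# host entry unless it has trailing zero octets (legacy wildcard form, assumed).

# ip2int A.B.C.D -> unsigned 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 ))
}

# implied_prefix A.B.C.D -> prefix length implied by trailing zero octets
implied_prefix() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    if   [ "$4" -ne 0 ]; then echo 32
    elif [ "$3" -ne 0 ]; then echo 24
    elif [ "$2" -ne 0 ]; then echo 16
    elif [ "$1" -ne 0 ]; then echo 8
    else echo 0
    fi
}

# netmask PREFIX -> integer mask for that prefix length
netmask() {
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( 4294967295 - ((1 << (32 - $1)) - 1) ))
}

# tnrhdb_template IP TNRHDB: print the template of the most specific entry
# (longest prefix) that covers IP; print nothing if no entry covers it.
tnrhdb_template() {
    ip=$(ip2int "$1")
    # drop comments and blank lines, squeeze whitespace, then walk the entries
    printf '%s\n' "$2" | sed 's/#.*//; /^[[:space:]]*$/d; s/[[:space:]]//g' | {
        best_len=-1; best_tmpl=""
        while read -r entry; do
            addr=${entry%%:*}; tmpl=${entry#*:}
            case $addr in
                */*) net=${addr%/*}; len=${addr#*/} ;;
                *)   net=$addr; len=$(implied_prefix "$addr") ;;
            esac
            mask=$(netmask "$len")
            if [ $(( ip & mask )) -eq $(( $(ip2int "$net") & mask )) ] \
               && [ "$len" -gt "$best_len" ]; then
                best_len=$len; best_tmpl=$tmpl
            fi
        done
        printf '%s\n' "$best_tmpl"
    }
}

# Constructed sample of what the LDAP server would serve for tnrhdb.
TNRHDB_SAMPLE='# constructed sample tnrhdb
127.0.0.1:cipso
10.1.1.2:cipso            # the LDAP server itself
192.168.120.0/24:cipso    # labeled hosts on the trusted LAN
10.8.0.0:cipso            # legacy wildcard form, /16 implied
0.0.0.0:admin_low         # wildcard: every other host is unlabeled'

# Constructed sample with no wildcard: unlisted hosts have no template at all.
TNRHDB_NO_WILDCARD='127.0.0.1:cipso
192.168.120.0/24:cipso'

for host in 10.1.1.2 192.168.120.7 10.8.3.4 172.16.0.9; do
    t=$(tnrhdb_template "$host" "$TNRHDB_SAMPLE")
    printf '%-15s %s\n' "$host" "${t:-NO ENTRY (prerequisite not met)}"
done
```

Run it with the real tnrhdb contents, for example tnrhdb_template "$(hostname -i 2>/dev/null || echo your-ip)" "$(cat copy-of-tnrhdb)", before the Create LDAP Client step; an empty result means the host falls outside every entry, and a result of admin_low means it would be treated as an unlabeled host rather than a CIPSO peer.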
The standard naming service switch file for LDAP is too restrictive for Trusted Extensions.
# cd /etc
# cp nsswitch.ldap nsswitch.ldap.orig
The correct entries are similar to the following:
hosts: files dns ldap
ipnodes: files dns ldap
networks: ldap files
protocols: ldap files
rpc: ldap files
ethers: ldap files
netmasks: ldap files
bootparams: ldap files
publickey: ldap files
services: files
Note that Trusted Extensions adds two entries:
tnrhtp: files ldap
tnrhdb: files ldap
# cp nsswitch.ldap nsswitch.conf
The Create LDAP Client menu item configures the global zone only.
The title of the dialog box is Labeled Zone Manager.
Enter Domain Name: Type the domain name
Enter Hostname of LDAP Server: Type the name of the server
Enter IP Address of LDAP Server servername: Type the IP address
Enter LDAP Proxy Password: Type the password to the server
Confirm LDAP Proxy Password: Retype the password to the server
Enter LDAP Profile Name: Type the profile name
Proceed to create LDAP Client?
When you confirm, the txzonemgr script adds the LDAP client. Then, a window displays the command output.
# ldapclient -v mod -a enableShadowUpdate=TRUE \
> -a adminDN=cn=admin,ou=profile,dc=domain,dc=suffix
System successfully configured
The txzonemgr script runs the ldapclient init command only. In Trusted Extensions, you must also modify an initialized LDAP client to enable shadow updates.
# ldapclient list
The output looks similar to the following:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=domain-name
...
NS_LDAP_BIND_TIME= number
If you get an error, create the LDAP client again and supply the correct values. For example, the following error can indicate that the system does not have an entry on the LDAP server:
LDAP ERROR (91): Can't connect to the LDAP server.
Failed to find defaultSearchBase for domain domain-name
To correct this error, you need to check the LDAP server.
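Two settings in this procedure are easy to get wrong and silently weaken the configuration: the nsswitch.conf entries (hosts and ipnodes must list files, dns and ldap, and the tnrhtp and tnrhdb entries must be present with files and ldap), and the shadow-update modification that txzonemgr does not perform. The script below is an added example, not from the Oracle documentation, that verifies both after the fact. It assumes that ldapclient list reports the enableShadowUpdate attribute as a line of the form NS_LDAP_ENABLE_SHADOW_UPDATE= TRUE; the function names and the sample nsswitch.conf and ldapclient list contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not Oracle's code: verify the nsswitch.conf edits and the
# shadow-update setting that this procedure requires. On a live system:
#   nsswitch_missing "$(cat /etc/nsswitch.conf)"
#   shadow_update_enabled "$(ldapclient list)" && echo "shadow updates on"

# nsswitch_sources DB CONF: print the source list configured for DB in CONF,
# with any trailing comment removed (prints nothing if DB is absent).
nsswitch_sources() {
    printf '%s\n' "$2" |
        awk -v key="$1:" '$1 == key { $1 = ""; sub(/#.*/, ""); print; exit }'
}

# nsswitch_has CONF DB SOURCE...: succeed if every SOURCE is listed for DB.
nsswitch_has() {
    conf=$1; db=$2; shift 2
    sources=$(nsswitch_sources "$db" "$conf")
    [ -n "$sources" ] || return 1
    for want in "$@"; do
        case " $sources " in
            *" $want "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# nsswitch_missing CONF: print, space separated, the databases whose entry is
# absent or lacks a source the procedure requires. Empty output means OK.
nsswitch_missing() {
    missing=""
    for spec in "hosts:files dns ldap" "ipnodes:files dns ldap" \
                "tnrhtp:files ldap" "tnrhdb:files ldap"; do
        db=${spec%%:*}
        nsswitch_has "$1" "$db" ${spec#*:} || missing="$missing $db"
    done
    printf '%s\n' "${missing# }"
}

# shadow_update_enabled LIST: LIST is the output of "ldapclient list". Succeed
# only if shadow updates are on. The key NS_LDAP_ENABLE_SHADOW_UPDATE is assumed
# to be how ldapclient reports the enableShadowUpdate attribute.
shadow_update_enabled() {
    value=$(printf '%s\n' "$1" |
        awk '$1 == "NS_LDAP_ENABLE_SHADOW_UPDATE=" { print $2; exit }')
    [ "$value" = "TRUE" ]
}

# Constructed sample: a stock-style nsswitch.ldap, which lacks dns on hosts and
# ipnodes and has no usable tnrhtp/tnrhdb entries.
NSSWITCH_STOCK='hosts:      ldap [NOTFOUND=return] files
ipnodes:    ldap [NOTFOUND=return] files
networks:   ldap [NOTFOUND=return] files
tnrhtp:     files'

# Constructed sample: the file after the edits in this procedure.
NSSWITCH_TX='hosts:      files dns ldap
ipnodes:    files dns ldap
networks:   ldap files
tnrhtp:     files ldap   # added for Trusted Extensions
tnrhdb:     files ldap'

# Constructed samples of "ldapclient list" output after "ldapclient init" alone
# and after the "ldapclient mod -a enableShadowUpdate=TRUE" step.
LDAP_INIT_ONLY='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com
NS_LDAP_SERVERS= 10.1.1.2
NS_LDAP_ENABLE_SHADOW_UPDATE= FALSE
NS_LDAP_BIND_TIME= 10'
LDAP_SHADOW='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com
NS_LDAP_SERVERS= 10.1.1.2
NS_LDAP_ENABLE_SHADOW_UPDATE= TRUE
NS_LDAP_BIND_TIME= 10'

# report NAME CONF LIST: one-line summary for an (nsswitch, ldapclient) pair
report() {
    m=$(nsswitch_missing "$2")
    if shadow_update_enabled "$3"; then s="enabled"; else s="DISABLED"; fi
    printf '%s: nsswitch problems [%s], shadow update %s\n' "$1" "$m" "$s"
}

report "before" "$NSSWITCH_STOCK" "$LDAP_INIT_ONLY"
report "after"  "$NSSWITCH_TX"    "$LDAP_SHADOW"
```

The source check is a plain membership test on the token list, so ordering and extra tokens such as [NOTFOUND=return] do not matter; what matters is that each required source is present at all, which is exactly what the stock nsswitch.ldap fails on.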
Example 4-3 Using Host Names After Loading a resolv.conf File
In this example, the administrator wants a particular set of DNS servers to be available to the system. The administrator copies a resolv.conf file from a server on a trusted net. Because DNS is not yet active, the administrator uses the server's IP address to locate the server.
# cd /etc
# cp /net/10.1.1.2/export/txsetup/resolv.conf resolv.conf
After the resolv.conf file is copied and the nsswitch.conf file includes dns in the hosts entry, the administrator can use host names to locate systems.