JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris Trusted Extensions Configuration and Administration     Oracle Solaris 11 Express 11/10
search filter icon
search icon

Document Information


Part I Initial Configuration of Trusted Extensions

1.  Security Planning for Trusted Extensions

2.  Configuration Roadmap for Trusted Extensions

3.  Adding Trusted Extensions Software to the Oracle Solaris OS (Tasks)

4.  Configuring Trusted Extensions (Tasks)

Setting Up the Global Zone and Logging In to Trusted Extensions

Check and Install Your Label Encodings File

Enable IPv6 Networking in Trusted Extensions

Configure the Domain of Interpretation

Reboot and Log In to Trusted Extensions

Creating Labeled Zones

Create a Default Trusted Extensions System

Create Labeled Zones Interactively

Assign Labels to Two Zone Workspaces

Configure the Network Interfaces in Trusted Extensions

Make the Global Zone an LDAP Client in Trusted Extensions

Adding Network Interfaces and Routing to Labeled Zones

Add a Network Interface to Route an Existing Labeled Zone

Add a Network Interface That Does Not Use the Global Zone to Route an Existing Labeled Zone

Configure a Name Service Cache in Each Labeled Zone

Creating Roles and Users in Trusted Extensions

Create the Security Administrator Role in Trusted Extensions

Create a System Administrator Role

Create Users Who Can Assume Roles in Trusted Extensions

Verify That the Trusted Extensions Roles Work

Enable Users to Log In to a Labeled Zone

Creating Home Directories in Trusted Extensions

Create the Home Directory Server in Trusted Extensions

Enable Users to Access Their Home Directories in Trusted Extensions

Troubleshooting Your Trusted Extensions Configuration

Labeled Zone Is Unable to Access the X Server

Public Zone Does Not Connect to Global Zone

Desktop Panels Do Not Display

Additional Trusted Extensions Configuration Tasks

How to Copy Files to Portable Media in Trusted Extensions

How to Copy Files From Portable Media in Trusted Extensions

How to Remove Trusted Extensions From the System

5.  Configuring LDAP for Trusted Extensions (Tasks)

6.  Configuring a Headless System With Trusted Extensions (Tasks)

Part II Administration of Trusted Extensions

7.  Trusted Extensions Administration Concepts

8.  Trusted Extensions Administration Tools

9.  Getting Started as a Trusted Extensions Administrator (Tasks)

10.  Security Requirements on a Trusted Extensions System (Overview)

11.  Administering Security Requirements in Trusted Extensions (Tasks)

12.  Users, Rights, and Roles in Trusted Extensions (Overview)

13.  Managing Users, Rights, and Roles in Trusted Extensions (Tasks)

14.  Remote Administration in Trusted Extensions (Tasks)

15.  Trusted Extensions and LDAP (Overview)

16.  Managing Zones in Trusted Extensions (Tasks)

17.  Managing and Mounting Files in Trusted Extensions (Tasks)

18.  Trusted Networking (Overview)

19.  Managing Networks in Trusted Extensions (Tasks)

20.  Multilevel Mail in Trusted Extensions (Overview)

21.  Managing Labeled Printing (Tasks)

22.  Devices in Trusted Extensions (Overview)

23.  Managing Devices for Trusted Extensions (Tasks)

24.  Trusted Extensions Auditing (Overview)

25.  Software Management in Trusted Extensions (Reference)

A.  Site Security Policy

Creating and Managing a Security Policy

Site Security Policy and Trusted Extensions

Computer Security Recommendations

Physical Security Recommendations

Personnel Security Recommendations

Common Security Violations

Additional Security References

B.  Configuration Checklist for Trusted Extensions

Checklist for Configuring Trusted Extensions

C.  Quick Reference to Trusted Extensions Administration

Administrative Interfaces in Trusted Extensions

Oracle Solaris Interfaces Extended by Trusted Extensions

Tighter Security Defaults in Trusted Extensions

Limited Options in Trusted Extensions

D.  List of Trusted Extensions Man Pages

Trusted Extensions Man Pages in Alphabetical Order

Oracle Solaris Man Pages That Are Modified by Trusted Extensions



Setting Up the Global Zone and Logging In to Trusted Extensions

To customize your Trusted Extensions configuration, use the following task map. To install the default configuration, go to Creating Labeled Zones.

This task map describes and links to tasks that set up the global zone.
For Instructions
Protect the hardware.
Protects hardware by requiring a password to change hardware settings.
Controlling Access to System Hardware in System Administration Guide: Security Services
Configure labels.
Labels must be configured for your site. If you plan to use the default label_encodings file, you can skip this step.
For IPv6, modify the /etc/system file.
Enables IP to recognize labeled packets on an IPv6 network.
For a DOI whose value is not 1, modify the /etc/system file.
Specifies a Domain of Interpretation (DOI) that is not 1.
Reboot and log in.
Places you in the global zone, which is an environment that recognizes and enforces mandatory access control (MAC).
Configure LDAP.
Sets up the LDAP service.
Makes this system an LDAP client.

Check and Install Your Label Encodings File

Your encodings file must be compatible with any Trusted Extensions host with which you are communicating.

Note - Trusted Extensions installs a default label_encodings file. This default file is useful for demonstrations. However, this file might not be a good choice for your use. If you plan to use the default file, you can skip this procedure.


Caution - You must successfully install labels before continuing, or the configuration will fail.

Before You Begin

You are the security administrator. The security administrator is responsible for editing, checking, and maintaining the label_encodings file. If you plan to edit the label_encodings file, make sure that the file itself is writable. For more information, see the label_encodings(4) man page.

  1. Insert the media with the label_encodings file into the appropriate device.
  2. Copy the label_encodings file to the disk.
  3. Check the syntax of the file and make it the active label_encodings file.

    Use the command line.

    1. Open a terminal window.
    2. Run the chk_encodings command.
      # /usr/sbin/chk_encodings /full-pathname-of-label-encodings-file
    3. Read the output and do one of the following:


    Caution - Your label_encodings file must pass the Check Encodings test before you continue.

Example 4-1 Checking label_encodings Syntax on the Command Line

In this example, the administrator tests several label_encodings files by using the command line.

# /usr/sbin/chk_encodings /var/encodings/label_encodings1
No errors found in /var/encodings/label_encodings1
# /usr/sbin/chk_encodings /var/encodings/label_encodings2
No errors found in /var/encodings/label_encodings2

When management decides to use the label_encodings2 file, the administrator runs a semantic analysis of the file.

# /usr/sbin/chk_encodings -a /var/encodings/label_encodings2
No errors found in /var/encodings/label_encodings2



   Classification 1: PUBLIC
   Initial Compartment bits: 10
   Initial Markings bits: NONE


The administrator prints a copy of the semantic analysis for her records, then moves the file to the /etc/security/tsol directory.

# cp /var/encodings/label_encodings2 /etc/security/tsol/label.encodings.10.10.06
# cd /etc/security/tsol
# cp label_encodings label_encodings.tx.orig
# cp label.encodings.10.10.06 label_encodings

Finally, the administrator verifies that the label_encodings file is the company file.

# /usr/sbin/chk_encodings -a /etc/security/tsol/label_encodings | head -4
No errors found in /etc/security/tsol/label_encodings


Enable IPv6 Networking in Trusted Extensions


Caution - The txzonemgr script does not support IPv6 addresses to carry labeled traffic. You must edit the tnrhdb file by hand to run Trusted Extensions over an IPv6 network.

CIPSO options do not have an Internet Assigned Numbers Authority (IANA) number to use in the IPv6 Option Type field of a packet. The entry that you set in this procedure supplies a number to use on the local network until IANA assigns a number for this option. Trusted Extensions disables IPv6 networking if this number is not defined.

To enable an IPv6 network in Trusted Extensions, you must add an entry in the /etc/system file.


Configure the Domain of Interpretation


Caution - The txzonemgr script does not support a DOI that is not the default value. You must edit the tnrhdb file by hand to run Trusted Extensions with a DOI that is not the default value.

All communications to and from a system that is configured with Trusted Extensions must follow the labeling rules of a single CIPSO Domain of Interpretation (DOI). The DOI that is used in each message is identified by an integer number in the CIPSO IP Option header. By default, the DOI in Trusted Extensions is 1.

If your DOI is not 1, you must add an entry to the /etc/system file and modify the doi value in all security template.

  1. Set your DOI value in the /etc/system file.

    Type the following entry into the file:

    set default_doi = n

    This positive, non-zero number must match the DOI number in the tnrhtp database for your node and for the systems that your node communicates with.

  2. Modify the doi value in all security templates in the tnrhtp database.

    Trusted Extensions provides two security templates, cipso and admin_low. If you have added templates for other remote hosts, also modify these entries.

    1. Open the tnrhtp database.
      # vi /etc/security/tsol/tnrhtp
    2. Copy the cipso template entry to another line.
    3. Comment out one of the cipso entries.
    4. Modify the doi value in the uncommented cipso entry.

      Make this value the same as the default_doi value in the /etc/system file.

    5. Change the doi value for the admin_low entry.

    You are finished when every doi value in every security template in the tnrhtp database is the same.


If the /etc/system file sets a default_doi value other than 1, and a security template for this system sets a value that does not match this default_doi value, then messages similar to the following are displayed on the system console during interface configuration:

Interface configuration failure can result in login failure:

To correct the problem, boot the system into single-user mode and correct the security templates as described in this procedure.

See Also

For more information about the DOI, see Network Security Attributes in Trusted Extensions.

For more information about security templates, see How to Construct a Remote Host Template.

Reboot and Log In to Trusted Extensions

At most sites, two or more administrators, who serve as an initial setup team, are present when configuring the system.

Before You Begin

Become familiar with the desktop and label options in Trusted Extensions. For details, see Chapter 2, Logging In to Trusted Extensions (Tasks), in Oracle Solaris Trusted Extensions User Guide.

  1. Reboot the system.
    # /usr/sbin/reboot

    If your system does not have a graphical display, go to Chapter 6, Configuring a Headless System With Trusted Extensions (Tasks).

  2. Log in as the user account that you created during installation.

    In the login dialog box, type username, then type the password.

    Users must not disclose their passwords to another person, as that person might then have access to the data of the user and will not be uniquely identified or accountable. Note that disclosure can be direct, through the user deliberately disclosing his/her password to another person, or indirect, such as through writing it down, or choosing an insecure password. Trusted Extensions software provides protection against insecure passwords, but cannot prevent a user disclosing his/her password or writing it down.

  3. Use the mouse to dismiss the Status window and the Clearance window.
  4. Dismiss the dialog box that says that the label PUBLIC has no matching zone.

    You are going to create the zone after you assume the root role.

  5. Assume the root role.
    1. Click your name in the trusted stripe.

      The root role appears in a pulldown menu.

    2. Click the root role.

      If prompted, create a new passowrd for the role.

    Note - You must log off or lock the screen before leaving a system unattended. Otherwise, a person can access the system without having to pass identification and authentication, and that person would not be uniquely identified or accountable.