Oracle Solaris Trusted Extensions Configuration and Administration, Oracle Solaris 11 Express 11/10
To customize your Trusted Extensions configuration, use the following task map. To install the default configuration, go to Creating Labeled Zones. This task map describes and links to tasks that set up the global zone.
Your encodings file must be compatible with any Trusted Extensions host with which you are communicating.
Note - Trusted Extensions installs a default label_encodings file. This default file is useful for demonstrations. However, this file might not be a good choice for your use. If you plan to use the default file, you can skip this procedure.
If you are familiar with encodings files, you can use the following procedure.
If you are not familiar with encodings files, consult Oracle Solaris Trusted Extensions Label Administration for requirements, procedures, and examples.
Caution - You must successfully install labels before continuing, or the configuration will fail.
You are the security administrator. The security administrator is responsible for editing, checking, and maintaining the label_encodings file. If you plan to edit the label_encodings file, make sure that the file itself is writable. For more information, see the label_encodings(4) man page.
Use the command line.
# /usr/sbin/chk_encodings /full-pathname-of-label-encodings-file
If the command reports errors, the errors must be resolved before continuing. For assistance, see Chapter 3, Creating a Label Encodings File (Tasks), in Oracle Solaris Trusted Extensions Label Administration.
# cp /full-pathname-of-label-encodings-file \
/etc/security/tsol/label.encodings.site
# cd /etc/security/tsol
# cp label_encodings label_encodings.tx.orig
# cp label.encodings.site label_encodings
Caution - Your label_encodings file must pass the Check Encodings test before you continue.
Example 4-1 Checking label_encodings Syntax on the Command Line
In this example, the administrator tests several label_encodings files by using the command line.
# /usr/sbin/chk_encodings /var/encodings/label_encodings1
No errors found in /var/encodings/label_encodings1
# /usr/sbin/chk_encodings /var/encodings/label_encodings2
No errors found in /var/encodings/label_encodings2
When management decides to use the label_encodings2 file, the administrator runs a semantic analysis of the file.
# /usr/sbin/chk_encodings -a /var/encodings/label_encodings2
No errors found in /var/encodings/label_encodings2
---> VERSION = MYCOMPANY LABEL ENCODINGS 2.0 10/10/2006
---> CLASSIFICATIONS <---
Classification 1: PUBLIC
Initial Compartment bits: 10
Initial Markings bits: NONE
---> COMPARTMENTS AND MARKINGS USAGE ANALYSIS <---
...
---> SENSITIVITY LABEL to COLOR MAPPING <---
...
The administrator prints a copy of the semantic analysis for her records, then moves the file to the /etc/security/tsol directory.
# cp /var/encodings/label_encodings2 /etc/security/tsol/label.encodings.10.10.06
# cd /etc/security/tsol
# cp label_encodings label_encodings.tx.orig
# cp label.encodings.10.10.06 label_encodings
Finally, the administrator verifies that the label_encodings file is the company file.
# /usr/sbin/chk_encodings -a /etc/security/tsol/label_encodings | head -4
No errors found in /etc/security/tsol/label_encodings
---> VERSION = MYCOMPANY LABEL ENCODINGS 2.0 10/10/2006
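The check-then-install sequence above (verify the candidate, keep the shipped file as label_encodings.tx.orig, activate the site file, re-verify) can be scripted so that a file which fails chk_encodings is never copied into place. The following is an added example, not Oracle's code; the command path, directory and file names follow the procedure above, and the run_check hook is an assumption of this example so the install logic can be exercised on a machine without Trusted Extensions.

```python
"""Check-then-install helper for a label_encodings file.

Added example, not part of the Oracle documentation. CHK_ENCODINGS, TSOL_DIR
and the file names follow the procedure on this page; the `run_check`
parameter is an assumption of this example (it lets a test substitute a fake
checker on a system that has no Trusted Extensions).
"""
import shutil
import subprocess
from pathlib import Path

CHK_ENCODINGS = "/usr/sbin/chk_encodings"
TSOL_DIR = Path("/etc/security/tsol")


def run_chk_encodings(path, analyze=False):
    """Run chk_encodings (-a adds the semantic analysis) and return
    (exit status, combined stdout and stderr)."""
    cmd = [CHK_ENCODINGS] + (["-a"] if analyze else []) + [str(path)]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def encodings_ok(rc, output):
    """The page's success criterion is the 'No errors found' message; a zero
    exit status is required as well (assumption: chk_encodings exits
    non-zero when it reports errors)."""
    return rc == 0 and "No errors found" in output


def install_label_encodings(src, tsol_dir=TSOL_DIR, run_check=run_chk_encodings):
    """Validate `src`, stage it as label.encodings.site, preserve the current
    label_encodings as label_encodings.tx.orig, activate the site file and
    re-check the activated copy. A candidate that fails the check raises
    RuntimeError and leaves the live file untouched."""
    src = Path(src)
    tsol_dir = Path(tsol_dir)

    rc, out = run_check(src)
    if not encodings_ok(rc, out):
        raise RuntimeError(f"{src} failed chk_encodings, not installing:\n{out}")

    site = tsol_dir / "label.encodings.site"
    live = tsol_dir / "label_encodings"
    backup = tsol_dir / "label_encodings.tx.orig"

    shutil.copy2(src, site)
    # Only the first run creates the .tx.orig backup, so a later re-run does
    # not overwrite the original Trusted Extensions file with a site file.
    previous = live.read_bytes() if live.exists() else None
    if previous is not None and not backup.exists():
        shutil.copy2(live, backup)
    shutil.copy2(site, live)

    # Re-check the activated copy; restore the previous file if it fails.
    rc, out = run_check(live)
    if not encodings_ok(rc, out):
        if previous is not None:
            live.write_bytes(previous)
        raise RuntimeError(f"activated {live} failed re-check:\n{out}")
    return live


if __name__ == "__main__":
    import sys
    print(install_label_encodings(sys.argv[1]))
```

Run as root with the path of the candidate file as the only argument; the semantic analysis (chk_encodings -a) can still be taken and printed separately with run_chk_encodings(path, analyze=True).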
Caution - The txzonemgr script does not support IPv6 addresses to carry labeled traffic. You must edit the tnrhdb file by hand to run Trusted Extensions over an IPv6 network.
CIPSO options do not have an Internet Assigned Numbers Authority (IANA) number to use in the IPv6 Option Type field of a packet. The entry that you set in this procedure supplies a number to use on the local network until IANA assigns a number for this option. Trusted Extensions disables IPv6 networking if this number is not defined.
To enable an IPv6 network in Trusted Extensions, you must add an entry in the /etc/system file.
set ip:ip6opt_ls = 0x0a
Verify that the entry is spelled correctly.
Verify that the system has been rebooted after adding the correct entry to the /etc/system file.
If you add Trusted Extensions to an Oracle Solaris system that currently has IPv6 enabled, but you fail to add the IP entry in /etc/system, you see the following error message:
t_optmgmt: System error: Cannot assign requested address time-stamp
If you add Trusted Extensions to an Oracle Solaris system that does not have IPv6 enabled, and you fail to add the IP entry in /etc/system, you see the following types of error messages:
WARNING: IPv6 not enabled via /etc/system
Failed to configure IPv6 interface(s): bge0
rpcbind: Unable to join IPv6 multicast group for rpc broadcast broadcast-number
Caution - The txzonemgr script does not support a DOI that is not the default value. You must edit the tnrhdb file by hand to run Trusted Extensions with a DOI that is not the default value.
All communications to and from a system that is configured with Trusted Extensions must follow the labeling rules of a single CIPSO Domain of Interpretation (DOI). The DOI that is used in each message is identified by an integer number in the CIPSO IP Option header. By default, the DOI in Trusted Extensions is 1.
If your DOI is not 1, you must add an entry to the /etc/system file and modify the doi value in all security templates.
Type the following entry into the file:
set default_doi = n
This positive, non-zero number must match the DOI number in the tnrhtp database for your node and for the systems that your node communicates with.
Trusted Extensions provides two security templates, cipso and admin_low. If you have added templates for other remote hosts, also modify these entries.
# vi /etc/security/tsol/tnrhtp
Make this value the same as the default_doi value in the /etc/system file.
#admin_low:host_type=unlabeled;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;doi=1;def_label=ADMIN_LOW
admin_low:host_type=unlabeled;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;doi=n;def_label=ADMIN_LOW
You are finished when every doi value in every security template in the tnrhtp database is the same.
If the /etc/system file sets a default_doi value other than 1, and a security template for this system sets a value that does not match this default_doi value, then messages similar to the following are displayed on the system console during interface configuration:
NOTICE: er10 failed: 10.17.1.12 has wrong DOI 4 instead of 1
Failed to configure IPv4 interface(s): er10
Interface configuration failure can result in login failure:
unknown console login: root
Oct 10 10:10:20 unknown login: pam_unix_cred: cannot load hostname Error 0
To correct the problem, boot the system into single-user mode and correct the security templates as described in this procedure.
For more information about the DOI, see Network Security Attributes in Trusted Extensions.
For more information about security templates, see How to Construct a Remote Host Template.
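Both the IPv6 procedure (the ip:ip6opt_ls entry in /etc/system) and the DOI procedure (default_doi in /etc/system matching the doi value of every template in tnrhtp) come down to a consistency check that can be run before the reboot, rather than discovered through the console messages above. The following added example (not Oracle's code) performs that check against constructed sample text; it assumes the /etc/system line form `set name = value` with `*` comments and the tnrhtp line form `name:key=value;key=value;...` with `#` comments.

```python
"""Consistency check for the /etc/system entries and tnrhtp templates.

Added example, not Oracle's code. It parses the two file formats described on
this page and reports an ip:ip6opt_ls entry that is missing or misspelled and
any template whose doi differs from default_doi. The sample text at the bottom
is constructed for the example, not taken from a real system.
"""
import re

DEFAULT_DOI = 1            # Trusted Extensions default DOI
IP6OPT_LS_REQUIRED = 0x0a  # value the page requires for ip:ip6opt_ls


def parse_etc_system(text):
    """Return {name: value} for every active `set name = value` line."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):   # '*' starts a comment
            continue
        m = re.match(r"set\s+([\w:]+)\s*=\s*(\S+)$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def parse_tnrhtp(text):
    """Return {template: {attribute: value}} for every active template line."""
    templates = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, attrs = line.partition(":")
        fields = {}
        for pair in attrs.split(";"):
            if "=" in pair:
                key, _, value = pair.partition("=")
                fields[key.strip()] = value.strip()
        templates[name.strip()] = fields
    return templates


def check_doi(system_text, tnrhtp_text):
    """Return a list of problems; an empty list means every template's doi
    matches default_doi (1 when /etc/system sets no default_doi)."""
    settings = parse_etc_system(system_text)
    expected = int(settings.get("default_doi", str(DEFAULT_DOI)), 0)
    problems = []
    if expected <= 0:
        problems.append(f"default_doi must be a positive number, got {expected}")
    for name, fields in parse_tnrhtp(tnrhtp_text).items():
        doi = fields.get("doi")
        if doi is None:
            problems.append(f"template {name}: no doi attribute")
        elif int(doi, 0) != expected:
            problems.append(f"template {name}: doi={doi}, expected {expected}")
    return problems


def check_ipv6_entry(system_text):
    """True when /etc/system carries ip:ip6opt_ls with the required value,
    which is what the page says Trusted Extensions needs to enable IPv6."""
    value = parse_etc_system(system_text).get("ip:ip6opt_ls")
    return value is not None and int(value, 0) == IP6OPT_LS_REQUIRED


# Constructed sample input: the site uses DOI 4, the two shipped templates were
# updated, and a template added for a remote network still carries doi=1.
SAMPLE_ETC_SYSTEM = """\
* /etc/system excerpt (constructed)
set ip:ip6opt_ls = 0x0a
set default_doi = 4
"""

SAMPLE_TNRHTP = """\
# tnrhtp excerpt (constructed)
cipso:host_type=cipso;doi=4;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH
admin_low:host_type=unlabeled;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;doi=4;def_label=ADMIN_LOW
partner_net:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH
"""

if __name__ == "__main__":
    print("IPv6 entry present and correct:", check_ipv6_entry(SAMPLE_ETC_SYSTEM))
    for problem in check_doi(SAMPLE_ETC_SYSTEM, SAMPLE_TNRHTP):
        print("DOI problem:", problem)
```

On a real system, read /etc/system and /etc/security/tsol/tnrhtp into the two text arguments; a non-empty result from check_doi is exactly the condition that produces the "wrong DOI" notice on the console during interface configuration.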
At most sites, two or more administrators, who serve as an initial setup team, are present when configuring the system.
Become familiar with the desktop and label options in Trusted Extensions. For details, see Chapter 2, Logging In to Trusted Extensions (Tasks), in Oracle Solaris Trusted Extensions User Guide.
If your system does not have a graphical display, go to Chapter 6, Configuring a Headless System With Trusted Extensions (Tasks).
In the login dialog box, type username, then type the password.
Users must not disclose their passwords to another person, as that person might then have access to the data of the user and will not be uniquely identified or accountable. Note that disclosure can be direct, through the user deliberately disclosing his/her password to another person, or indirect, such as through writing it down, or choosing an insecure password. Trusted Extensions software provides protection against insecure passwords, but cannot prevent a user disclosing his/her password or writing it down.
You are going to create the zone after you assume the root role.
The root role appears in a pulldown menu.
If prompted, create a new password for the role.
Note - You must log off or lock the screen before leaving a system unattended. Otherwise, a person can access the system without having to pass identification and authentication, and that person would not be uniquely identified or accountable.