Oracle Solaris Trusted Extensions Configuration and Administration, Oracle Solaris 11 Express 11/10
Labeled Zone Is Unable to Access the X Server
In Trusted Extensions, the labeled zones communicate with the X server through the global zone. Therefore, the labeled zones must have usable routes to the global zone.
If a labeled zone cannot successfully access the X server, you might see messages such as the following:
No route available
Cannot reach globalzone-hostname:0
The labeled zones might not be able to access the X server for any of the following reasons:
The zone is not initialized and is waiting for the sysidcfg process to complete.
The labeled zone's host name is not recognized by the naming service that runs in the global zone.
No interface is specified as all-zones.
The labeled zone's network interface is down.
NFS mounts do not work.
Do the following:
Log in to the zone.
You can use the zlogin command.
# zlogin zone-name
If you cannot log in as root, use the zlogin -S command to bypass authentication.
Verify that the zone is running.
# zoneadm list
If a zone has a status of running, the zone is running at least one process.
Address any problems that prevent the labeled zones from accessing the X server.
Initialize the zone by completing the sysidcfg process.
Run the sysidcfg program interactively. Answer the prompts in the Zone Terminal Console, or in the terminal window where you ran the zlogin command.
To run the sysidcfg process noninteractively, you can do one of the following:
Choose the Initialize item for the zone from the /usr/sbin/txzonemgr script.
The Initialize item enables you to supply default values to the sysidcfg questions.
Write your own sysidcfg script.
For more information, see the sysidcfg(4) man page.
Verify that the X server is available to the zone.
Log in to the labeled zone. Set the DISPLAY variable to point to the X server, and open a window.
# DISPLAY=global-zone-hostname:n.n
# export DISPLAY
# /usr/bin/gimp
If a labeled window does not appear, the zone networking has not been configured correctly for that labeled zone.
Configure the zone's host name with the naming service.
The zone's local /etc/hosts file is not used. Instead, equivalent information must be specified in the global zone. The information must include the IP address of the host name that is assigned to the zone.
No interface is specified as all-zones.
Unless all your zones have IP addresses on the same subnet as the global zone, you might need to configure an all-zones (shared) interface. This configuration enables a labeled zone to connect to the X server of the global zone. If you want to restrict remote connections to the X server of the global zone, you can use vni0 as the all-zones address.
If you do not want an all-zones interface configured, you must provide a route to the global zone X server for each zone. These routes must be configured in the global zone.
The labeled zone's network interface is down.
Use the ifconfig command to verify that the labeled zone's network interface is both UP and RUNNING.
# ifconfig -a
NFS mounts do not work.
In the root role, restart automount in the zone. Or, add a crontab entry to run the automount command every five minutes.
Note - The X server runs in the global zone. Each labeled zone must be able to connect with the global zone to use the X server. Therefore, zone networking must work before a zone can be used. For background information, see Planning for Multilevel Access.
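The checks in the procedure above (zone status, the zone's host name being known to the naming service in the global zone, and an all-zones interface being present) as a script; this is an added example, not part of the Oracle documentation, and it runs over constructed sample output in the format of zoneadm list -cv, the global zone's hosts data and ipadm show-addr, so it needs no labeled host. The zone names, addresses and the trusted-host name are assumptions.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: the page's checks (zone status,
# zone host name known to the global zone's naming service, an all-zones interface)
# run over constructed samples in the format of `zoneadm list -cv`, the global
# zone's hosts data and `ipadm show-addr`, so it runs without a labeled host.
ZONEADM_OUT='  ID NAME      STATUS     PATH            BRAND    IP
   0 global    running    /               solaris  shared
   1 public    running    /zone/public    labeled  shared
   - internal  installed  /zone/internal  labeled  shared'
HOSTS_OUT='127.0.0.1     localhost
192.168.84.2  trusted-host loghost
192.168.84.10 public'
IPADM_OUT='ADDROBJ        TYPE    STATE  ADDR
lo0/v4         static  ok     127.0.0.1/8
bge0/v4        static  ok     192.168.84.2/24
all-zones/v4   static  ok     192.168.84.3/24'

# zone_status ZONE: the STATUS column for ZONE, empty if the zone is unknown.
zone_status() {
    printf '%s\n' "$ZONEADM_OUT" | awk -v z="$1" 'NR > 1 && $2 == z { print $3 }'
}
# zone_host_ip ZONE: the address the global zone's hosts data maps to ZONE.
zone_host_ip() {
    printf '%s\n' "$HOSTS_OUT" | awk -v z="$1" '{ for (i = 2; i <= NF; i++) if ($i == z) print $1 }'
}
# all_zones_addr: address of an all-zones interface that is up, empty if none.
all_zones_addr() {
    printf '%s\n' "$IPADM_OUT" | awk '$1 ~ /^all-zones\// && $3 == "ok" { print $4 }'
}
# check_zone ZONE: 0 when all checks pass; otherwise report the cause and return 1.
check_zone() {
    st=$(zone_status "$1")
    if [ "$st" != "running" ]; then
        echo "zone $1: status '${st:-unknown}', finish booting and sysidcfg first"
        return 1
    fi
    if [ -z "$(zone_host_ip "$1")" ]; then
        echo "zone $1: host name not known to the naming service in the global zone"
        return 1
    fi
    addr=$(all_zones_addr)
    if [ -z "$addr" ]; then
        echo "zone $1: no interface is specified as all-zones; add one or a route"
        return 1
    fi
    echo "zone $1: running, resolvable, all-zones address $addr"
}
check_zone "${1:-public}"
```

On a real system, replace the three sample variables with the output of the corresponding commands run in the global zone; the same functions then apply unchanged.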
The Labeled Zone Manager dialog box displays the global zone.
Zone booting messages appear in the Zone Console Terminal window.
# ipadm show-addr
ADDROBJ           TYPE     STATE   ADDR
bge0/?            static   ok      127.0.0.1/8
all-zones/?       static   ok      192.168.84.3/24
Verify that the primary interface and IP address are available in this zone.
# ping remote-single-level-host
Note - The default position for desktop panels is the top of the screen. The trusted stripe covers the top of the screen. Therefore, the panels strip must be on the side or on the bottom of the workspace.
% cd $HOME/.gconf/apps/panel/toplevels
% ls
%gconf.xml bottom_panel_screen0/ top_panel_screen0/
% cd top_panel_screen0
% ls
%gconf.xml top_panel_screen0/
% vi %gconf.xml
For example, make the orientation line appear similar to the following:
/toplevels/orientation" type="string"> <stringvalue>bottom</stringvalue>
# export SETUPPANEL="/etc/gconf/schemas/panel-default-setup.entries"
# export TMPPANEL="/tmp/panel-default-setup.entries"
# sed 's/<string>top<\/string>/<string>bottom<\/string>/' $SETUPPANEL > $TMPPANEL
# cp $TMPPANEL $SETUPPANEL
# svcadm restart gconf-cache
If you have more than one panel, the panels stack at the bottom of the screen.