Oracle Solaris Trusted Extensions Developer's Guide     Oracle Solaris 11 Express 11/10

Acquiring a Sensitivity Label

Sensitivity labels are acquired from labeled zones and from other processes. A user can start a process only at the current sensitivity label of the current zone.

When a process creates an object, the object inherits the sensitivity label of its calling process. You can use the setlabel command or the setflabel() routine to set the sensitivity label of a file system object. See the setlabel(1) and setflabel(3TSOL) man pages.

The following script, runwlabel, runs a program that you specify in the labeled zone that you specify. You must run this script from the global zone.

Example 2-1 runwlabel Script

The runwlabel script must first acquire the sensitivity label of the labeled zone in which you want to run the specified program. This script uses the getzonepath command to obtain the zone path from the label that you specify on the command line. See the getzonepath(1) man page.

Next, the runwlabel script uses the zoneadm command to find the zone name associated with the zone path, which was acquired by the getzonepath command. See the zoneadm(1M) man page.

Finally, the runwlabel script uses the zlogin command to run the program that you specify in the zone associated with the label you specified. See the zlogin(1) man page.

To run the zonename command in the zone associated with the Confidential: Internal Use Only label, run the runwlabel script from the global zone. For example:

machine1% runwlabel "Confidential : Internal Use Only" zonename

The following shows the source of the runwlabel script:

#!/bin/sh
# Usage:
# runwlabel "my-label" my-program
[ ! -x /usr/sbin/zoneadm ] && exit 0    # SUNWzoneu not installed

PATH=/usr/sbin:/usr/bin; export PATH

# The label is the first argument, the program to run is the second
label="$1"
progname="$2"

# Get the zone path associated with the "my-label" zone
# Remove the trailing "/root"
zonepath=`getzonepath "$label" | sed -e 's/\/root$//'`

# Find the zone name that is associated with this zone path
# (zoneadm list -p fields: zoneid:zonename:state:zonepath:...)
for zone in `zoneadm list -pi | nawk -F: -v zonepath="${zonepath}" '{
        if ($4 == zonepath) {
            print $2
        }
    }'`; do

    # Run the specified command in the matching zone
    zlogin "${zone}" "${progname}"
done

The following script, runinzone, runs a program in a zone that you specify even if the zone is not booted. You must run this script from the global zone.

Example 2-2 runinzone Script

The script first boots the zone you specified, and then it uses the zlogin command to run the waitforzone script in the specified zone.

The waitforzone script waits for the local zone automounter to come up, and then it runs the program you specified as the user you specified.

To run the /usr/bin/xclock command in the public zone, run the following from the global zone:

machine1% runinzone public terry /usr/bin/xclock

The following shows the source of the runinzone script:


#!/bin/sh
# Arguments: zone-name user program
zonename=$1; user=$2; program=$3

# Boot the specified zone
zoneadm -z ${zonename} boot

# Run the command in the specified zone
zlogin ${zonename} /bin/demo/waitforzone ${user} ${program} ${DISPLAY}

The runinzone script calls the following script, waitforzone:


#!/bin/sh
# Arguments: user program display
user=$1; program=$2; display=$3

# Wait for the local zone automounter to come up
# by checking for the auto_home trigger being loaded

while [ ! -d /home/${user} ]; do
    sleep 1
done

# Now, run the command you specified as the specified user

su - ${user} -c "${program} -display ${display}"
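Both scripts above assume that getzonepath, zoneadm and zlogin line up: runwlabel runs zlogin for whatever zone name the nawk match yields (nothing, if no zone has that path), and runinzone boots the zone first because zlogin needs a running zone. The following is an added example, not part of the guide, that performs the same zonepath-to-zone lookup with those two checks made explicit; it assumes only that the first four colon-separated fields of zoneadm list -p output are zoneid, zonename, state and zonepath, and it runs offline on a constructed listing (on a Trusted Extensions system, pass "$(zoneadm list -pi)" instead).

```shell
#!/bin/sh
# Added example, not from the guide: the zonepath-to-zone lookup that
# runwlabel performs, plus the checks it omits (no zone matches the
# label's path; the zone is not running, the case runinzone handles by
# booting it). The listing is passed in as a string so this runs offline
# on the constructed sample below; on a real system pass "$(zoneadm list -pi)".
# Assumed zoneadm list -p record: zoneid:zonename:state:zonepath:uuid:brand:ip-type

# Strip the trailing "/root" that getzonepath(1) appends to the zone path.
strip_root() {
    printf '%s\n' "$1" | sed -e 's,/root$,,'
}

# zone_field LISTING ZONEPATH name|state: print that field of the matching
# zone; print nothing and return 1 when no zone has that zonepath.
zone_field() {
    listing=$1; zonepath=$2
    case $3 in
        name)  col=2 ;;
        state) col=3 ;;
        *)     echo "zone_field: unknown field '$3'" >&2; return 2 ;;
    esac
    printf '%s\n' "$listing" |
        awk -F: -v zonepath="$zonepath" -v col="$col" \
            '$4 == zonepath { print $col; found = 1 } END { exit !found }'
}

# zone_ready LISTING GETZONEPATH_OUTPUT: succeed only when the zone behind
# the path exists and is running, so a following zlogin cannot fail
# silently or be aimed at a zone other than the one the label names.
zone_ready() {
    zonepath=$(strip_root "$2")
    state=$(zone_field "$1" "$zonepath" state) ||
        { echo "no zone has zonepath $zonepath" >&2; return 1; }
    [ "$state" = running ] ||
        { echo "zone at $zonepath is $state, not running" >&2; return 1; }
}

# Constructed sample listing, not captured from a real system.
SAMPLE='0:global:running:/:0000-global:solaris:shared
1:public:running:/zone/public:0000-public:solaris:excl
-:internal:installed:/zone/internal:0000-internal:solaris:excl'

# Stand-alone demonstration; the zlogin is only echoed here.
for p in /zone/public/root /zone/internal/root /zone/nosuch/root; do
    if zone_ready "$SAMPLE" "$p"; then
        echo "would run: zlogin $(zone_field "$SAMPLE" "$(strip_root "$p")" name) zonename"
    fi
done
```

On Solaris, use /usr/xpg4/bin/awk or nawk where plain /usr/bin/awk does not accept -v.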