Trusted Extensions Configuration and Administration (Oracle Solaris 11 Information Library)
Sharing and Mounting Files in Trusted Extensions
NFS mounts in Trusted Extensions are similar to Oracle Solaris mounts. The differences occur in the enforcement of MAC policy. Also, the txzonemgr script assumes that home directories are mounted as /export/home.
NFS shares in Trusted Extensions are similar to Oracle Solaris shares in a global zone. However, the sharing of a labeled zone on a multilevel system is unique to Trusted Extensions:
Shares and mounts in the global zone – Sharing and mounting files in the global zone of a Trusted Extensions system is almost identical to the procedure in Oracle Solaris. For mounting files, the automounter and the mount command can be used. For sharing files, the sharenfs property of ZFS datasets is used.
Mounts in labeled zones – Mounting files in labeled zones in Trusted Extensions is almost identical to mounting files in non-global zones in Oracle Solaris. For mounting files, the automounter and the mount command can be used. In Trusted Extensions, a unique auto_home_zone-name configuration file exists for each labeled zone.
Shares in labeled zones – Files in a labeled zone can be shared at the label of the zone by using the ZFS share properties. For more discussion, see Global Zone Processes and Labeled Zones.
Labels affect which files can be mounted. Files are shared and mounted at a particular label.
For a Trusted Extensions system to mount a file system on another Trusted Extensions system, the server and the client must have compatible remote host templates of type cipso.
For a Trusted Extensions client to write to a file system that is NFS-mounted, the file system must be mounted with read-write permissions and be at the same label as the client.
For a Trusted Extensions system to mount a file system from an unlabeled system, the single label that is assigned to the unlabeled system by the Trusted Extensions system must match the label of the Trusted Extensions system.
Similarly, for a labeled zone to mount a file system from an unlabeled system, the single label that is assigned to the unlabeled system by the Trusted Extensions system must match the label of the labeled zone.
File systems that are mounted with LOFS and whose label differs from the label of the mounting zone can be viewed but cannot be modified. For details on NFS mounts, see Access to NFS Mounted File Systems in Trusted Extensions.
Labels also affect which directories and files can be viewed. By default, lower-level objects are available in a user's environment. Therefore, in the default configuration, a regular user can view files that are in a zone at a lower level than the user's current level. For example, users can see their lower-level home directories from a higher label. For details, see Home Directory Creation in Trusted Extensions.
If site security forbids the viewing of lower-level objects, you can hide lower-level file systems from the user. For details, see How to Disable the Mounting of Lower-Level Files.
The mount policy in Trusted Extensions has no MAC overrides. Mounted files that are visible at a lower label can never be modified by a higher-label process. This MAC policy is also in effect in the global zone. A global zone ADMIN_HIGH process cannot modify an NFS-mounted file at a lower label, such as a PUBLIC file or an ADMIN_LOW file. MAC policies enforce the default configuration and are invisible to regular users. Regular users cannot see objects unless they have MAC access to them.
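The label rules in the preceding paragraphs combine into a single decision for each mount request: whether the mount is permitted at all, and whether the mounting zone can write to it. The following Python model is an added example, not code from the Oracle Solaris documentation or the Trusted Extensions product. The names Label, RemoteHost, Decision and evaluate_mount, and the sample labels PUBLIC, INTERNAL and RESTRICTED, are constructed for this example; only ADMIN_LOW, ADMIN_HIGH and the cipso/unlabeled template types come from the text.

```python
"""Illustrative model of the Trusted Extensions mount and write rules.

Labels are modelled as a classification plus a set of compartments,
with ADMIN_LOW at the bottom of the lattice and ADMIN_HIGH at the top.
This is an example model, not Solaris code.
"""
from dataclasses import dataclass
from typing import NamedTuple, Optional


@dataclass(frozen=True)
class Label:
    name: str
    classification: int
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when self is at or above other in the label lattice."""
        if self.name == "ADMIN_HIGH" or other.name == "ADMIN_LOW":
            return True
        if self.name == "ADMIN_LOW" or other.name == "ADMIN_HIGH":
            return False
        return (self.classification >= other.classification
                and self.compartments >= other.compartments)


ADMIN_LOW = Label("ADMIN_LOW", 0)
ADMIN_HIGH = Label("ADMIN_HIGH", 2**31)
# Constructed sample labels for this example (not from the page).
PUBLIC = Label("PUBLIC", 1)
INTERNAL = Label("INTERNAL", 2)
RESTRICTED = Label("RESTRICTED", 3, frozenset({"A"}))


@dataclass(frozen=True)
class RemoteHost:
    """How the mounting Trusted Extensions system classifies a server in its
    remote host templates: 'cipso' for another Trusted Extensions system,
    'unlabeled' (with one assigned label) for anything else."""
    name: str
    template_type: str
    assigned_label: Optional[Label] = None  # used only for unlabeled hosts


class Decision(NamedTuple):
    mounted: bool
    writable: bool
    reason: str


def evaluate_mount(zone_label: Label, server: RemoteHost, share_label: Label,
                   read_write: bool = True,
                   lower_level_mounts_allowed: bool = True) -> Decision:
    """Apply the text's rules to one mount request.

    zone_label  - label of the mounting zone (ADMIN_HIGH for a global zone process)
    share_label - label at which a cipso server shares the file system; for an
                  unlabeled server the assigned single label is used instead
    """
    if server.template_type == "unlabeled":
        # The single label assigned to the unlabeled system must match the
        # label of the mounting zone, otherwise the mount is refused.
        if server.assigned_label is None:
            raise ValueError(f"unlabeled host {server.name} has no assigned label")
        if server.assigned_label != zone_label:
            return Decision(False, False,
                            f"assigned label {server.assigned_label.name} "
                            f"does not match zone label {zone_label.name}")
        return Decision(True, read_write, "unlabeled server at the zone's label")

    if server.template_type != "cipso":
        return Decision(False, False,
                        f"no compatible cipso template for {server.name}")

    # Both sides are Trusted Extensions systems: the labels decide.
    if share_label == zone_label:
        mode = "read/write" if read_write else "read-only"
        return Decision(True, read_write, f"same label: {mode}")
    if zone_label.dominates(share_label):
        if not lower_level_mounts_allowed:
            return Decision(False, False,
                            "site policy hides lower-level file systems")
        # Read-down only: visible, never modifiable, even from ADMIN_HIGH.
        return Decision(True, False,
                        f"lower label {share_label.name}: view only, no MAC override")
    return Decision(False, False,
                    f"share label {share_label.name} is not dominated by {zone_label.name}")


if __name__ == "__main__":
    tx_server = RemoteHost("tx-nfs", "cipso")            # constructed host
    legacy = RemoteHost("legacy-nfs", "unlabeled", PUBLIC)  # constructed host
    requests = [(INTERNAL, tx_server, INTERNAL), (INTERNAL, tx_server, PUBLIC),
                (PUBLIC, tx_server, INTERNAL), (ADMIN_HIGH, tx_server, PUBLIC),
                (PUBLIC, legacy, PUBLIC), (INTERNAL, legacy, INTERNAL)]
    for zone, srv, lbl in requests:
        print(f"{zone.name:10} {srv.name:11} {lbl.name:10} {evaluate_mount(zone, srv, lbl)}")
```

Running the block prints one line per constructed request. The two cases worth noting are the global zone one, where an ADMIN_HIGH process gets a view-only mount of a PUBLIC share because the policy has no MAC override, and the unlabeled server one, where the mount from the INTERNAL zone fails because the Trusted Extensions system assigned that server the single label PUBLIC.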