Trusted Extensions Configuration and Administration     Oracle Solaris 11.1 Information Library

Additional Trusted Extensions Configuration Tasks

The following tasks can be helpful in configuring a Trusted Extensions system to your requirements. The final task enables you to remove the Trusted Extensions feature from an Oracle Solaris system.

| Task | Description | For Instructions |
| --- | --- | --- |
| Inform users of site security. | Displays a security message at login. | |
| Create a labeled zone to contain a service that operates at the same label as an existing zone. | Creates a secondary zone at the same label as a primary zone. | |
| Create a dataset to hold directories and files at all labels. | Creates and mounts a dataset where files can be relabeled with minimal overhead. | |
| Create a home directory server at every label. | Creates several home directory servers, one for every label. Or, creates a multilevel home directory server. | |
| Create initial users who can assume roles. | Creates users whom you trust to administer the system when they assume a role. | |
| Remove Trusted Extensions. | Removes Trusted Extensions and all trusted data from your system. Also readies the system to run Oracle Solaris without Trusted Extensions. | |

How to Create a Secondary Labeled Zone

Secondary labeled zones are useful for isolating services in different zones, yet allowing the services to run at the same label. For more information, see Primary and Secondary Labeled Zones.

Before You Begin

The primary zone must exist. The secondary zone must have an exclusive IP address and cannot require a desktop.

You must be in the root role in the global zone.

  1. Create a secondary zone.

    You can use the command line or the Labeled Zone GUI, txzonemgr.

    • Use the command line.
      # tncfg -z secondary-label-service primary=no
      # tncfg -z secondary-label-service label=public
    • Use txzonemgr.
      # txzonemgr &

      Navigate to Create a new zone, and follow the prompts.


      Note - The netmask must be entered in prefix form. For example, the 255.255.254.0 netmask requires a prefix of 23.


  2. Verify that the zone is a secondary zone.
    # tncfg -z zone info primary
        primary=no

Example 4-6 Creating a Zone for Public Scripts

In this example, the administrator isolates a public zone that is designed to run scripts and batch jobs.

# tncfg -z public-scripts primary=no
# tncfg -z public-scripts label=public

How to Create and Share a Multilevel Dataset

Multilevel datasets are useful containers when you downgrade or upgrade information. For more information, see Multilevel Datasets for Relabeling Files. Multilevel datasets are also useful for multilevel NFS file servers to provide files at many labels to a number of NFS clients.

Before You Begin

To create a multilevel dataset, you must be in the root role in the global zone.

  1. Create a multilevel dataset.
    # zfs create -o mountpoint=/multi -o multilevel=on rpool/multi

    rpool/multi is a multilevel dataset that is mounted in the global zone at /multi.

    To limit the upper label range of the dataset, see Example 4-7.

  2. Verify that the multilevel dataset is mounted and that the mountpoint has the ADMIN_LOW label.
    # getlabel /multi
    /multi: ADMIN_LOW
  3. Protect the parent file system.

    Set the following ZFS properties to off for all file systems in the pool:

    # zfs set devices=off rpool/multi
    # zfs set exec=off rpool/multi
    # zfs set setuid=off rpool/multi
  4. (Optional) Set the compression property of the pool.

    Typically, compression is set in ZFS at the file system level. However, because all the file systems in this pool are data files, compression is set at the top-level dataset for the pool.

    # zfs set compression=on rpool/multi

    See also Interactions Between ZFS Compression, Deduplication, and Encryption Properties in Oracle Solaris 11.1 Administration: ZFS File Systems.

  5. Create top-level directories for each label that you want in the multilevel dataset.
    # cd /multi
    # mkdir public internal
    # chmod 777 public internal
    # setlabel PUBLIC public
    # setlabel "CNF : INTERNAL" internal
  6. Use LOFS to mount the multilevel dataset in every labeled zone that is approved to have access.

    For example, the following series of zonecfg commands mounts the dataset in the public zone.

    # zonecfg -z public
    zonecfg:public> add fs
    zonecfg:public:fs> set dir=/multi
    zonecfg:public:fs> set special=/multi
    zonecfg:public:fs> set type=lofs
    zonecfg:public:fs> end
    zonecfg:public> exit

    Multilevel datasets permit writing files at the same label as the mounting zone and reading lower-level files. The label of the mounted files can be viewed and set.

  7. To use NFS to share the multilevel dataset with other systems, do the following:
    1. Make the NFS service in the global zone into a multilevel service.
      # tncfg -z global add mlp_private=2049/tcp
      # tncfg -z global add mlp_private=111/udp
      # tncfg -z global add mlp_private=111/tcp
    2. Restart the NFS service.
      # svcadm restart nfs/server
    3. Share the multilevel dataset.
      # share /multi

    NFS-mounted multilevel datasets permit writing files at the same label as the mounting zone and reading lower-level files. The label of the mounted files cannot be viewed reliably or set. For more information, see Mounting Multilevel Datasets From Another System.
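
A check for Steps 1 through 3, added here as an example and not part of the Oracle procedure: it parses zfs get and getlabel output and reports any setting that differs from what the steps configure. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Oracle's code): audits the settings from steps 1-3.

# audit_multilevel_props: stdin is "property<TAB>value" lines as printed by
#   zfs get -H -o property,value multilevel,devices,exec,setuid rpool/multi
# Prints one FAIL line per deviation; returns non-zero if any check fails.
audit_multilevel_props() {
    awk -F'\t' '
        BEGIN {
            want["multilevel"] = "on"    # step 1
            want["devices"]    = "off"   # step 3
            want["exec"]       = "off"   # step 3
            want["setuid"]     = "off"   # step 3
        }
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1]) {
                printf "FAIL %s=%s (expected %s)\n", $1, $2, want[$1]
                bad++
            }
        }
        END {
            for (p in want) if (!(p in seen)) {
                printf "FAIL %s not reported\n", p
                bad++
            }
            exit (bad > 0)
        }'
}

# check_mountpoint_label: stdin is one line of getlabel output, such as
# "/multi: ADMIN_LOW" (step 2). Succeeds only for ADMIN_LOW.
check_mountpoint_label() {
    IFS= read -r line || return 1
    # Strip the "path: " prefix; labels may themselves contain " : ".
    [ "${line#*: }" = "ADMIN_LOW" ]
}

# Constructed sample: exec was left on, so the audit must flag it.
sample_bad() {
    printf 'multilevel\ton\ndevices\toff\nexec\ton\nsetuid\toff\n'
}

if sample_bad | audit_multilevel_props; then echo "audit: OK"; fi
echo "/multi: ADMIN_LOW" | check_mountpoint_label && echo "label: OK"
```

On a live system, pipe the zfs get command shown in the comment into audit_multilevel_props, and pipe getlabel /multi into check_mountpoint_label.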

Example 4-7 Creating a Multilevel Dataset With a Highest Label Below ADMIN_HIGH

In this example, the administrator creates a multilevel dataset with an upper bound, or highest label, that is lower than the default, ADMIN_HIGH. At dataset creation, the administrator specifies the upper label bound in the mlslabel property. This upper bound prevents global zone processes from creating any files or directories in the multilevel dataset. Only labeled zone processes can create directories and files in the dataset. Because the multilevel property is on, the mlslabel property sets the upper bound, not the label for a single-label dataset.

# zfs create -o mountpoint=/multiIUO -o multilevel=on \
-o mlslabel="CNF : INTERNAL" rpool/multiIUO

Then, the administrator logs in to each labeled zone to create a directory at that label in the mounted dataset.

# zlogin public 
# mkdir /multiIUO
# chmod 777 /multiIUO
# zlogin internal 
# mkdir /multiIUO
# chmod 777 /multiIUO

The multilevel datasets are visible at the label of the mounting zone to authorized users after the zone is rebooted.

Next Steps

To enable users to relabel files, see How to Enable Files to Be Relabeled From a Labeled Zone.

For instructions about relabeling files, see How to Upgrade Data in a Multilevel Dataset in Trusted Extensions User’s Guide and How to Downgrade Data in a Multilevel Dataset in Trusted Extensions User’s Guide.

How to Copy Files to Portable Media in Trusted Extensions

When copying to portable media, label the media with the sensitivity label of the information.


Note - During Trusted Extensions configuration, the root role might use portable media to transfer the label_encodings files to all systems. Label the media with Trusted Path.


Before You Begin

To copy administrative files, you must be in the root role in the global zone.

  1. Allocate the appropriate device.

    Use the Device Manager, and insert clean media. For details, see How to Allocate a Device in Trusted Extensions in Trusted Extensions User’s Guide.

    The File Browser displays the contents of the clean media.

  2. Open a second File Browser.
  3. Navigate to the folder that contains the files to be copied.
  4. For each file, do the following:
    1. Highlight the icon for the file.
    2. Drag the file to the File Browser for the portable media.
  5. Deallocate the device.

    For details, see How to Deallocate a Device in Trusted Extensions in Trusted Extensions User’s Guide.

  6. On the File Browser for the portable media, choose Eject from the File menu.

    Note - Remember to physically affix a label to the media with the sensitivity label of the copied files.


Example 4-8 Keeping Configuration Files Identical on All Systems

The system administrator wants to ensure that every system is configured with the same settings. So, on the first system that is configured, the administrator creates a directory that cannot be deleted between reboots. In that directory, the administrator places the files that must be identical or very similar on all systems.

For example, the administrator modifies the policy.conf file, and the default login and passwd files for this site. So, the administrator copies the following files to the permanent directory.

# mkdir /export/commonfiles
# cp /etc/security/policy.conf \
/etc/default/login \
/etc/default/passwd \
/etc/security/tsol/label_encodings \
/export/commonfiles

The administrator uses the Device Manager to allocate a CD-ROM in the global zone, transfers the files to the CD, and affixes a Trusted Path label.

How to Copy Files From Portable Media in Trusted Extensions

It is safe practice to rename the original Trusted Extensions file before replacing the file. When configuring a system, the root role renames and copies administrative files.

Before You Begin

To copy administrative files, you must be in the root role in the global zone.

  1. Allocate the appropriate device.

    For details, see How to Allocate a Device in Trusted Extensions in Trusted Extensions User’s Guide.

    The File Browser displays the contents.

  2. Insert the media that contains the administrative files.
  3. If the system has a file of the same name, copy the original file to a new name.

    For example, add .orig to the end of the original file:

    # cp /etc/security/tsol/label_encodings /etc/security/tsol/label_encodings.orig
  4. Open a File Browser.
  5. Navigate to the desired destination directory, such as /etc/security/tsol.
  6. For each file that you want to copy, do the following:
    1. In the File Browser for the mounted media, highlight the icon for the file.
    2. Then, drag the file to the destination directory in the second File Browser.
  7. Deallocate the device.

    For details, see How to Deallocate a Device in Trusted Extensions in Trusted Extensions User’s Guide.

  8. When prompted, eject and remove the media.
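
A command-line sketch of Steps 3 through 6, added here as an example and not part of the Oracle procedure: it keeps the original under a .orig name before replacing it, skips files that are already identical, and does not overwrite an existing .orig when the procedure is repeated. The function name install_from_media and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not Oracle's code). install_from_media is a hypothetical
# helper; SRC is the file on the mounted media, DST the file to replace.

# install_from_media SRC DST
#   Prints "unchanged", "installed" or "replaced"; non-zero status on error.
install_from_media() {
    src=$1
    dst=$2
    [ -f "$src" ] || { echo "missing source: $src" >&2; return 2; }

    if [ -f "$dst" ]; then
        # Same content already in place: no copy and no backup needed.
        if cmp -s "$src" "$dst"; then
            echo unchanged
            return 0
        fi
        # Step 3: keep the original under a new name. Only the first
        # original is kept, so a repeated run cannot replace the .orig
        # file with an already-modified copy.
        [ -e "$dst.orig" ] || cp -p "$dst" "$dst.orig" || return 1
        state=replaced
    else
        state=installed
    fi

    # Step 6: copy the file from the media. Overwriting in place keeps
    # the mode and ownership of an existing destination file.
    cp "$src" "$dst" || return 1
    echo "$state"
}

# Example call, with the media mount point left as a placeholder:
#   install_from_media /MEDIA_MOUNT/label_encodings \
#       /etc/security/tsol/label_encodings
```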

How to Remove Trusted Extensions From the System

You must perform specific steps to remove the Trusted Extensions feature from an Oracle Solaris system.

Before You Begin

You are in the root role in the global zone.

  1. Archive any data in the labeled zones that you want to keep.

    For portable media, affix a physical sticker with the sensitivity label of the zone to each archived zone.

  2. Remove the labeled zones from the system.

    For details, see How to Remove a Non-Global Zone in Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management.

  3. Disable the Trusted Extensions service.
    # svcadm disable labeld
  4. (Optional) Reboot the system.
  5. Configure the system.

    Various services might need to be configured for your Oracle Solaris system. Possibilities include basic networking, naming services, and file system mounts.