A zone with a read-only zone root is called an Immutable Zone. A solaris Immutable Zone preserves the zone's configuration by implementing read-only root file systems for non-global zones. This zone extends the zone's secure runtime boundary by adding further restrictions to the runtime environment. Modifications to system binaries or system configurations are blocked unless they are performed as specific maintenance operations.
The mandatory write access control (MWAC) kernel policy is used to enforce file system write privilege through a zonecfg file-mac-profile property. Because the global zone is not subject to MWAC policy, the global zone can write to a non-global zone's file system for installation, image updates, and maintenance.
The MWAC policy is downloaded when the zone enters the ready state. The policy is enabled at zone boot. To perform post-install assembly and configuration, a temporary writable root file system boot sequence is used. Modifications to the zone's MWAC configuration take effect only after a zone reboot.
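The following script is an added example, not part of the original documentation: run from the global zone, it reads each non-global zone's file-mac-profile property and reports which zones are configured with a read-only root. It assumes that `zonecfg info` prints the property as `file-mac-profile: <value>` and that the read-only profile values are strict, fixed-configuration, and flexible-configuration; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which non-global zones are configured with a read-only root.
# Run from the global zone. The result reflects the configured value, which only
# takes effect after the zone is rebooted.

# Pull the value out of "file-mac-profile: <value>" (output layout is assumed).
profile_value() {
    printf '%s\n' "$1" | awk '$1 == "file-mac-profile:" { print $2; exit }'
}

# Classify a profile value. Unrecognised values are reported, not guessed at.
classify_profile() {
    case "$1" in
        ""|none) echo writable ;;
        strict|fixed-configuration|flexible-configuration) echo immutable ;;
        *) echo unknown ;;
    esac
}

# Print "<zone> <profile> <result>" for one zone.
audit_zone() {
    zone=$1
    line=$(zonecfg -z "$zone" info file-mac-profile 2>/dev/null) \
        || line="file-mac-profile: unreadable"
    value=$(profile_value "$line")
    echo "$zone ${value:-none} $(classify_profile "$value")"
}

# Audit every configured non-global zone; non-zero status if any is not immutable.
audit_all() {
    rc=0
    for zone in $(zoneadm list -c | grep -v '^global$'); do
        result=$(audit_zone "$zone")
        echo "$result"
        case "$result" in
            *" immutable") ;;
            *) rc=1 ;;
        esac
    done
    return "$rc"
}

# Only run where the zone tools exist (a Solaris global zone).
if command -v zonecfg >/dev/null 2>&1 && command -v zoneadm >/dev/null 2>&1; then
    audit_all
fi
```

A zone reported as writable or unknown is one whose configuration does not request MWAC enforcement, so it is worth reviewing before the next reboot.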
For general information about configuring, installing, and booting zones, see Chapter 1, How to Plan and Configure Non-Global Zones, and Chapter 3, Installing, Booting, Shutting Down, Halting, Uninstalling, and Cloning Non-Global Zones.