
Trusted Extensions Configuration and Administration


Updated: November 2020

Trusted Extensions Policies for Mounted File Systems

While Trusted Extensions supports the same file systems and file system management commands as Oracle Solaris, mounted file systems in Trusted Extensions are subject to the mandatory access control (MAC) policies for viewing and modifying labeled data. The mount policies and the read and write policies enforce the MAC policies for labeling.

Trusted Extensions Policy for Single-Level Datasets

For single-level datasets, the mount policy prevents any NFS or LOFS mounts that would violate MAC. For example, a zone's label must dominate all of its mounted file system labels, and only equally labeled file systems can be mounted with read-write permissions. Any shared file systems that belong to other zones or to NFS servers are mounted at the label of the owner.

The following summarizes the behavior of NFS-mounted single-level datasets:

  • In the global zone, all mounted files can be viewed, but only files that are labeled ADMIN_HIGH can be modified.

  • In a labeled zone, all mounted files that are equal to or lower than the label of the zone can be viewed, but only files at the label of the zone can be modified.

  • On an untrusted system, only file systems from a labeled zone whose label is the same as the untrusted system's assigned label can be viewed and modified.

For LOFS-mounted single-level datasets, the mounted files can be viewed. They are at the label ADMIN_LOW, so they cannot be modified.

Trusted Extensions Policy for Multilevel Datasets

For multilevel datasets, the MAC read and write policies are enforced at the granularity of files and directories rather than at the granularity of the file system.

Multilevel datasets can only be mounted in the global zone. Labeled zones can only access multilevel datasets by using LOFS mount points that you specify with the zonecfg command. For the procedure, see How to Create and Share a Multilevel Dataset. Appropriately privileged processes in the global zone or labeled zones can relabel files and directories.

  • In the global zone, all files in the multilevel dataset can be viewed. Mounted files that are labeled ADMIN_HIGH can be modified.

  • In a labeled zone, the multilevel dataset is mounted over LOFS. Mounted files at the same label as the zone, or at a lower label, can be viewed. Mounted files at the same label as the zone can be modified.

  • Multilevel datasets can also be shared from the global zone over NFS. Remote clients can view files that are dominated by their network label, and modify files with equal labels. However, relabeling is not possible on an NFS-mounted multilevel dataset. For information about NFS mounts, see Mounting Multilevel Datasets From Another System.

For more information, see Multilevel Datasets for Relabeling Files.

No Privilege Overrides for MAC Read-Write Policy

The MAC policy for reading and writing files has no privilege overrides. Single-level datasets can only be mounted read-write if the label of the zone equals the label of the dataset. For read-only mounts, the zone label must dominate the dataset label. For multilevel datasets, all files and directories must be dominated by the mlslabel property, which defaults to ADMIN_HIGH. For multilevel datasets, MAC policy is enforced at the file and directory level. MAC policy enforcement is invisible to all users. Users cannot see an object unless they have MAC access to the object.
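To make the dominance and equality rules above concrete, here is an added Python model of the read/write decisions; it is illustrative code written for this page, not Oracle code or a Trusted Extensions API. Labels are modelled as a classification plus a compartment set, with ADMIN_HIGH and ADMIN_LOW as the top and bottom of the lattice, and for multilevel datasets the mlslabel check is applied before the per-file decision.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a classification plus compartments. The admin
    field marks ADMIN_HIGH/ADMIN_LOW, which top and bottom every lattice."""
    classification: int = 0
    compartments: FrozenSet[str] = frozenset()
    admin: Optional[str] = None  # "HIGH", "LOW", or None for ordinary labels

    def dominates(self, other: "Label") -> bool:
        # ADMIN_HIGH dominates everything; everything dominates ADMIN_LOW.
        if self.admin == "HIGH" or other.admin == "LOW":
            return True
        if self.admin == "LOW" or other.admin == "HIGH":
            return self == other
        return (self.classification >= other.classification
                and other.compartments <= self.compartments)


ADMIN_HIGH = Label(admin="HIGH")
ADMIN_LOW = Label(admin="LOW")


def access(subject: Label, obj: Label) -> Optional[str]:
    """MAC read/write rule with no privilege override: write requires equal
    labels, read requires the subject to dominate the object."""
    if subject == obj:
        return "rw"
    return "ro" if subject.dominates(obj) else None


def single_level_mount(zone: Label, dataset: Label) -> Optional[str]:
    """Single-level dataset: one label for the whole file system, so the
    decision is made once at mount time (rw, ro, or None = mount refused)."""
    return access(zone, dataset)


def multilevel_file_access(zone: Label, file_label: Label,
                           mlslabel: Label = ADMIN_HIGH) -> Optional[str]:
    """Multilevel dataset: each file carries its own label, which must be
    dominated by the dataset's mlslabel (default ADMIN_HIGH); the read/write
    decision is then made per file, not per file system."""
    if not mlslabel.dominates(file_label):
        raise ValueError("file label is not dominated by the dataset mlslabel")
    return access(zone, file_label)
```

The global zone behaves like any other subject here: as ADMIN_HIGH it dominates every label, so it reads everything but writes only ADMIN_HIGH objects, matching the bullets above.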

The following summarizes the share and mount policies in Trusted Extensions for single-level datasets:

  • For a Trusted Extensions system to mount a file system on another Trusted Extensions system, the server and the client must have compatible remote host templates of type cipso.

  • For a Trusted Extensions system to mount a file system from an untrusted system, the single label that is assigned to the untrusted system by the Trusted Extensions system must match the label of the global zone.

    Similarly, for a labeled zone to mount a file system from an untrusted system, the single label that is assigned to the untrusted system by the Trusted Extensions system must match the label of the mounting zone.

  • Files whose labels differ from the mounting zone and are mounted with LOFS can be viewed, but cannot be modified. For details on NFS mounts, see NFS Server and Client Configuration in Trusted Extensions.

The following summarizes the share and mount policies in Trusted Extensions for multilevel datasets:

  • For a Trusted Extensions system to share a multilevel dataset with another system, the NFS server must be configured as a multilevel service.

  • For a Trusted Extensions system to share a multilevel dataset with labeled zones on its own system, the global zone must LOFS mount the dataset in the zones.

    The labeled zone has write access to those LOFS-mounted files and directories whose label matches the zone's label, and has read access to the files and directories that it dominates. MAC policy is enforced at the individual file and directory level.