Go to main content

Trusted Extensions Configuration and Administration

Exit Print View

» ...Documentation Home » Oracle Solaris 11.4 Information Library » Trusted Extensions Configuration and ... » Administration of Trusted Extensions » Managing Zones in Trusted Extensions » Managing Zones » How to Disable the Mounting of Lower-Level Files

Updated: November 2020

Trusted Extensions Configuration and Administration

Document Information

Using This Documentation

Part I Initial Configuration of Trusted Extensions

Part II Administration of Trusted Extensions

Chapter 7 Trusted Extensions Administration Concepts

Trusted Extensions and the Oracle Solaris OS

Basic Concepts of Trusted Extensions

Chapter 8 Trusted Extensions Administration Tools

Administration Tools for Trusted Extensions

txzonemgr Script

Command Line Tools in Trusted Extensions

Configuration Files in Trusted Extensions

Chapter 9 About Security Requirements on a Trusted Extensions System

Configurable Security Features

Rules When Changing the Level of Security for Data

Chapter 10 Common Tasks in Trusted Extensions

Performing Common Tasks in Trusted Extensions

Chapter 11 About Users, Rights, and Roles in Trusted Extensions

User Security Features in Trusted Extensions

Administrator Responsibilities for Users

Decisions to Make Before Creating Users in Trusted Extensions

Default User Security Attributes in Trusted Extensions

Configurable User Attributes in Trusted Extensions

Security Attributes That Must Be Assigned to Users

Chapter 12 Managing Users, Rights, and Roles in Trusted Extensions

Customizing the User Environment for Security

Managing Users and Rights

Chapter 13 Managing Zones in Trusted Extensions

Zones in Trusted Extensions

Global Zone Processes and Labeled Zones

Primary and Secondary Labeled Zones

Zone Administration Utilities in Trusted Extensions

How to Display Ready or Running Zones

How to Display the Labels of Mounted Files

How to Loopback Mount a File That Is Usually Not Visible in a Labeled Zone

How to Disable the Mounting of Lower-Level Files

How to Share a ZFS Dataset From a Labeled Zone

How to Enable Files to Be Relabeled From a Labeled Zone

Chapter 14 Managing and Mounting Files in Trusted Extensions

Mount Possibilities in Trusted Extensions

Trusted Extensions Policies for Mounted File Systems

Results of Sharing and Mounting File Systems in Trusted Extensions

Multilevel Datasets for Relabeling Files

NFS Server and Client Configuration in Trusted Extensions

Trusted Extensions Software and NFS Protocol Versions

Backing Up, Sharing, and Mounting Labeled Files

Chapter 15 Trusted Networking

About the Trusted Network

Network Security Attributes in Trusted Extensions

Trusted Network Fallback Mechanism

About Routing in Trusted Extensions

Administration of Routing in Trusted Extensions

Administration of Labeled IPsec

Chapter 16 Managing Networks in Trusted Extensions

Labeling Hosts and Networks

Configuring Routes and Multilevel Ports

Configuring Labeled IPsec

Troubleshooting the Trusted Network

Chapter 17 About Multilevel Mail in Trusted Extensions

Multilevel Mail Service

Trusted Extensions Mail Features

Chapter 18 Managing Labeled Printing

Labels, Printers, and Printing

Managing Printing in Trusted Extensions

Configuring Labeled Printing

Reducing Printing Restrictions in Trusted Extensions

Chapter 19 Trusted Extensions and Auditing

Auditing in Trusted Extensions

Chapter 20 Software Management in Trusted Extensions

Adding Software to Trusted Extensions

Appendix A Site Security Policy for Trusted Extensions

Appendix B Configuration Checklist for Trusted Extensions

Appendix C Quick Reference to Trusted Extensions Administration

Appendix D List of Trusted Extensions Man Pages

Trusted Extensions Glossary

Language:

How to Disable the Mounting of Lower-Level Files

By default, users can view lower-level files. To prevent the viewing of all lower-level files from a particular zone, remove the net_mac_aware privilege from that zone. For a description of the net_mac_aware privilege, see the privileges(7) man page.

Before You Begin

You must be in the System Administrator role in the global zone.

Halt the zone whose configuration you want to change.
```
# zoneadm -z zone-name halt
```
Configure the zone to prevent the viewing of lower-level files.
Remove the net_mac_aware privilege from the zone.
```
# zonecfg -z zone-name
set limitpriv=default,!net_mac_aware
exit
```
Restart the zone.
```
# zoneadm -z zone-name boot
```

Example 19 Preventing Users From Viewing Lower-Level Files

In this example, the security administrator prevents users on one system from being confused. Therefore, users can only view files at the label at which the users are working. So, the security administrator prevents the viewing of all lower-level files. On this system, users cannot see publicly available files unless they are working at the PUBLIC label. Also, users can only NFS mount files at the label of the zones.

# zoneadm -z restricted halt
# zonecfg -z restricted
set limitpriv=default,!net_mac_aware
exit
# zoneadm -z restricted boot

# zoneadm -z needtoknow halt
# zonecfg -z needtoknow
set limitpriv=default,!net_mac_aware
exit
# zoneadm -z needtoknow boot

# zoneadm -z internal halt
# zonecfg -z internal
set limitpriv=default,!net_mac_aware
exit
# zoneadm -z internal boot

Because PUBLIC is the lowest label, the security administrator does not run the commands for the PUBLIC zone.

Copyright © 1992, 2020, Oracle and/or its affiliates.