Solaris Trusted Extensions Reference Manual

tnzonecfg

- trusted network zone configuration database

Synopsis

/etc/security/tsol/tnzonecfg

Description

The tnzonecfg database is a list of Solaris Trusted Extensions zone configuration entries for the local host. The database is indexed by zone name. Each configuration entry specifies a zone's label, multilevel port (MLP), and other zone-related information for zone creation.

Each entry in the zone configuration database consists of five fields. Each entry is on one long line, with fields of the entry separated by colons (:).

zone-name:label:network-policy:zone-mlp-list:shared-mlp-list
global:ADMIN_LOW:1:6000-6003/tcp:6000-6003/tcp

A pound sign (#) as the first character of a line indicates a comment line, which is ignored.

zone-name

Is the name for the zone. This name is used when the zone is configured. See zonecfg(1M), under the -z zonename option, for the constraints on zone names.

label

Is the label for the zone. This field is used to label the zone when the zone is booted. The label can be in shortened hexadecimal format or in text format. The labels are defined in the label_encodings file. Each zone must have a unique label.

network-policy

Is the policy for handling all non-transport traffic. This field is used to decide for non-MLP traffic if an exact zone label is required or if a label range match is allowed. The value 0 indicates strict zone label matching for inbound packets. If this field is set to 1, the receiving host accepts packets within the host's accreditation range.

ICMP packets that are received on the global zone IP address are accepted based on the label range of the global zone's tnrhtp entry if the global zone's network-policy field is set to 1. When this field is set to 0 for a zone, the zone will not respond to an ICMP echo request from a host with a different label.

zone-mlp-list

Is the multilevel port configuration entry for a zone on the IP addresses that belong to that zone. zone-mlp-list is a list of semicolon-separated MLP configuration entries. Each MLP configuration entry is specified by port/protocol or port-range/protocol. For example, 6001-6003/tcp means that tcp ports 6001, 6002, and 6003 are all MLPs.

An MLP is used to provide multilevel service in the global zone as well as in non-global zones. As an example of how a non-global zone can use an MLP, consider setting up two labeled zones, internal and public. The internal zone can access company networks; the public zone can access public internet but not the company's internal networks. For safe browsing, when a user in the internal zone wants to browse the Internet, the internal zone browser forwards the URL to the public zone, and the web content is then displayed in a public zone web browser. That way, if the download in public zone compromises the web browser, it cannot affect the company's internal network. To set this up, tcp port 8080 in the public zone is an MLP (8080/tcp), and the tnrhtp template for the public zone has a label range from PUBLIC to INTERNAL.

shared-mlp-list

Is the multilevel port configuration entry for shared IP addresses. shared-mlp-list is a list of semicolon-separated MLP configuration entries. Each MLP configuration entry is specified by port/protocol. Other zones do not have access to this port/protocol on shared interfaces. It is a configuration error to specify the same port/protocol in the shared-mlp-list field of more than one zone.

A shared IP address can reduce the total number of IP addresses that are needed on the system, especially when configuring a large number of zones. If network traffic is received on a shared interface, on a port that is specified in a zone's shared-mlp-list, the traffic cannot be received by other zones.

After each modification to the tnzonecfg database, the administrator should run tnchkdb(1M) to check the syntax. If this database is modified while the network is up, the changes do not take effect until tnctl(1M) updates the kernel.
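As an added illustration, not part of this man page and not tnchkdb(1M)'s own code, the following Python parses entries in the five-field format described above and applies two of the constraints the Description states: each zone must have a unique label, and no port/protocol may appear in the shared-mlp-list of more than one zone. The sample entries are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the five-field tnzonecfg format described above.
SAMPLE = """\
# comment line
global:ADMIN_LOW:1:111/tcp;111/udp;2049/tcp;6000-6003/tcp:6000-6003/tcp
public:PUBLIC:0:8080/tcp:
internal:0x0004-08-48:0::
"""
MLP_RE = re.compile(r"^(\d+)(?:-(\d+))?/(tcp|udp)$")

def parse_mlp_list(field):
    """Expand 'port[-port]/proto;...' into a set of (port, proto) tuples."""
    ports = set()
    for item in filter(None, field.split(";")):
        m = MLP_RE.match(item)
        if not m:
            raise ValueError(f"bad MLP entry {item!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range {item!r}")
        ports.update((p, m.group(3)) for p in range(lo, hi + 1))
    return ports

def parse_tnzonecfg(text):
    """Return {zone-name: entry}; raise ValueError on a malformed line."""
    zones = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank or comment line
        fields = line.split(":")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        name, label, policy, zone_mlp, shared_mlp = fields
        if policy not in ("0", "1"):
            raise ValueError(f"line {lineno}: network-policy must be 0 or 1")
        zones[name] = {"label": label, "policy": int(policy),
                       "zone_mlp": parse_mlp_list(zone_mlp),
                       "shared_mlp": parse_mlp_list(shared_mlp)}
    return zones

def check_conflicts(zones):
    """Flag labels used by more than one zone and shared MLPs claimed twice."""
    errors = []
    labels = Counter(z["label"] for z in zones.values())
    errors += [f"label {l!r} used by {n} zones" for l, n in labels.items() if n > 1]
    shared = Counter(p for z in zones.values() for p in z["shared_mlp"])
    errors += [f"shared MLP {p}/{pr} in {n} zones" for (p, pr), n in shared.items() if n > 1]
    return errors
```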

Examples

Example 1 Sample Zone Configuration Entries

In the database file, each zone entry is made on a single line.

In this example, there are four non-global zones: public, internal, needtoknow, and restricted. Only the global zone and the public zone have MLPs.

In the global entry, the zone-mlp-list value of 111/tcp;111/udp;2049/tcp;6000-6003/tcp specifies these ports as MLPs in the global zone only. The shared-mlp-list value of 6000-6003/tcp specifies these ports as MLPs for the shared IP addresses, that is, for the labeled zones. With a network-policy of 1, only the global zone accepts incoming packets from a host whose label is different from its own.

In the public entry, the network-policy value of 0 restricts it to receiving public non-transport traffic. The zone-mlp-list value of 8080/tcp makes the public zone's web browser port an MLP.

The 8080 tcp port in the other zones is a single-level port, so it is not listed. Similarly, each labeled zone has a single-level 111 port, 2049 port, and so on.

    #
    # Sample global zone configuration file
    #
    # Multilevel Port (MLP) specification:
    #
    #       MLP                     PURPOSE
    #       ---                     -------
    #       111                     Port Mapper
    #       2049                    NFSv4 server
    #       6000-6003               Multilevel Desktop
    #
    global:ADMIN_LOW:1:111/tcp;111/udp;2049/tcp;6000-6003/tcp:6000-6003/tcp
    public:PUBLIC:0:8080/tcp:
    internal:0x0004-08-48:0::
    needtoknow:0x0004-08-68:0::
    restricted:0x0004-08-78:0::

Attributes

See attributes(5) for descriptions of the following attributes:

    ATTRIBUTE TYPE          ATTRIBUTE VALUE
    Availability            SUNWtsg
    Stability               Project Private

Files

/etc/security/tsol/tnzonecfg

Trusted network zone configuration database

See Also

smtnzonecfg(1M), tnchkdb(1M), tnctl(1M), tnd(1M), tninfo(1M), zonecfg(1M), label_encodings(4), tnrhdb(4), tnrhtp(4), attributes(5)

Solaris Management Console Tools in Solaris Trusted Extensions Administrator’s Procedures