Solaris Trusted Extensions Administrator's Procedures

Creating Labeled Zones

The instructions in this section configure labeled zones on a system that has been assigned at most two IP addresses. For other configurations, see the configuration options in Task Map: Preparing For and Enabling Trusted Extensions.

Task map (task, description, and where to find instructions):

  1. Run the txzonemgr script.

    Description: The txzonemgr script creates a GUI that presents the appropriate tasks as you configure your zones.

    For instructions: Run the txzonemgr Script

  2. Create, install, boot, and halt the first zone.

    Description: In the default configuration, create the PUBLIC zone. This zone forms the template for other labeled zones.

    For instructions: Create the First Labeled Zone

  3. Manage network interfaces in the global zone.

    Description: Configure interfaces in the global zone, or create logical interfaces and configure them in the global zone.

    For instructions: Configure the Network Interfaces in Trusted Extensions

  4. Create a clone.

    Description: Clone the first zone. The clone is not assigned a label.

    For instructions: Clone the First Zone in Trusted Extensions

  5. Verify that the first zone is working correctly.

    Description: Test the connection with a system that is not running Trusted Extensions.

    For instructions: Verify the Status of the Public Zone

  6. Label the cloned zone.

    Description: Add a label to a cloned zone.

    For instructions: Adding Network Interfaces and Routing to Labeled Zones

  7. Create a zone from a snapshot.

    Description: Create the rest of the zones.

    For instructions: Create a Zone From the Snapshot

  8. Create a labeled working environment.

    Description: Activate the PUBLIC and INTERNAL workspaces.

    For instructions: Activate Two Zone Workspaces

Procedure: Run the txzonemgr Script

This script steps you through the tasks to properly configure, install, initialize, and boot labeled zones. In the script, you name each zone, associate the name with a label, install the packages to create a virtual OS, and then boot the zone to start services in that zone. The script includes copy zone and clone zone tasks. You can also halt a zone, change the state of a zone, and add zone-specific network interfaces.

This script presents a dynamically-determined menu that displays only valid choices for the current circumstances. For instance, if the status of a zone is configured, the Install zone menu item is not displayed. Tasks that are completed do not display in the list.

Before You Begin

You have assumed the root role.

  1. Open a terminal window in the fourth workspace.

  2. Run the txzonemgr script.


    # /usr/sbin/txzonemgr
    

    The script opens the Labeled Zone Manager dialog box. This zenity dialog box prompts you for the appropriate tasks, depending on the current state of your installation.

    To perform a task, you select the menu item, then press the Return key or click OK. When you are prompted for text, type the text then press the Return key or click OK.


    Tip –

    To view the current state of zone completion, click Return to Main Menu in the Labeled Zone Manager.


Procedure: Create the First Labeled Zone

You do not have to create a zone for every label in your label_encodings file, but you can. The administrative GUIs enumerate the labels that can have zones created for them on this system.

Before You Begin

You are in the root role. The Labeled Zone Manager dialog box is displayed. To open this GUI, see Run the txzonemgr Script.

You have not created a zone yet.

  1. Click OK in the following dialog box:


    Do you want to create the public zone using default settings?

    After the public zone is created, another terminal window appears. Its title is Zone Terminal Console: public. The public zone boots, initializes, and then prompts for the root password.

  2. Press the F2 key twice to provide the password for the root role.

    The zone reboots.

    The Labeled Zone Manager dialog box displays the state and options for the public zone.

  3. Halt the public zone by selecting Halt from the Labeled Zone Manager.

    In the Zone Terminal Console window, a notice appears: Notice: Zone Halted

  4. From the public zone options list, click Select another zone...

Procedure: Configure the Network Interfaces in Trusted Extensions

In this task, you configure the networking in the global zone. You must create exactly one all-zones interface. An all-zones interface is shared by the labeled zones and the global zone. The shared interface is used to route traffic between the labeled zones and the global zone. To configure this interface, do one of the following:

To add zone-specific network interfaces, finish and verify zone creation before adding the interfaces. For the procedure, see Add a Network Interface to Route an Existing Labeled Zone.

Before You Begin

The public zone is halted.

The Labeled Zone Manager is displayed. To open this GUI, see Run the txzonemgr Script.

From the public zone options list, you have clicked Select another zone...

  1. In the Labeled Zone Manager, select the global zone.

  2. Select Configure Network Interfaces.

    A list of interfaces is displayed. Look for an interface that is listed with the following characteristics:

    • Type of physical

    • IP address of your hostname

    • Template of cipso

    • State of Up

  3. Select the interface that corresponds to your hostname.

  4. From the list of commands, select Share with Shared-IP Zones.

  5. Click Cancel to return to the global zone command list.

  6. To connect to other systems on your network that are running Trusted Extensions, select Add Multilevel Access to Remote Host...

    1. Type the IP address of another Trusted Extensions system.

    2. Run the corresponding commands on the other Trusted Extensions system.

Procedure: Clone the First Zone in Trusted Extensions

Before You Begin

You have completed Create the First Labeled Zone and Configure the Network Interfaces in Trusted Extensions. The public zone is still halted.

The Labeled Zone Manager dialog box is displayed. To open this GUI, see Run the txzonemgr Script.

  1. From the Labeled Zone Manager, select Create a new zone...

    You are prompted to Enter Zone Name.

  2. Type snapshot as the zone name.

    A list of options appears for the snapshot zone.

  3. Select Clone...

    A list of installed zones appears. The list includes the name public.

  4. Double-click public.

    The snapshot zone is created as a clone of the public zone. It is not booted automatically, so set it to manual booting in the next step.

  5. Select Set Manual Booting.

    The snapshot zone is never booted, therefore it does not need a label. Verify that the Boot option is not available.

Procedure: Verify the Status of the Public Zone


Note –

The X server runs in the global zone. Each labeled zone must be able to connect with the global zone to use the X server. Therefore, zone networking must work before a zone can be used. For background information, see Planning for Multilevel Access.


Before You Begin

The Labeled Zone Manager dialog box displays the global zone.

  1. Select Select another zone and choose public.


  2. Select Add Single-level Access to Remote Host...

    1. At the prompt, type the IP address of a system on your network that is not running Trusted Extensions.

    2. Select Boot.

      Zone booting messages appear in the Zone Console Terminal window.

  3. In the public: Zone Console Terminal window, log in as root.

  4. Run the ifconfig -a command.


    # ifconfig -a
    

    Verify that the primary interface and IP address are available in this zone.

  5. Verify that you can ping the host to which you previously added single-level access.


    # ping remote-single-level-host

  6. Log out and close the Zone Console Terminal window.
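The checks in steps 4 and 5 can be scripted so that the result is a pass or fail rather than something read off the screen. The following is an added example, not code from the Oracle documentation: it parses `ifconfig -a` output for the expected address on an interface that is UP, then pings the remote single-level host. The `ifconfig -a` text and the address 192.0.2.10 below are constructed samples; the optional fourth argument replaces the ping command so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: scripted form of the checks that
# "Verify the Status of the Public Zone" asks you to do by eye inside the public
# zone (steps 4 and 5). Run it in the zone console as root with the real
# `ifconfig -a` output; the sample below is constructed for an offline run.

# Constructed sample of what `ifconfig -a` prints inside the public zone.
# 192.0.2.10 is an assumed address for the shared all-zones interface;
# the e1000g0:1 logical interface is deliberately shown without the UP flag.
SAMPLE_IFCONFIG='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
e1000g0:1: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.0.2.11 netmask ffffff00 broadcast 192.0.2.255'

# iface_with_ip IFCONFIG_TEXT IP
# Prints the name of the interface that carries IP and has the UP flag;
# returns 1 when no such interface exists (address missing or interface down).
iface_with_ip() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /^[A-Za-z]/ {                        # interface header line, e.g. "e1000g0: flags=..."
            iface = $1; sub(/:$/, "", iface)
            up = ($0 ~ /<[^>]*UP[,>]/)       # UP must appear inside the <...> flag list
        }
        $1 == "inet" && $2 == ip && up { print iface; found = 1; exit }
        END { if (found) exit 0; exit 1 }'
}

# verify_zone_network IFCONFIG_TEXT IP REMOTE_HOST [PING_CMD]
# Returns 0 only when IP is on an UP interface and REMOTE_HOST answers.
# PING_CMD defaults to Solaris ping, which sends one probe and prints "host is alive";
# pass "true" or "false" instead to exercise the logic without a network.
verify_zone_network() {
    ifc=$(iface_with_ip "$1" "$2") || { echo "FAIL: $2 is not on an UP interface"; return 1; }
    echo "OK: $2 is configured on $ifc"
    ${4:-ping} "$3" >/dev/null 2>&1 || { echo "FAIL: no reply from $3"; return 1; }
    echo "OK: $3 answers"
}

# Real run inside the zone console (remote-single-level-host as in step 5):
#   verify_zone_network "$(ifconfig -a)" 192.0.2.10 remote-single-level-host
```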

Procedure: Create a Zone From the Snapshot

This procedure creates the internal zone. Use this procedure to create the rest of your labeled zones.

Before You Begin

You are in the root role. The Labeled Zone Manager dialog box is displayed. To open this GUI, see Run the txzonemgr Script.

You have completed Clone the First Zone in Trusted Extensions.

  1. In the Labeled Zone Manager, select Select another zone.

  2. Choose global.

  3. Select Create a new zone:

    The prompt, Enter Zone Name:, appears.

  4. Type internal.

    A one-item list for the internal zone appears.

  5. Choose Select Label....

  6. From the label selection dialog box, select INTERNAL USE ONLY from the Sensitivity column and click OK.

  7. In the list of options for the internal zone, select Clone....

  8. Select snapshot from the list of installed zones.

    snapshot is the only item in the list.

  9. Select Boot.

Procedure: Activate Two Zone Workspaces

This procedure creates two labeled workspaces and opens a labeled window in each labeled workspace.

Before You Begin

You have completed Create a Zone From the Snapshot.

  1. Go to the first workspace.

    The desktop background should appear.

  2. Open a terminal window.

    The window is labeled PUBLIC.

  3. Create a workspace with a different label.

    1. Switch to the second workspace.

    2. Right-click and select Change Workspace Label...

    3. Select INTERNAL USE ONLY and click OK.

  4. Open a terminal window.

    The window is labeled CONFIDENTIAL : INTERNAL USE ONLY.