By default, users can view lower-level files. Remove the net_mac_aware privilege to prevent the viewing of all lower-level files from a particular zone. For a description of the net_mac_aware privilege, see the privileges(5) man page.
You must be in the System Administrator role in the global zone.
Halt the zone whose configuration you want to change.
# zoneadm -z zone-name halt
Configure the zone to prevent the viewing of lower-level files.
Remove the net_mac_aware privilege from the zone.
# zonecfg -z zone-name
set limitpriv=default,!net_mac_aware
exit
Restart the zone.
# zoneadm -z zone-name boot
In this example, the security administrator wants to prevent users on one system from being confused, so users are to view files only at the label at which they are working. The security administrator therefore prevents the viewing of all lower-level files. On this system, users cannot see publicly available files unless they are working at the PUBLIC label. Also, users can NFS mount files only at the label of the zones.
# zoneadm -z restricted halt
# zonecfg -z restricted
set limitpriv=default,!net_mac_aware
exit
# zoneadm -z restricted boot

# zoneadm -z needtoknow halt
# zonecfg -z needtoknow
set limitpriv=default,!net_mac_aware
exit
# zoneadm -z needtoknow boot

# zoneadm -z internal halt
# zonecfg -z internal
set limitpriv=default,!net_mac_aware
exit
# zoneadm -z internal boot
Because PUBLIC is the lowest label, the security administrator does not run the commands for the PUBLIC zone.
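A check to run after the procedure, as an added example that is not part of the original page: it reads one "zone|limitpriv line" record per zone and lists the zones whose limitpriv value still lacks the net_mac_aware exclusion. The function names, the record format and the sample records (including the sandbox zone) are constructed for illustration, and the "limitpriv:" line format is assumed to match the output of zonecfg -z zone-name info limitpriv.

```shell
#!/bin/sh
# Added example: report labeled zones whose limitpriv value does not yet
# exclude net_mac_aware. Not code from the original page.

# Strip the "limitpriv:" label and all whitespace from an info line.
limitpriv_value() {
    printf '%s\n' "$1" |
        sed -e 's/^[[:space:]]*limitpriv:[[:space:]]*//' -e 's/[[:space:]]//g'
}

# Succeed only when the comma-separated value carries the exact exclusion
# token. zonecfg accepts both "!priv" and "-priv". The check is conservative:
# any value without the token is reported.
net_mac_aware_removed() {
    case ",$1," in
        *',!net_mac_aware,'*|*',-net_mac_aware,'*) return 0 ;;
    esac
    return 1
}

# Read "zone|info-line" records on stdin and print the zones that still need
# the procedure. $1 names the lowest-label zone, which is skipped.
zones_needing_change() {
    lowest=$1
    while IFS='|' read -r zone info; do
        [ -n "$zone" ] || continue
        [ "$zone" = "$lowest" ] && continue
        net_mac_aware_removed "$(limitpriv_value "$info")" || printf '%s\n' "$zone"
    done
}

# Constructed sample records. On a live system each record could be built as:
#   printf '%s|%s\n' "$z" "$(zonecfg -z "$z" info limitpriv)"
sample_records() {
    cat <<'EOF'
public|limitpriv:
internal|limitpriv: default
needtoknow|limitpriv: default,-net_mac_aware
restricted|limitpriv: default,!net_mac_aware
sandbox|limitpriv: default,!net_mac_aware_x
EOF
}

# Prints "internal" and "sandbox": one is unchanged, one has a mistyped token.
sample_records | zones_needing_change public
```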