Oracle Solaris Trusted Extensions Administrator's Procedures

Procedure: How to Create a Multilevel Port for a Zone

This procedure is used when an application that runs in a labeled zone requires a multilevel port (MLP) to communicate with the zone. In this procedure, a web proxy communicates with the zone. The Solaris Management Console is used to add the MLP.

Before You Begin

You must be in the Security Administrator role in the global zone. The labeled zone must exist. For details, see Creating Labeled Zones in Oracle Solaris Trusted Extensions Configuration Guide.

  1. Start the Solaris Management Console.

    For details, see How to Administer the Local System With the Solaris Management Console.

  2. Choose the Files toolbox.

    The title of the toolbox includes Scope=Files, Policy=TSOL.

  3. Add the proxy host and the webservice host to the list of computers.

    1. Under System Configuration, navigate to the Computers and Networks tool.

    2. In the Computers tool, click the Action menu and choose Add Computer.

    3. Add the host name and IP address for the proxy host.

    4. Save the changes.

    5. Add the host name and IP address for the webservice host.

    6. Save the changes.

  4. Configure the zone and the MLP.

    1. Navigate to the Trusted Network Zones tool.

    2. Select the labeled zone.

    3. In the MLP Configuration for Local IP Addresses section, enter the port and protocol that the application uses in the port/protocol field.

    4. Save the changes.

  5. For the zone, customize a template by completing the following steps:

    1. Navigate to the Security Templates tool.

      Click the Action menu and choose Add Template.

    2. Use the host name for the template name.

    3. Specify CIPSO for the Host Type.

    4. Use the label of the zone for the Minimum Label and for the Maximum Label.

    5. Assign the zone label to the Security Label Set.

    6. Select the Hosts Explicitly Assigned tab.

    7. In the Add an Entry section, add the IP address that is associated with the zone.

    8. Save the changes.

  6. Close the Solaris Management Console.

  7. Start the zones.

    # zoneadm -z zone-name boot

  8. In the global zone, add routes for the new addresses.

    For example, if the zones have a shared IP address, do the following:

    # route add proxy labeled-zones-IP-address
    # route add webservice labeled-zones-IP-address
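The command-line tail of this procedure (steps 7 and 8), followed by a check that the MLP entered in step 4 is actually in effect, as an added example that is not part of the original page. It assumes the MLP was entered as a port or port range followed by /tcp or /udp, that `tninfo -m zone-name` prints the zone's MLP configuration in the global zone, and that the zone name, host names and address are placeholders to be replaced with the site's own values.

```shell
#!/bin/sh
# Added example: finish the MLP procedure from the global zone and confirm
# that the port/protocol entered in the Trusted Network Zones tool is live.
# Constructed placeholder values, not taken from the page.
ZONE="zone-name"
MLP="8080/tcp"            # port/protocol as typed into the MLP field
PROXY="proxy"             # host names added to the Computers tool in step 3
WEBSERVICE="webservice"
ZONE_IP="10.0.0.5"        # labeled zone's shared IP address (placeholder)

# Check that a string has the shape the MLP field expects: a port or a
# low-high port range (1-65535) followed by /tcp or /udp.
# Assumption: only tcp and udp are accepted by this check.
mlp_spec_ok() {
  case "$1" in
    */tcp|*/udp) ;;
    *) return 1 ;;
  esac
  ports=${1%/*}
  lo=${ports%-*}
  hi=${ports#*-}
  for p in "$lo" "$hi"; do
    case "$p" in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
  done
  [ "$lo" -le "$hi" ]
}

# Return 0 if tninfo -m reports the expected MLP for the zone (assumption:
# the port/protocol string appears verbatim in its output).
mlp_configured() {
  tninfo -m "$1" 2>/dev/null | grep -q "$2"
}

main() {
  mlp_spec_ok "$MLP" || { echo "bad MLP spec: $MLP" >&2; return 1; }
  zoneadm -z "$ZONE" boot || return 1                 # step 7
  route add "$PROXY" "$ZONE_IP" || return 1           # step 8
  route add "$WEBSERVICE" "$ZONE_IP" || return 1
  if mlp_configured "$ZONE" "$MLP"; then
    echo "MLP $MLP is configured for zone $ZONE"
  else
    echo "tninfo -m $ZONE does not show $MLP; recheck step 4" >&2
    return 1
  fi
}

# Only run the procedure where the Trusted Extensions tools exist.
if command -v zoneadm >/dev/null 2>&1; then main "$@"; fi
```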