Oracle Solaris Trusted Extensions Configuration and Administration     Oracle Solaris 11 Express 11/10

Managing Zones (Task Map)

The following task map describes zone management tasks that are specific to Trusted Extensions. The map also points to common procedures that are performed in Trusted Extensions just as they are performed on an Oracle Solaris system.

Task: View all zones.
Description: At any label, views the zones that are dominated by the current zone.

Task: View mounted directories.
Description: At any label, views the directories that are dominated by the current label.

Task: Enable regular users to view an /etc file.
Description: Loopback mounts a directory or file from the global zone that is not visible by default in a labeled zone.

Task: Prevent regular users from viewing a lower-level home directory from a higher label.
Description: By default, lower-level directories are visible from higher-level zones. When you disable the mounting of one lower-level zone, you disable all mounts of lower-level zones.

Task: Configure a zone to enable the changing of the labels on files.
Description: Labeled zones have limited privileges. By default, labeled zones do not have the privilege that enables an authorized user to relabel a file. You modify the zone configuration to add the privilege.

Task: Attach a ZFS dataset to a labeled zone and share it.
Description: Mounts a ZFS dataset with read/write permissions in a labeled zone and shares the dataset read-only with a higher zone.

Task: Configure a new zone.
Description: Creates a zone at a label that is not currently being used to label a zone on this system.
For Instructions: See Create Labeled Zones Interactively. Then, follow the procedure that the initial setup team used to create the other zones. For the steps, see Creating Labeled Zones.

Task: Create a multilevel port for an application.
Description: Multilevel ports are useful for programs that require a multilevel feed into a labeled zone.

Task: Troubleshoot NFS mount and access problems.
Description: Debugs general access issues for mounts and possibly for zones.

Task: Remove a labeled zone.
Description: Completely removes a labeled zone from the system.

How to Display Ready or Running Zones

This procedure creates a shell script that displays the labels of the current zone and all zones that the current zone dominates.

Before You Begin

You must be in the System Administrator role in the global zone.

  1. In an editor, create the getzonelabels script.

    Provide the pathname to the script, such as /usr/local/scripts/getzonelabels.

  2. Add the following content, and save the file:
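    #!/bin/sh
    #
    # getzonelabels: list each ready or running zone with its status and label.
    echo "NAME\t\tSTATUS\t\tLABEL"
    echo "====\t\t======\t\t====="
    myzone=`zonename`
    # Each "zoneadm list -p" record starts with zoneid:zonename:state:zonepath
    for i in `/usr/sbin/zoneadm list -p` ; do
            zone=`echo "$i" | cut -d ":" -f2`
            status=`echo "$i" | cut -d ":" -f3`
            path=`echo "$i" | cut -d ":" -f4`
            # For a labeled zone, query a directory that carries the zone's label.
            if [ "$zone" != global ]; then
                    if [ "$myzone" = global ]; then
                            path=$path/root/tmp
                    else
                            path=$path/export/home
                    fi
            fi
            # getlabel prints "path: label"; keep everything after the first colon.
            label=`/usr/bin/getlabel -s "$path" | cut -d ":" -f2-9`
            # Short zone names get an extra tab so that the columns line up.
            if [ `echo "$zone" | wc -m` -lt 8 ]; then
                    echo "$zone\t\t$status\t$label"
            else
                    echo "$zone\t$status\t$label"
            fi
    done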
  3. Test the script in the global zone.

    When run from the global zone, the script displays the labels of all ready or running zones. Here is the global zone output for the zones that were created from the default label_encodings file:

    # getzonelabels
    NAME            STATUS          LABEL
    ====            ======          =====
    global          running         ADMIN_HIGH
    needtoknow      running         CONFIDENTIAL : NEED TO KNOW
    restricted      ready           CONFIDENTIAL : RESTRICTED
    internal        running         CONFIDENTIAL : INTERNAL
    public          running         PUBLIC

Example 16-1 Displaying the Labels of All Ready or Running Zones

In the following example, a user runs the getzonelabels script in the internal zone.

# getzonelabels
NAME            STATUS          LABEL
====            ======          =====
internal        running         CONFIDENTIAL : INTERNAL
public          running         PUBLIC

How to Display the Labels of Mounted Files

This procedure creates a shell script that displays the mounted file systems of the current zone. When run from the global zone, the script displays the labels of all mounted file systems in every zone.

Before You Begin

You must be in the System Administrator role in the global zone.

  1. In an editor, create the getmounts script.

    Provide the pathname to the script, such as /usr/local/scripts/getmounts.

  2. Add the following content and save the file:
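    #!/bin/sh
    #
    # getmounts: print the label of every mounted file system.
    # The third field of each "mount -p" record is the mount point.
    for i in `/usr/sbin/mount -p | cut -d " " -f3` ; do
            /usr/bin/getlabel "$i"
    done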
  3. Test the script in the global zone.
    # /usr/local/scripts/getmounts
    /:      ADMIN_LOW
    /dev:   ADMIN_LOW
    /kernel:        ADMIN_LOW
    /lib:   ADMIN_LOW
    /opt:   ADMIN_LOW
    /platform:      ADMIN_LOW
    /sbin:  ADMIN_LOW
    /usr:   ADMIN_LOW
    /var/tsol/doors:        ADMIN_LOW
    /zone/needtoknow/export/home:   CONFIDENTIAL : NEED TO KNOW
    /zone/internal/export/home:     CONFIDENTIAL : INTERNAL USE ONLY
    /zone/restricted/export/home:   CONFIDENTIAL : RESTRICTED
    /proc:  ADMIN_LOW
    /system/contract:       ADMIN_LOW
    /etc/svc/volatile:      ADMIN_LOW
    /etc/mnttab:    ADMIN_LOW
    /dev/fd:        ADMIN_LOW
    /tmp:           ADMIN_LOW
    /var/run:       ADMIN_LOW
    /zone/public/export/home:  PUBLIC
    /root:          ADMIN_LOW

Example 16-2 Displaying the Labels of File Systems in the restricted Zone

When run from a labeled zone by a regular user, the getmounts script displays the labels of all the mounted file systems in that zone. On a system where zones are created for every label in the default label_encodings file, the following is the output from the restricted zone:

# /usr/local/scripts/getmounts
/:      CONFIDENTIAL : RESTRICTED
/dev:   CONFIDENTIAL : RESTRICTED
/kernel:        ADMIN_LOW
/lib:   ADMIN_LOW
/opt:   ADMIN_LOW
/platform:      ADMIN_LOW
/sbin:  ADMIN_LOW
/usr:   ADMIN_LOW
/var/tsol/doors:        ADMIN_LOW
/zone/needtoknow/export/home:   CONFIDENTIAL : NEED TO KNOW
/zone/internal/export/home:     CONFIDENTIAL : INTERNAL USE ONLY
/proc:  CONFIDENTIAL : RESTRICTED
/system/contract:       CONFIDENTIAL : RESTRICTED
/etc/svc/volatile:      CONFIDENTIAL : RESTRICTED
/etc/mnttab:    CONFIDENTIAL : RESTRICTED
/dev/fd:        CONFIDENTIAL : RESTRICTED
/tmp:   CONFIDENTIAL : RESTRICTED
/var/run:       CONFIDENTIAL : RESTRICTED
/zone/public/export/home:       PUBLIC
/home/gfaden:   CONFIDENTIAL : RESTRICTED

How to Loopback Mount a File That Is Usually Not Visible in a Labeled Zone

This procedure enables a user in a specified labeled zone to view files that are not exported from the global zone by default.

Before You Begin

You must be in the System Administrator role in the global zone.

  1. Halt the zone whose configuration you want to change.
    # zoneadm -z zone-name halt
  2. Loopback mount a file or directory.

    For example, enable ordinary users to view a file in the /etc directory.

    # zonecfg -z zone-name
     add fs
     set special=/etc/filename
     set dir=/etc/filename
     set type=lofs
     add options [ro,nodevices,nosetuid]
     end
     exit

    Note - Certain files are not used by the system, so that loopback mounting them has no effect. For example, the /etc/dfs/dfstab file in a labeled zone is not checked by Trusted Extensions software. For more information, see Sharing Files From a Labeled Zone.


  3. Start the zone.
    # zoneadm -z zone-name boot

Example 16-3 Loopback Mounting the /etc/passwd file

In this example, the security administrator wants to enable testers and programmers to check that their local passwords are set. After the sandbox zone is halted, it is configured to loopback mount the passwd file. Then, the zone is restarted.

# zoneadm -z sandbox halt
# zonecfg -z sandbox
 add fs
 set special=/etc/passwd
 set dir=/etc/passwd
 set type=lofs
 add options [ro,nodevices,nosetuid]
 end
 exit
# zoneadm -z sandbox boot

How to Disable the Mounting of Lower-Level Files

By default, users can view lower-level files. Remove the net_mac_aware privilege to prevent the viewing of all lower-level files from a particular zone. For a description of the net_mac_aware privilege, see the privileges(5) man page.

Before You Begin

You must be in the System Administrator role in the global zone.

  1. Halt the zone whose configuration you want to change.
    # zoneadm -z zone-name halt
  2. Configure the zone to prevent the viewing of lower-level files.

    Remove the net_mac_aware privilege from the zone.

    # zonecfg -z zone-name
     set limitpriv=default,!net_mac_aware
     exit
  3. Restart the zone.
    # zoneadm -z zone-name boot

Example 16-4 Preventing Users From Viewing Lower-Level Files

In this example, the security administrator wants to prevent users on one system from being confused. Therefore, users can only view files at the label at which the users are working. So, the security administrator prevents the viewing of all lower-level files. On this system, users cannot see publicly available files unless they are working at the PUBLIC label. Also, users can only NFS mount files at the label of the zones.

# zoneadm -z restricted halt
# zonecfg -z restricted
 set limitpriv=default,!net_mac_aware
 exit
# zoneadm -z restricted boot
# zoneadm -z needtoknow halt
# zonecfg -z needtoknow
 set limitpriv=default,!net_mac_aware
 exit
# zoneadm -z needtoknow boot
# zoneadm -z internal halt
# zonecfg -z internal
 set limitpriv=default,!net_mac_aware
 exit
# zoneadm -z internal boot

Because PUBLIC is the lowest label, the security administrator does not run the commands for the PUBLIC zone.

How to Share a ZFS Dataset From a Labeled Zone

In this procedure, you mount a ZFS dataset with read/write permissions in a labeled zone. Because all commands are executed in the global zone, the global zone administrator controls the addition of ZFS datasets to labeled zones.

At a minimum, the labeled zone must be in the ready state to share a dataset. The zone can be in the running state.

Before You Begin

To configure the zone with the dataset, you first halt the zone.

  1. Create the ZFS dataset.
    # zfs create datasetdir/subdir

    The name of the dataset can include a directory, such as zone/data.

  2. In the global zone, halt the labeled zone.
    # zoneadm -z labeled-zone-name halt
  3. Set the mount point of the dataset.
    # zfs set mountpoint=legacy datasetdir/subdir

    Setting the ZFS mountpoint property sets the label of the mount point when the mount point corresponds to a labeled zone.

  4. Add the dataset to the zone as a file system.
    # zonecfg -z labeled-zone-name
    zonecfg:labeled-zone-name> add fs
    zonecfg:labeled-zone-name:fs> set dir=/subdir
    zonecfg:labeled-zone-name:fs> set special=datasetdir/subdir
    zonecfg:labeled-zone-name:fs> set type=zfs
    zonecfg:labeled-zone-name:fs> end
    zonecfg:labeled-zone-name> exit

    By adding the dataset as a file system, the dataset is mounted at /data in the zone before the dfstab file is interpreted. This step ensures that the dataset is not mounted before the zone is booted. Specifically, the zone boots, the dataset is mounted, then the dfstab file is interpreted.

  5. Share the dataset.

    Add an entry for the dataset file system to the /zone/labeled-zone-name/etc/dfs/dfstab file. This entry also uses the /subdir pathname.

    share  -F nfs  -d "dataset-comment"  /subdir
  6. Boot the labeled zone.
    # zoneadm -z labeled-zone-name boot

    When the zone is booted, the dataset is mounted automatically as a read/write mount point in the labeled-zone-name zone with the label of the labeled-zone-name zone.

Example 16-5 Sharing and Mounting a ZFS Dataset From Labeled Zones

In this example, the administrator adds a ZFS dataset to the needtoknow zone and shares the dataset. The dataset, zone/data, is currently assigned to the /mnt mount point. Users in the restricted zone can view the dataset.

First, the administrator halts the zone.

# zoneadm -z needtoknow halt

Because the dataset is currently assigned to a different mount point, the administrator removes the previous assignment, then sets the new mount point.

# zfs set zoned=off zone/data
# zfs set mountpoint=legacy zone/data

Next, in the zonecfg interactive interface, the administrator explicitly adds the dataset to the needtoknow zone.

# zonecfg -z needtoknow
zonecfg:needtoknow> add fs
zonecfg:needtoknow:fs> set dir=/data
zonecfg:needtoknow:fs> set special=zone/data
zonecfg:needtoknow:fs> set type=zfs
zonecfg:needtoknow:fs> end
zonecfg:needtoknow> exit

Next, the administrator modifies the /zone/needtoknow/etc/dfs/dfstab file to share the dataset, then boots the needtoknow zone.

## Global zone dfstab file for needtoknow zone
share -F nfs -d "App Data on ZFS" /data
# zoneadm -z needtoknow boot

The dataset is now accessible.

Users in the restricted zone, which dominates the needtoknow zone, can view the mounted dataset by changing to the /data directory. They use the full path to the mounted dataset from the perspective of the global zone. In this example, machine1 is the host name of the system that includes the labeled zone. The administrator assigned this host name to a non-shared IP address.

# cd /net/machine1/zone/needtoknow/root/data

Troubleshooting

If the attempt to reach the dataset from the higher label returns the error not found or No such file or directory, the administrator must restart the automounter service by running the svcadm restart autofs command.

How to Enable Files to be Relabeled From a Labeled Zone

This procedure is a prerequisite for a user to be able to relabel files.

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Halt the zone whose configuration you want to change.
    # zoneadm -z zone-name halt
  2. Configure the zone to enable relabeling.

    Add the appropriate privileges to the zone. The windows privileges enable users to use drag-and-drop and cut-and-paste operations.

    • To enable downgrades, add the file_downgrade_sl privilege to the zone.
      # zonecfg -z zone-name
       set limitpriv=default,win_dac_read,win_mac_read,win_dac_write,win_mac_write,win_selection,file_downgrade_sl
       exit
    • To enable upgrades, add the sys_trans_label and file_upgrade_sl privileges to the zone.
      # zonecfg -z zone-name
       set limitpriv=default,win_dac_read,win_mac_read,win_dac_write,win_mac_write,win_selection,sys_trans_label,file_upgrade_sl
       exit
    • To enable both upgrades and downgrades, add all three privileges to the zone.
      # zonecfg -z zone-name
       set limitpriv=default,win_dac_read,win_mac_read,win_dac_write,win_mac_write,win_selection,sys_trans_label,file_downgrade_sl,file_upgrade_sl
       exit
  3. Restart the zone.
    # zoneadm -z zone-name boot

    For the user and process requirements that permit relabeling, see the setflabel(3TSOL) man page. To authorize a user to relabel files, see How to Enable a User to Change the Security Level of Data.

Example 16-6 Enabling Upgrades From the internal Zone

In this example, the security administrator wants to enable authorized users on a system to upgrade files. By enabling users to upgrade information, the administrator enables them to protect the information at a higher level of security. In the global zone, the administrator runs the following zone administration commands.

# zoneadm -z internal halt
# zonecfg -z internal
 set limitpriv=default,sys_trans_label,file_upgrade_sl
 exit
# zoneadm -z internal boot

Authorized users can now upgrade internal information to restricted from the internal zone.

Example 16-7 Enabling Downgrades From the restricted Zone

In this example, the security administrator wants to enable authorized users on a system to downgrade files. Because the administrator does not add windows privileges to the zone, authorized users cannot use the File Manager to relabel files. To relabel files, users use the setlabel command.

By enabling users to downgrade information, the administrator permits users at a lower level of security to access the files. In the global zone, the administrator runs the following zone administration commands.

# zoneadm -z restricted halt
# zonecfg -z restricted
 set limitpriv=default,file_downgrade_sl
 exit
# zoneadm -z restricted boot

Authorized users can now downgrade restricted information to internal or public from the restricted zone by using the setlabel command.
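
The limitpriv values from the two procedures above (removing net_mac_aware to stop read-down, and adding the relabeling privileges) can be reviewed with a small helper before a zone is rebooted. This is an added example, not part of the Oracle documentation; audit_limitpriv and its output format are hypothetical, and it assumes that default includes net_mac_aware but none of the relabeling privileges, and that entries apply left to right.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): summarize what a labeled
# zone's limitpriv value permits. audit_limitpriv is a hypothetical helper.
# Assumptions: "default" includes net_mac_aware and none of the relabeling
# privileges (as the procedures above imply), an empty value means "default",
# and entries are applied left to right.
audit_limitpriv() (     # args: zone-name limitpriv-value (subshell: IFS stays local)
    zone=$1
    value=${2:-default}
    readdown=no down=no trans=no up=no win=0
    IFS=,
    set -f                              # no filename expansion while splitting
    for p in $value; do
        case $p in
            default|net_mac_aware)  readdown=yes ;;
            '!net_mac_aware')       readdown=no ;;
            file_downgrade_sl)      down=yes ;;
            sys_trans_label)        trans=yes ;;
            file_upgrade_sl)        up=yes ;;
            win_dac_read|win_mac_read|win_dac_write|win_mac_write|win_selection)
                                    win=$((win + 1)) ;;
        esac
    done
    # Upgrades need both sys_trans_label and file_upgrade_sl.
    case $trans$up in
        yesyes) upgrade=yes ;;
        nono)   upgrade=no ;;
        *)      upgrade=incomplete ;;
    esac
    # The procedure adds five windows privileges together; report whether
    # all five are present.
    if [ "$win" -eq 5 ]; then winprivs=yes; else winprivs=no; fi
    echo "$zone read-down=$readdown downgrade=$down upgrade=$upgrade windows-privs=$winprivs"
)

# Values taken from Examples 16-4, 16-6 and 16-7 on this page.
audit_limitpriv restricted 'default,!net_mac_aware'
audit_limitpriv internal   'default,sys_trans_label,file_upgrade_sl'
audit_limitpriv restricted 'default,file_downgrade_sl'
# Constructed value: file_upgrade_sl without sys_trans_label.
audit_limitpriv sandbox    'default,file_upgrade_sl'
```

A result of upgrade=incomplete marks a zone where only one of the two upgrade privileges was added.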

How to Configure a Multilevel Port for NFSv3 Over udp

This procedure is used to enable NFSv3 read-down mounts over udp.

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Configure the zone and the MLP.

    Modify the tnzonecfg database by doing one of the following:

    • Use the txzonemgr script.
      # /usr/sbin/txzonemgr

      Fill in the appropriate information.

    • Specify the appropriate port/protocol field in the tnzonecfg database.

      The format is the following:

      zone-name:label:network-policy:zone-port/protocol-list:shared-port/protocol-list

      ## tnzonecfg database
      global:ADMIN_LOW:1:111/tcp;111/udp;2049/tcp;6000-6003/tcp;2049/udp:6000-6003/tcp;2049/udp
  2. Update the kernel.
    # tnctl -fz /etc/security/tsol/tnzonecfg

How to Create a Multilevel Port for a Zone

This procedure is used when an application that runs in a labeled zone requires a multilevel port (MLP) to communicate with the zone. In this procedure, a web proxy communicates with the zone.

Before You Begin

You must be in the Security Administrator role in the global zone. The labeled zone must exist. For details, see Creating Labeled Zones.

  1. Add the proxy host and the webservices host to the /etc/hosts file.
    ## /etc/hosts file
    ...
    IP-address proxy-host-name
    IP-address web-service-host-name
  2. Configure the zone and the MLP.

    Modify the tnzonecfg database by doing one of the following:

    • Use the txzonemgr script.
      # /usr/sbin/txzonemgr

      Fill in the appropriate information.

    • Specify the appropriate port/protocol field in the tnzonecfg database.

      The format is the following:

      zone-name:label:network-policy:zone-port/protocol-list:shared-port/protocol-list
           

      For example, you might configure a web service as follows:

      public:PUBLIC:1:8080/tcp:8080/tcp
  3. Add a security template for the zone.
    1. Determine the hexadecimal version of the label PUBLIC.

      Use the atohexlabel command. For more information, see the atohexlabel(1M) man page.

      # atohexlabel public
      0x0002-08-08
    2. Add a new template for the zone in the tnrhtp database.

      Use the hexadecimal version of the PUBLIC label.

      ## /etc/security/tnrhtp
      ...
      host-name:host_type=cipso;doi=1;min_sl=0x0002-08-08;max_sl=0x0002-08-08;sl_set=0x0002-08-08
  4. Add an explicit entry in the tnrhdb database for the zone.

    The entry uses the security template name, host-name.

    ## /etc/security/tnrhdb
    ...
    zone-IP-address:host-name
  5. Start the zones.
    # zoneadm -z zone-name boot
  6. In the global zone, add routes for the new addresses.

    For example, if the zones have a shared IP address, do the following:

    # route add proxy labeled-zone-IP-address
    # route add webservice labeled-zone-IP-address
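
The tnzonecfg entry format used in both multilevel port procedures above (NFSv3 over udp, and the web proxy) can be reviewed before the kernel is updated with tnctl. This is an added example, not part of the Oracle documentation; list_mlps and emit_items are hypothetical helpers, and the example assumes that the label field contains no unescaped colon and that only the tcp and udp protocols shown on this page are recognized.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): list every multilevel
# port (MLP) declared in tnzonecfg-format lines read from standard input.
# list_mlps and emit_items are hypothetical helper names.
# Assumptions: the label field contains no unescaped colon, and only the tcp
# and udp protocols shown on this page are recognized.

# Print "zone scope port/protocol" for each item of a semicolon-separated list.
emit_items() (          # args: zone scope list (subshell: IFS stays local)
    IFS=';'
    set -f                              # no filename expansion while splitting
    for item in $3; do
        ports=${item%/*}
        proto=${item##*/}
        case $proto in
            tcp|udp) ;;
            *) echo "$1 $2 UNRECOGNIZED:$item"; continue ;;
        esac
        # Accept a single port (2049) or a range (6000-6003), digits only.
        case $ports in
            ''|*[!0-9-]*|-*|*-|*-*-*) echo "$1 $2 UNRECOGNIZED:$item" ;;
            *) echo "$1 $2 $ports/$proto" ;;
        esac
    done
)

list_mlps() {
    # Fields: zone-name:label:network-policy:zone-MLP-list:shared-MLP-list
    while IFS=: read -r zone label policy zone_mlps shared_mlps; do
        case $zone in
            ''|'#'*) continue ;;        # skip blank lines and comments
        esac
        emit_items "$zone" zone "$zone_mlps"
        emit_items "$zone" shared "$shared_mlps"
    done
}

# The two entries shown on this page, plus one constructed malformed entry.
list_mlps <<'EOF'
## tnzonecfg database
global:ADMIN_LOW:1:111/tcp;111/udp;2049/tcp;6000-6003/tcp;2049/udp:6000-6003/tcp;2049/udp
public:PUBLIC:1:8080/tcp:8080/tcp
badzone:PUBLIC:1:80/icmp;http/tcp:
EOF
```

Each output line names the zone, whether the port is on the zone's own address or the shared address, and the port, so an unexpected MLP or a mistyped item stands out.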