Oracle Solaris Trusted Extensions Configuration and Administration     Oracle Solaris 11 Express 11/10

Creating Labeled Zones

The instructions in this section configure labeled zones on a system that has been assigned at most two IP addresses. For other configurations, see the configuration options in Planning for Multilevel Access.

This task map describes and links to the tasks that configure labeled zones.

Task: Create a default Trusted Extensions configuration.
    Description: The txzonemgr -c command creates two labeled zones from the default label_encodings file.
    For Instructions: Create a Default Trusted Extensions System

Task: Create a default Trusted Extensions configuration by using a GUI.
    Description: The txzonemgr script, run without options, opens the Labeled Zone Manager, which presents the appropriate tasks as you configure your system. Accepting the default public zone starts the default configuration.
    For Instructions: Create Labeled Zones Interactively

Task: Manually step through zone creation.
    Description: In the Labeled Zone Manager, use the Create a Zone option to name, label, clone, and boot each zone yourself.
    For Instructions: Create Labeled Zones Interactively

Task: Create a working labeled environment.
    Description: In the default configuration, label two workspaces as PUBLIC and NEED TO KNOW.
    For Instructions: Assign Labels to Two Zone Workspaces

Task: (Optional) Link to other Trusted Extensions systems on your network.
    Description: Configure interfaces in the global zone, or create logical interfaces and configure them in the global zone.
    For Instructions: Configure the Network Interfaces in Trusted Extensions

Create a Default Trusted Extensions System

This procedure creates a working Trusted Extensions system with two labeled zones. The system is not networked to another system.

Before You Begin

You have completed Reboot and Log In to Trusted Extensions. You have assumed the root role.

  1. Open a terminal window in the fourth workspace.
  2. Read the txzonemgr man page.
    # man txzonemgr
  3. Create a default configuration.
    # /usr/sbin/txzonemgr -c

    This command copies the Oracle Solaris OS and Trusted Extensions software to a zone, creates a snapshot of the zone, labels the original zone, then uses the snapshot to create a second labeled zone. The first labeled zone is based on the value of Default User Sensitivity Label in the label_encodings file. The second labeled zone is based on the value of Default User Clearance in the label_encodings file. This step can take about 20 minutes.

  4. When prompted for a root password, press the F2 key twice.

    The root password for the labeled zones will be identical to the password for the global zone.

  5. Go to Assign Labels to Two Zone Workspaces to use your Trusted Extensions configuration.

Create Labeled Zones Interactively

You do not have to create a zone for every label in your label_encodings file, but you can. The administrative GUIs enumerate the labels that can have zones created for them on this system. In this procedure, you create two labeled zones.

Before You Begin

You have completed Reboot and Log In to Trusted Extensions. You have assumed the root role.

You have not created a zone yet.

  1. Run the txzonemgr command without any options.
    # txzonemgr &

    The script opens the Labeled Zone Manager dialog box. This zenity dialog box prompts you for the appropriate tasks, depending on the current state of your configuration.

    To perform a task, you select the menu item, then press the Return key or click OK. When you are prompted for text, type the text then press the Return key or click OK.


    Tip - To view the current state of zone completion, click Return to Main Menu in the Labeled Zone Manager.


  2. Create the first zone.
    • For a default Trusted Extensions system, or to have the labels assigned automatically for a customized label_encodings file, click OK to the following dialog box:
      Do you want to create the public zone using default settings?

      The system creates the public zone for the minimum label in your label_encodings file. After the public zone is created, another terminal window appears. Its title is Zone Terminal Console: public. The public zone boots, initializes, and then prompts for the root password. Continue with Step 3.

    • To manually create zones for a customized labeled system, click the Create a Zone option.

      The system steps you through zone creation. Follow the prompts. After the zone is created, another terminal window appears. Its title is Zone Terminal Console: zonename. The zone boots, initializes, and then prompts for the root password.

  3. Press the F2 key twice to provide the password for the root role.

    The zone reboots.

    The Labeled Zone Manager dialog box displays the state and options for the public zone.

  4. Halt the zone by selecting Halt from the Labeled Zone Manager.

    In the Zone Terminal Console window, a notice appears: Notice: Zone Halted

  5. From the zone options list, select Select another zone, and then select global.
  6. Create the second zone by selecting Create a new zone:

    The prompt, Enter Zone Name:, appears.

  7. Type needtoknow, or the name of your second labeled zone.

    Note - During automatic zone creation, the system takes the label from the Default User Clearance in your label_encodings file.


    A one-item list for the new zone appears.

  8. Choose Select Label....
  9. From the label selection dialog box, select NEED TO KNOW or the appropriate label from the Sensitivity column and click OK.
  10. In the list of options for the zone, select Clone....
  11. Select snapshot from the list of installed zones.

    snapshot is the only item in the list.

  12. Select Boot.

Example 4-2 Creating Another Labeled Zone

The administrator wants to create another labeled zone, named internal, from the default label_encodings file.

First, the administrator opens the txzonemgr script in interactive mode.

# txzonemgr &

Then, the administrator navigates to the global zone and names the new zone internal.

Create a new zone:internal

Then, the administrator applies the correct label.

Select label:INTERNAL

From the list, the administrator chooses Clone..., and chooses snapshot as the template for the new zone.

After the internal zone is available, the administrator chooses Boot.

Assign Labels to Two Zone Workspaces

This procedure creates two labeled workspaces and opens a labeled window in each labeled workspace. When this task is completed, you have a working, non-networked Trusted Extensions system.

Before You Begin

You have completed one of Create a Default Trusted Extensions System or Create Labeled Zones Interactively.

  1. Create a PUBLIC workspace.

    If you are using a site-specific label_encodings file, you are creating a workspace from the value of Default Minimum Label.

    1. Switch to the second workspace.
    2. Right-click and select Change Workspace Label...
    3. Select PUBLIC and click OK.
  2. Provide your password at the prompt.

    You are on the public desktop.

  3. Open a terminal window.

    The window is labeled PUBLIC.

  4. Create a NEED TO KNOW workspace.

    If you are using a site-specific label_encodings file, you are creating a workspace from the value of Default User Clearance.

    1. Switch to the third workspace.
    2. Right-click and select Change Workspace Label...
    3. Select NEED TO KNOW and click OK.
  5. Provide your password at the prompt.

    You are on the needtoknow desktop.

  6. Open a terminal window.

    The window is labeled CONFIDENTIAL : NEED TO KNOW.

Next Steps

If you plan to communicate with other systems, go to Configure the Network Interfaces in Trusted Extensions. The default setup has completed the steps to connect the labeled zones to the global zone.

Configure the Network Interfaces in Trusted Extensions

Your Trusted Extensions system works without networking. Perform this task if you want to communicate with other systems on a network.

Before You Begin

The public zone is halted.

The Labeled Zone Manager is displayed. To open this GUI, see Create Labeled Zones Interactively.

From the public zone options list, you have clicked Select another zone...

  1. In the Labeled Zone Manager, select the global zone.
  2. Select Configure Network Interfaces.

    A list of interfaces is displayed. Look for an interface that is listed with the following characteristics:

    • Type of physical

    • IP address of your hostname

    • Template of cipso

    • State of Up

  3. Select the interface that corresponds to your hostname.
  4. From the list of commands, select Share with Shared-IP Zones.
  5. Click Cancel to return to the global zone command list.
  6. To connect to other systems on your network that are running Trusted Extensions, select Add Multilevel Access to Remote Host...
    1. Type the IP address of another Trusted Extensions system.
    2. Run the corresponding commands on the other Trusted Extensions system.

Make the Global Zone an LDAP Client in Trusted Extensions

For LDAP, this procedure establishes the naming service configuration for the global zone. If you are not using LDAP, you can skip this procedure.

Use the txzonemgr script.


Note - If you plan to set up a name server in each labeled zone, you are responsible for establishing the LDAP client connection to each labeled zone.


Before You Begin

The Sun Java System Directory Server, that is, the LDAP server, must exist. The server must be populated with Trusted Extensions databases, and this system must be able to contact the server. So, the system that you are configuring must have an entry in the tnrhdb database on the LDAP server, or this system must be included in a wildcard entry before you perform this procedure.

If an LDAP server that is configured with Trusted Extensions does not exist, you must complete the procedures in Chapter 5, Configuring LDAP for Trusted Extensions (Tasks) before you perform this procedure.

  1. If you are using DNS, modify the nsswitch.ldap file.
    1. Save a copy of the original nsswitch.ldap file.

      The standard naming service switch file for LDAP is too restrictive for Trusted Extensions.

      # cd /etc
      # cp nsswitch.ldap nsswitch.ldap.orig
    2. Change the nsswitch.ldap file entries for the following services.

      The correct entries are similar to the following:

      hosts:    files dns ldap
      
      ipnodes:    files dns ldap
      networks:   ldap files
      protocols:  ldap files
      rpc:        ldap files
      ethers:     ldap files
      netmasks:   ldap files
      bootparams: ldap files
      publickey:  ldap files
      
      services:   files

      Note that Trusted Extensions adds two entries:

      tnrhtp:    files ldap
      tnrhdb:    files ldap
    3. Copy the modified nsswitch.ldap file to nsswitch.conf.
      # cp nsswitch.ldap nsswitch.conf
  2. To create an LDAP client, use the txzonemgr script.

    The Create LDAP Client menu item configures the global zone only.

    1. Follow the instructions in Create Labeled Zones Interactively.

      The title of the dialog box is Labeled Zone Manager.

    2. Select Create LDAP Client.
    3. Answer the following prompts and click OK after each answer:
      Enter Domain Name:                   Type the domain name
      Enter Hostname of LDAP Server:       Type the name of the server
      Enter IP Address of LDAP Server servername: Type the IP address
      Enter LDAP Proxy Password:       Type the password to the server
      Confirm LDAP Proxy Password:     Retype the password to the server
      Enter LDAP Profile Name:         Type the profile name
    4. Confirm or cancel the displayed values.
      Proceed to create LDAP Client?

      When you confirm, the txzonemgr script adds the LDAP client. Then, a window displays the command output.

  3. In a terminal window, set the enableShadowUpdate parameter to TRUE.
    # ldapclient -v mod -a enableShadowUpdate=TRUE \
    > -a adminDN=cn=admin,ou=profile,dc=domain,dc=suffix
    System successfully configured

    The txzonemgr script runs the ldapclient init command only. In Trusted Extensions, you must also modify an initialized LDAP client to enable shadow updates.

  4. Verify that the information on the server is correct.
    1. Open a terminal window, and query the LDAP server.
      # ldapclient list

      The output looks similar to the following:

      NS_LDAP_FILE_VERSION= 2.0
      NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=domain-name
      ...
      NS_LDAP_BIND_TIME= number
    2. Correct any errors.

      If you get an error, create the LDAP client again and supply the correct values. For example, the following error can indicate that the system does not have an entry on the LDAP server:

      LDAP ERROR (91): Can't connect to the LDAP server.
      Failed to find defaultSearchBase for domain domain-name

      To correct this error, you need to check the LDAP server.

Example 4-3 Using Host Names After Loading a resolv.conf File

In this example, the administrator wants a particular set of DNS servers to be available to the system. The administrator copies a resolv.conf file from a server on a trusted net. Because DNS is not yet active, the administrator uses the server's IP address to locate the server.

# cd /etc
# cp /net/10.1.1.2/export/txsetup/resolv.conf resolv.conf

After the resolv.conf file is copied and the nsswitch.conf file includes dns in the hosts entry, the administrator can use host names to locate systems.