Oracle Solaris Trusted Extensions Configuration and Administration     Oracle Solaris 11 Express 11/10

Adding Network Interfaces and Routing to Labeled Zones

The following tasks support environments where each zone is connected to a separate physical network.

Task 1a (EITHER): Add a network interface to each labeled zone and use the global zone to reach the external network.
  Description: Connects each labeled zone to a separate physical network. The labeled zones use the network routing that the global zone provides.
  For Instructions: Add a Network Interface to Route an Existing Labeled Zone

Task 1b (OR): Add a network interface to each labeled zone with a default route.
  Description: Connects each zone to a separate physical network. The labeled zones do not use the global zone for routing.
  For Instructions: Add a Network Interface That Does Not Use the Global Zone to Route an Existing Labeled Zone

Task 2: Create a name service cache in each labeled zone.
  Description: Configures a name service daemon for each zone.
  For Instructions: Configure a Name Service Cache in Each Labeled Zone

Add a Network Interface to Route an Existing Labeled Zone

This procedure adds zone-specific network interfaces to existing labeled zones. This configuration supports environments where each labeled zone is connected to a separate physical network. The labeled zones use the network routing that the global zone provides.


Note - The global zone must configure an IP address for every subnet in which a non-global zone address is configured.


Before You Begin

You are in the root role in the global zone.

For every zone, you have completed the tasks in Creating Labeled Zones.

  1. In the global zone, type the IP addresses and hostnames for the additional network interfaces into the /etc/hosts file.

    Use a standard naming convention, such as adding -zone-name to the name of the host.

    ## /etc/hosts in global zone
    10.10.8.2   hostname-zone-name1
    10.10.8.3   hostname-global-name1
    10.10.9.2   hostname-zone-name2
    10.10.9.3   hostname-global-name2
  2. For the network for each interface, add entries to the /etc/netmasks file.
    ## /etc/netmasks in global zone
    10.10.8.0 255.255.255.0
    10.10.9.0 255.255.255.0

    For more information, see the netmasks(4) man page.

  3. In the global zone, plumb the zone-specific physical interfaces.
    1. Identify the physical interfaces that are already plumbed.
      # ipadm show-if
      IFNAME     STATE    CURRENT      PERSISTENT
      lo0        ok       -m-v------46 ---
      bge0       ok       bm--------4- ---
    2. Configure the global zone addresses on each interface.
      # ipadm create-addr -T static -a 10.10.8.3 addrobj
      # ipadm create-addr -T static -a 10.10.9.3 addrobj

      where addrobj is an address object name of the form interface-name/string, as in igb0/static1. The string is chosen by the administrator and only has to be unique on that interface.

      For example, you might create the following address objects:

      # ipadm create-addr -T static -a 10.10.8.3 bge0/zone1
      # ipadm create-addr -T static -a 10.10.9.3 bge0/zone2

    The global zone addresses are configured immediately upon system startup. The zone-specific addresses are configured when the zone is booted.

  4. Assign a security template to each zone-specific network interface.

    If the gateway to the network is not configured with labels, assign the admin_low security template. If the gateway to the network is labeled, assign a cipso security template.

    You can create security templates of host type cipso that reflect the label of every network. For the procedures to create and assign the templates, see Configuring Trusted Network Databases (Task Map).

  5. Halt every labeled zone to which you plan to add a zone-specific interface.
    # zoneadm -z zone-name halt
  6. Start the Labeled Zone Manager.
    # /usr/sbin/txzonemgr
  7. For each zone where you want to add a zone-specific interface, do the following:
    1. Select the zone.
    2. Select Add Network.
    3. Name the network interface.
    4. Type the IP address of the interface.
  8. In the Labeled Zone Manager for every completed zone, select Zone Console.
  9. Select Boot.
  10. In the Zone Console, verify that the interfaces have been created.
    # ipadm show-if
  11. Verify that the zone has a route to the gateway for the subnet.
    # netstat -rn
Troubleshooting

To debug zone configuration, see Troubleshooting Your Trusted Extensions Configuration.

Add a Network Interface That Does Not Use the Global Zone to Route an Existing Labeled Zone

This procedure sets zone-specific default routes for existing labeled zones. In this configuration, the labeled zones do not use the global zone for routing.

The labeled zone's interface must be plumbed in the global zone before the zone is booted. However, to isolate the labeled zone from the global zone, the interface must be in the down state when the zone is booted. For more information, see Zone Network Interfaces in System Administration Guide: Oracle Solaris Zones, Oracle Solaris 10 Containers, and Resource Management.


Note - A unique default route must be configured for every non-global zone that is booted.


Before You Begin

You are in the root role in the global zone.

For every zone, you have completed the tasks in Creating Labeled Zones. You are using either the vni0 interface or the lo0 interface to connect the labeled zones to the global zone.

  1. For every network interface, determine its IP address, netmask, and default router.

    Use the ipadm show-addr command to determine the IP address and netmask. Use the zonecfg -z zonename info net command to determine if a default router has been assigned.

  2. Create an empty /etc/hostname.interface file for each labeled zone.
    # touch /etc/hostname.interface
    # touch /etc/hostname.interface:n

    An empty hostname file causes the interface to be plumbed at boot without an address and without being brought up, which is the down state that the labeled zone requires.

  3. Create plumbed network interfaces for the labeled zones.
    # ipadm create-if zone1-network-interface
    # ipadm create-if zone2-network-interface
  4. Verify that the labeled zone's interfaces are disabled.
    # ipadm show-if
    IFNAME        STATE       CURRENT      PERSISTENT
    bge0/zone1    disabled    -m-v----46      ---
    bge0/zone2    disabled    -m-v----46      ---

    The zone-specific addresses are configured when the zone is booted.

  5. For the network for each interface, add entries to the /etc/netmasks file.
    ## /etc/netmasks in global zone
    192.168.2.0 255.255.255.0
    192.168.3.0 255.255.255.0

    For more information, see the netmasks(4) man page.

  6. Assign a security template to each zone-specific network interface.

    Create security templates of host type cipso that reflect the label of every network. To create and assign the templates, see Configuring Trusted Network Databases (Task Map).

  7. Run the txzonemgr script, and open a separate terminal window.

    In the Labeled Zone Manager, you will add the network interfaces for the labeled zones. In the terminal window, you will display information about the zone and set the default router.

  8. For every zone to which you are going to add a zone-specific network interface and router, complete the following steps:
    1. In the terminal window, halt the zone.
      # zoneadm -z zone-name halt
    2. In the Labeled Zone Manager, do the following:
      1. Select the zone.
      2. Select Add Network.
      3. Name the network interface.
      4. Type the IP address of the interface.
      5. In the terminal window, verify the zone configuration.
        # zonecfg -z zone-name info net
        net:   address: IP-address
               physical: zone-network-interface
               defrouter not specified
    3. In the terminal window, configure the default router for the labeled zone's network.
      # zonecfg -z zone-name
      zonecfg:zone-name> select net address=IP-address
      zonecfg:zone-name:net> set defrouter=router-address
      zonecfg:zone-name:net> end
      zonecfg:zone-name> verify
      zonecfg:zone-name> commit
      zonecfg:zone-name> exit
      #

      For more information, see the zonecfg(1M) man page and How to Configure the Zone in System Administration Guide: Oracle Solaris Zones, Oracle Solaris 10 Containers, and Resource Management.

    4. Boot the labeled zone.
      # zoneadm -z zone-name boot
    5. In the global zone, verify that the labeled zone has a route to the gateway for the subnet.
      # netstat -rn

      A routing table is displayed. The destination and interface for the labeled zone are different from the entry for the global zone.

  9. To remove the default route, select the zone's IP address, clear the defrouter property, then commit the change.
    # zonecfg -z zone-name
    zonecfg:zone-name> select net address=zone-IP-address
    zonecfg:zone-name:net> clear defrouter
    zonecfg:zone-name:net> end
    zonecfg:zone-name> info net
    net:
       address: zone-IP-address
       physical: zone-network-interface
       defrouter not specified
    zonecfg:zone-name> commit
    zonecfg:zone-name> exit

Example 4-4 Setting a Default Route for a Labeled Zone

In this example, the administrator routes the Secret zone to a separate physical subnet. Traffic to and from the Secret zone is not routed through the global zone. The administrator uses the Labeled Zone Manager and the zonecfg command, then verifies that routing works.

The administrator determines that igb1 and igb1:0 are not currently in use, and creates a mapping for two labeled zones. igb1 is the designated interface for the Secret zone. The addresses below are the ones used in the zonecfg and netstat output that follows.

Interface   IP Address      Netmask          Default Router
igb1        192.168.6.22    255.255.255.0    192.168.6.2
igb1:0      192.168.3.33    255.255.255.0    192.168.3.3

First, the administrator creates the igb1 interface. The ipadm command shows that the interface is plumbed but not up.

# ipadm create-if igb1
# ipadm show-if
IFNAME        STATE       CURRENT      PERSISTENT
igb1          disabled    -m-v----46      ---
all-zones     ok          -m-v----46      ---

Then, the administrator creates a security template with a single label, Secret, and assigns the IP address of the interface to the template.

The administrator halts the zone.

# zoneadm -z secret halt

The administrator runs the txzonemgr script to open the Labeled Zone Manager.

# /usr/sbin/txzonemgr

In the Labeled Zone Manager, the administrator selects the Secret zone, selects Add Network, and then selects a network interface. The administrator closes the Labeled Zone Manager.

On the command line, the administrator selects the zone's IP address, then sets its default route. Before exiting the command, the administrator verifies the route and commits it.

# zonecfg -z secret
zonecfg:secret> select net address=192.168.6.22
zonecfg:secret:net> set defrouter=192.168.6.2
zonecfg:secret:net> end
zonecfg:secret> verify
zonecfg:secret> commit
zonecfg:secret> info net
  net:
     address: 192.168.6.22
     physical: igb1
     defrouter: 192.168.6.2
zonecfg:secret> exit
#

The administrator boots the zone.

# zoneadm -z secret boot

In a separate terminal window in the global zone, the administrator displays the routing table and confirms that the Secret zone's route is on igb1, separate from the global zone's default route on igb0.

# netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use  Interface 
-------------------- -------------------- ----- ----- ------- --------- 
default              192.168.5.15         UG        1    2664 igb0      
192.168.6.2          192.168.6.22         UG        1     240 igb1      
192.168.3.3          192.168.3.33         U         1     183 igb1:0    
127.0.0.1            127.0.0.1            UH        1     380 lo0       
...
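The two procedures above state three rules that are easy to get wrong when several labeled zones are being wired up at once: a zone routed through the global zone needs a global-zone address on its subnet (the note under task 1a), a zone with its own default route needs that router on the zone's subnet, and every booted zone needs a unique default route (the note under task 1b). The following script is an added example, not part of the Oracle manual: it checks a constructed zone network plan against those rules with plain POSIX shell arithmetic, and for a zone that passes it prints the same select/set/end/verify/commit sequence shown in Example 4-4 as a command file for zonecfg -z zone-name -f file. The zone names, addresses and global-zone address list are assumptions; on a real system the global-zone addresses would come from ipadm show-addr.

```shell
#!/bin/sh
# Added example (not from the Oracle manual): validate a labeled-zone network
# plan against the rules stated in tasks 1a and 1b, and emit the zonecfg
# command file for a zone that gets a zone-specific default route.
#
# A plan has one zone per line, all values constructed for this example:
#   zone-name  zone-address  netmask  default-router|global
# "global" marks a zone routed through the global zone (task 1a); an address
# marks a zone with its own default route (task 1b).

ip2int() {
  # Convert a dotted quad to a 32-bit integer using shell arithmetic.
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

net_of() {
  # Network number of address $1 under netmask $2, as an integer.
  echo $(( $(ip2int "$1") & $(ip2int "$2") ))
}

same_subnet() {
  # Succeeds when $1 and $2 share the subnet defined by netmask $3.
  [ "$(net_of "$1" "$3")" -eq "$(net_of "$2" "$3")" ]
}

has_addr_on_subnet() {
  # Succeeds when one address in the list $1 is on the subnet of $2/$3.
  for cand in $1; do
    same_subnet "$cand" "$2" "$3" && return 0
  done
  return 1
}

check_plan() {
  # $1: plan text, $2: space-separated global-zone addresses.
  # Prints one line per problem; returns 1 if any problem was found.
  problems=0
  routers=" "
  while read -r zone addr mask router; do
    [ -z "$zone" ] && continue
    if [ -z "$router" ]; then
      echo "$zone: missing default router or the word global"
      problems=1
      continue
    fi
    if [ "$router" = global ]; then
      # Task 1a: the global zone needs an address on every subnet that
      # carries a non-global zone address.
      has_addr_on_subnet "$2" "$addr" "$mask" ||
        { echo "$zone: global zone has no address on the subnet of $addr/$mask"; problems=1; }
    else
      # Task 1b: the router must be on the zone's own subnet, and no two
      # zones may share a default route.
      same_subnet "$addr" "$router" "$mask" ||
        { echo "$zone: default router $router is not on the subnet of $addr/$mask"; problems=1; }
      case "$routers" in
        *" $router "*) echo "$zone: default router $router is already used by another zone"; problems=1 ;;
      esac
      routers="$routers$router "
    fi
  done <<EOF
$1
EOF
  return $problems
}

zonecfg_defrouter_cmds() {
  # Print the command file for: zonecfg -z $1 -f file
  # (zone name $1, zone address $2, default router $3).
  printf 'select net address=%s\nset defrouter=%s\nend\nverify\ncommit\n' "$2" "$3"
}

# Constructed sample plan mixing both routing styles.
PLAN='
secret      192.168.6.22  255.255.255.0  192.168.6.2
restricted  192.168.3.33  255.255.255.0  192.168.3.3
public      10.10.8.2     255.255.255.0  global
internal    10.10.9.2     255.255.255.0  global
'
# Constructed global-zone addresses (from ipadm show-addr on a real system).
GLOBAL_ADDRS='10.10.8.3 10.10.9.3 192.168.5.14'

if check_plan "$PLAN" "$GLOBAL_ADDRS"; then
  echo "plan ok; zonecfg commands for the secret zone:"
  zonecfg_defrouter_cmds secret 192.168.6.22 192.168.6.2
fi
```

The check deliberately does no DNS or name service lookup, so it can be run from the global zone before any labeled zone is booted and before the per-zone name service in the next procedure exists. A zone that fails the task 1a check is one the global zone cannot route for; a zone that fails the router check would boot but netstat -rn inside the zone would show no usable route to the gateway.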

Configure a Name Service Cache in Each Labeled Zone

This procedure enables you to separately configure a name service daemon (nscd) in each labeled zone. This configuration supports environments where each zone is connected to a subnetwork that runs at the label of the zone, and the subnetwork has its own name server for that label.


Note - This configuration does not satisfy the criteria for an evaluated configuration. In an evaluated configuration, the nscd daemon runs only in the global zone. Doors in each labeled zone connect the zone to the global nscd daemon.


Before You Begin

You are in the root role in the global zone. You have successfully completed Add a Network Interface to Route an Existing Labeled Zone.

This configuration requires that you have advanced networking skills.

  1. In the global zone, start the Labeled Zone Manager.
    # /usr/sbin/txzonemgr
  2. Select Configure per-zone name service, and click OK.

    Note - This option is intended to be used once, during initial system configuration.


  3. Configure each zone's nscd service.

    For assistance, see the nscd(1M) and nscd.conf(4) man pages.

  4. Reboot the system.
  5. For every zone, verify the route and the name service daemon.
    1. In the Zone Console, list the nscd service.
      zone-name # svcs -x name-service-cache
      svc:/system/name-service-cache:default (name service cache)
       State: online since October 10, 2010  10:10:10 AM PDT
         See: nscd(1M)
         See: /etc/svc/volatile/system-name-service-cache:default.log
      Impact: None.
    2. Verify the route to the subnetwork.
      zone-name # netstat -rn
  6. To remove the zone-specific name service daemons, do the following in the global zone:
    1. Open the Labeled Zone Manager.
    2. Select Unconfigure per-zone name service, and click OK.

      This selection removes the nscd daemon in every labeled zone.

    3. Reboot the system.