JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Trusted Extensions Configuration and Administration     Oracle Solaris 11 Information Library
search filter icon
search icon

Document Information


Part I Initial Configuration of Trusted Extensions

1.  Security Planning for Trusted Extensions

2.  Configuration Roadmap for Trusted Extensions

3.  Adding the Trusted Extensions Feature to Oracle Solaris (Tasks)

4.  Configuring Trusted Extensions (Tasks)

5.  Configuring LDAP for Trusted Extensions (Tasks)

Part II Administration of Trusted Extensions

6.  Trusted Extensions Administration Concepts

7.  Trusted Extensions Administration Tools

8.  Security Requirements on a Trusted Extensions System (Overview)

9.  Performing Common Tasks in Trusted Extensions (Tasks)

10.  Users, Rights, and Roles in Trusted Extensions (Overview)

11.  Managing Users, Rights, and Roles in Trusted Extensions (Tasks)

12.  Remote Administration in Trusted Extensions (Tasks)

13.  Managing Zones in Trusted Extensions (Tasks)

14.  Managing and Mounting Files in Trusted Extensions (Tasks)

Sharing and Mounting Files in Trusted Extensions

NFS Mounts in Trusted Extensions

Sharing Files From a Labeled Zone

Access to NFS Mounted File Systems in Trusted Extensions

Home Directory Creation in Trusted Extensions

Changes to the Automounter in Trusted Extensions

Trusted Extensions Software and NFS Protocol Versions

Mounting Labeled ZFS Datasets

Backing Up, Sharing, and Mounting Labeled Files (Task Map)

How to Back Up Files in Trusted Extensions

How to Restore Files in Trusted Extensions

How to Share File Systems From a Labeled Zone

How to NFS Mount Files in a Labeled Zone

How to Troubleshoot Mount Failures in Trusted Extensions

15.  Trusted Networking (Overview)

16.  Managing Networks in Trusted Extensions (Tasks)

17.  Trusted Extensions and LDAP (Overview)

18.  Multilevel Mail in Trusted Extensions (Overview)

19.  Managing Labeled Printing (Tasks)

20.  Devices in Trusted Extensions (Overview)

21.  Managing Devices for Trusted Extensions (Tasks)

22.  Trusted Extensions Auditing (Overview)

23.  Software Management in Trusted Extensions (Reference)

A.  Site Security Policy

Creating and Managing a Security Policy

Site Security Policy and Trusted Extensions

Computer Security Recommendations

Physical Security Recommendations

Personnel Security Recommendations

Common Security Violations

Additional Security References

B.  Configuration Checklist for Trusted Extensions

Checklist for Configuring Trusted Extensions

C.  Quick Reference to Trusted Extensions Administration

Administrative Interfaces in Trusted Extensions

Oracle Solaris Interfaces Extended by Trusted Extensions

Tighter Security Defaults in Trusted Extensions

Limited Options in Trusted Extensions

D.  List of Trusted Extensions Man Pages

Trusted Extensions Man Pages in Alphabetical Order

Oracle Solaris Man Pages That Are Modified by Trusted Extensions



NFS Mounts in Trusted Extensions

NFS mounts in Trusted Extensions are similar to Oracle Solaris mounts. The differences occur in the enforcement of MAC policy. Also, the txzonemgr script assumes that home directories are mounted as /export/home.

NFS shares in Trusted Extensions are similar to Oracle Solaris shares in a global zone. However, the sharing of a labeled zone on a multilevel system is unique to Trusted Extensions:

Labels affect which files can be mounted. Files are shared and mounted at a particular label.

Labels also affect which directories and files can be viewed. By default, lower-level objects are available in a user's environment. Therefore, in the default configuration, a regular user can view files that are in a zone at a lower level than the user's current level. For example, users can see their lower-level home directories from a higher label. For details, see Home Directory Creation in Trusted Extensions.

If site security forbids the viewing of lower-level objects, you can hide lower-level file systems from the user. For details, see How to Disable the Mounting of Lower-Level Files.

The mount policy in Trusted Extensions has no MAC overrides. Mounted files that are visible at a lower label can never be modified by a higher-label process. This MAC policy is also in effect in the global zone. A global zone ADMIN_HIGH process cannot modify an NFS-mounted file at a lower label, such as a PUBLIC file or an ADMIN_LOW file. MAC policies enforce the default configuration and are invisible to regular users. Regular users cannot see objects unless they have MAC access to them.