Trusted Extensions Configuration and Administration

Exit Print View

Updated: July 2014

Planning Your Labeled Zones in Trusted Extensions

Trusted Extensions software is added to Oracle Solaris in the global zone. You then configure non-global zones that are labeled. You can create one or more labeled zones for every unique label, though you do not need to create a zone for every label in your label_encodings file. A provided script enables you to easily create two labeled zones for the default user label and the default user clearance in your label_encodings file.

    After labeled zones are created, regular users can use the configured system, but these users cannot reach other systems. To further isolate services that run at the same label, you can create secondary zones. For more information, see Primary and Secondary Labeled Zones.

  • In Trusted Extensions, the local transport to connect to the X server is UNIX domain sockets. By default, the X server does not listen for TCP connections.

  • By default, non-global zones cannot communicate with untrusted hosts. You must specify the explicit remote host IP addresses or network masks that can be reached by each zone.

Trusted Extensions Zones and Oracle Solaris Zones

Trusted Extensions zones, that is, labeled zones, are a brand of Oracle Solaris Zones. Labeled zones are primarily used to segregate data. In Trusted Extensions, regular users cannot remotely log in to a labeled zone except from an equally labeled zone on another trusted system. Authorized administrators can access a labeled zone from the global zone. For more about zone brands, see the brands (5) man page.

Zone Creation in Trusted Extensions

Zone creation in Trusted Extensions is similar to zone creation in Oracle Solaris. Trusted Extensions provides the txzonemgr script to step you through the process. The script has several command line options to automate the creation of labeled zones. For more information, see the txzonemgr (1M) man page.

Access to Labeled Zones

    On a properly configured system, every zone must be able to use a network address to communicate with other zones that share the same label. The following configurations provide labeled zone access to other labeled zones:

  • all-zones interface – One all-zones address is assigned. In this default configuration, only one IP address is required. Every zone, global and labeled, can communicate with identically labeled zones on remote systems over this shared address.

    A refinement of this configuration is to create a second IP instance for the global zone to use exclusively. This second instance would not be an all-zones address. The IP instance could be used to host a multilevel service or to provide a route to a private subnet.

  • IP instances – As in the Oracle Solaris OS, one IP address is assigned to every zone, including the global zone. The zones share the IP stack. In the simplest case, all zones share the same physical interface.

    A refinement of this configuration is to assign a separate network information card (NIC) to each zone. Such a configuration is used to physically separate the single-label networks that are associated with each NIC.

    A further refinement is to use one or more all-zones interfaces in addition to an IP instance per zone. This configuration provides the option of using internal interfaces, such as vni0, to reach the global zone, thus protecting the global zone from remote attack. For example, a privileged service that binds a multilevel port on an instance of vni0 in the global zone can only be reached internally by zones that use the shared stack.

  • Exclusive IP stack – As in Oracle Solaris, one IP address is assigned to every zone, including the global zone. A virtual network interface card (VNIC) is created for each labeled zone.

    A refinement of this configuration is to create each VNIC over a separate network interface. Such a configuration is used to physically separate the single-label networks that are associated with each NIC. Zones that are configured with an exclusive IP stack cannot use the all-zones interface.

Applications That Are Restricted to a Labeled Zone

By default, labeled zones share the global zone's name service, and have read-only copies of the global zone's configuration files, including the /etc/passwd and /etc/shadow files. If you plan to install applications in a labeled zone from the labeled zone, and the package adds users to the zone, you will need writable copies of these files in the zone.

Packages such as pkg:/service/network/ftp create user accounts. To install this package by running the pkg command inside a labeled zone requires that a separate nscd daemon be running in the zone, and that the zone be assigned an exclusive IP address. For more information, see How to Configure a Separate Name Service for Each Labeled Zone.