By default, the zonecfg file-mac-profile property is not set in a non-global zone. A zone is configured to have a writable root dataset.
In a solaris read-only zone, the file-mac-profile property is used to configure a read-only zone root. A read-only root restricts access to the runtime environment from inside the zone.
Through the zonecfg utility, the file-mac-profile can be set to one of the following values. All of the profiles except none will cause the /var/pkg directory and its contents to be read-only from inside the zone.
Standard, read-write, non-global zone, with no additional protection beyond the existing zones boundaries. Setting the value to none is equivalent to not setting file-mac-profile property.
Read-only file system, no exceptions.
IPS packages cannot be installed.
Persistently enabled SMF services are fixed.
SMF manifests cannot be added from the default locations.
Logging and auditing configuration files are fixed. Data can only be logged remotely.
Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
IPS packages, including new packages, cannot be installed.
Persistently enabled SMF services are fixed.
SMF manifests cannot be added from the default locations.
Logging and auditing configuration files can be local. syslog and audit configuration are fixed.
Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides closest functionality to the Oracle Solaris 10 native sparse root zone documented in System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones . This is the Oracle Solaris 10 version of the guide.
IPS packages, including new packages, cannot be installed.
Persistently enabled SMF services are fixed.
SMF manifests cannot be added from the default locations.
Logging and auditing configuration files can be local. syslog and audit configuration can be changed.