Go to main content

Securing Files and Verifying File Integrity in Oracle® Solaris 11.4

Exit Print View

Updated: August 2018
 
 

How to Isolate a Labeled File System in a Zone

Although access to sensitive data can be restricted to users and roles based on their clearances, a label policy does not prevent cleared users or roles from copying labeled data to unlabeled directories. One way to prevent such data loss is to enable Trusted Extensions. However, you can also use standard Oracle Solaris Zones to provide an additional layer of protection.

Before You Begin

You have enabled a label encodings file that includes the Confidential - Restricted label.

  1. Create a labeled file system.
    # zfs create -o multilevel=on -o encryption=on \
    -o mountpoint=/mountpoint rpool/mountpoint
    # chmod 777  /mountpoint
    # setlabel "Confidential - Restricted" /mountpoint
  2. Configure and install a zone to import /mountpoint.
    1. Make the zone a solaris zone and remove the network connection.
      # zonecfg -z zonename
      zonecfg> create -b
      zonecfg> set brand=solaris
      zonecfg> remove anet
    2. Authorize a user to log in to the zone.
      zonecfg> add admin
      zonecfg> set user=username
      zonecfg> set auths=login
      zonecfg> end

      When authorized users log in to the zone, their clearance is raised to the value specified in the zone's user_attr file.

    3. Mount the labeled file as a loopback file system with read-write permissions.
      zonecfg> add fs
      zonecfg> set dir=/mountpoint
      zonecfg> set special=/mountpoint
      zonecfg> set type=lofs
      zonecfg> add options rw
      zonecfg> end
      zonecfg> exit
    4. Install the zone.
      # zoneadm -z zonename install

    Although users might not be authorized to set individual file labels, all files in the imported file systems would be automatically labeled based on their containing directories. Also, although users cannot be prevented from copying files into unlabeled file systems, unlabeled data cannot leak outside the zone. The labeled data is available outside of the zone to users and roles with sufficient clearance.

  3. In the zone context, assign a higher clearance to the authorized user.
    # zlogin zonename
    # usermod -K clearance="specific-higher-clearance" username

    The user can now log in to the zone and run at the higher clearance. In the global zone, the user's clearance is the default.

    username@global$ pfbash ; plabel 
    default-user-clearance
  4. Log in as the user to the zone where the user has a higher clearance, open a profile shell. and confirm the higher clearance.
    username@global$ zlogin -l username zonename
    username@zonename$ pfbash ; plabel
    specific-higher-clearance
Example 16  Isolating Labeled File Systems in a Zone

This example describes how to create a labeled zone where authorized users can work on Confidential - Restricted files.

  1. The administrator creates a labeled file system that can contain files at different labels and a zone to mount it. In the mounting zone, the administrator authorizes users to log in, adds the labeled file system, and then installs the zone.

    # zfs create -o multilevel=on -o encryption=on -o mountpoint=/multi-r rpool/multi-r
    # chmod 777  /multi-r
    # setlabel "Confidential - Restricted" /multi-r
    # zonecfg -z restricted
    zonecfg> create -b
    zonecfg> set brand=solaris
    zonecfg> remove anet
    zonecfg> add admin
    zonecfg> set user=user1
    zonecfg> set auths=login
    zonecfg> end
    zonecfg> add fs
    zonecfg> set dir=/multi-r
    zonecfg> set special=/multi-r
    zonecfg> set type=lofs
    zonecfg> add options rw
    zonecfg> end
    zonecfg> exit
    # zoneadm -z restricted install
  2. The administrator assigns the user a higher clearance in the zone context.

    # zlogin restricted
    # usermod -K clearance="Confidential - Restricted" user1
  3. The administrator tests the user's clearance in the zone context.

    user1@global$ pfbash ; plabel
    Confidential - Internal
    user1@global$ zlogin -l user1 restricted
    user1@restricted$ pfbash ; plabel
    Confidential -  Restricted

    User user1 has a higher clearance in the restricted zone.

  4. After halting the zone, the administrator gives other trusted users access to the restricted zone, then boots the zone.

    # zoneadm -z restricted shutdown
    # zonecfg -z restricted
    zonecfg> set admin
    zonecfg> set user=user2
    zonecfg> set auths=login
    zonecfg> set user=user3
    zonecfg> set auths=login
    zonecfg> commit
    zonecfg> end
    zonecfg> exit
    # zoneadm -z restricted boot