
Trusted Extensions Configuration and Administration


Updated: March 2019

Results of Sharing and Mounting File Systems in Trusted Extensions

In Trusted Extensions, shared files can ease administration, and provide efficiency and speed. MAC is always in force.

  • Share single-level datasets from a labeled zone, over NFS – As in Oracle Solaris, shared directories ease administration. For example, you can install the man pages for Oracle Solaris on one system, and share the man page directory with other systems.

  • Share multilevel datasets from the global zone, over LOFS – LOFS-mounted datasets provide efficiency and speed when moving files from one label to another. Files are relabeled and moved within the same dataset, so the data is not copied; only the file's label and location change.

  • Share multilevel datasets from the global zone, over NFS – An NFS server can share a multilevel dataset that contains files at many labels to many clients. Such a configuration eases administration and provides a single location for file distribution. You do not require a server at a particular label to serve clients at that label.

Sharing and Mounting Files in the Global Zone

Mounting files in the global zone is identical to mounting files in Oracle Solaris, subject to MAC policy. Files that are shared from the global zone are shared at the label of the file. Therefore, file systems from a global zone are not usefully shared with the global zones of other Trusted Extensions systems, because all files are shared at the label ADMIN_LOW. The files that the global zone usefully shares with other systems are multilevel datasets.

Files and directories in a single-level dataset that are shared over LOFS from the global zone are shared at ADMIN_LOW. For example, the /etc/passwd and /etc/shadow files from the global zone can be LOFS-mounted in the labeled zones on the system. Because the files are ADMIN_LOW, they are visible but read-only in the labeled zones. Files and directories in multilevel datasets are shared at the label of each object.

The global zone can also share multilevel datasets over NFS. A client can request to mount the dataset when the NFS service is configured to use multilevel ports. The request succeeds when the client label is within the label range that is specified in the cipso template for the network interface that handles the client's NFS mount request.

Specifically, the behavior of global zones and mounted files is the following:

  • In the global zone on Trusted Extensions clients, everything in the share is readable, and the clients can write at ADMIN_HIGH, just as the local global zone processes can.

  • When the client is a labeled zone, the mounted files are read-write when the label of the zone matches the label of the shared file.

  • When the client is an unlabeled system, the mounted files are read-write when the assigned label of the client matches the label of the shared file.

  • Clients at the label ADMIN_LOW cannot mount the dataset.

  • To share multilevel datasets with labeled zones on the same system, the global zone can use LOFS.

For more information about the viewing and relabeling of files on an NFS mount, see Mounting Multilevel Datasets From Another System.

Sharing and Mounting Files in a Labeled Zone

A labeled zone can share its files with other systems at the label of the zone. Therefore, file systems from a labeled zone can be shared with zones at the same label on other Trusted Extensions systems, and with untrusted systems that are assigned the same label as the zone. For information about the ZFS property that mediates these mounts, see mlslabel Property and Mounting Single-Level File Systems.

LOFS mounts from the global zone in a labeled zone are read-only for single-level datasets. For multilevel datasets, MAC policy is enforced per file and directory label, as described in No Privilege Overrides for MAC Read-Write Policy.

mlslabel Property and Mounting Single-Level File Systems

ZFS provides a security label property, mlslabel, that contains the label of the data in the dataset. The mlslabel property is inheritable. When a ZFS dataset has an explicit label, the dataset cannot be mounted on an Oracle Solaris system that is not configured with Trusted Extensions.

If the mlslabel property is undefined, it defaults to the string none, which indicates no label.

When you mount a ZFS dataset in a labeled zone, the following occurs:

  • If the dataset is not labeled, that is, the mlslabel property is undefined, the value of the mlslabel property is changed to the label of the mounting zone.

    For the global zone, the mlslabel property is not set automatically. If you explicitly label the dataset admin_low, the dataset must be mounted read-only.

  • If the dataset is labeled, the kernel verifies that the dataset label matches the label of the mounting zone. If the labels do not match, the mount fails, unless the zone allows read-down mounts. If the zone allows read-down mounts, a lower-level file system mounts read-only.

To set the mlslabel property from the command line, use syntax similar to the following:

# zfs set mlslabel=public export/publicinfo

The file_upgrade_sl privilege is required to set an initial label or to change a non-default label to a higher-level label. The file_downgrade_sl privilege is required to remove a label, that is, to set the label to none. This privilege is also required to change a non-default label to a lower-level label.
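The rules above (the per-client access list for multilevel NFS shares, the mlslabel checks when a labeled zone mounts a dataset, and the privilege needed to change mlslabel) can be hard to keep straight. The following is an added decision model of those rules, written for this page; it is not Oracle code and does not call zfs or the kernel. Labels are modelled as a classification number plus a compartment set with ADMIN_LOW and ADMIN_HIGH as the bottom and top of the ordering; the sample labels PUBLIC, INTERNAL and INTERNAL_HR are an assumed site ordering. For files in a multilevel share whose label differs from the client's, the page only states the matching case, so the read-down, no-write-up result for non-matching labels is an assumption (ordinary MAC), marked as such in the code.

```python
"""Decision model for the Trusted Extensions mount and relabel rules on this page.
Added example, not Oracle's code.  The site labels at the bottom are assumed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Label:
    name: str
    classification: int
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """MAC dominance: classification >= other's and compartments a superset.
        ADMIN_HIGH dominates every label; every label dominates ADMIN_LOW."""
        if self == ADMIN_HIGH or other == ADMIN_LOW:
            return True
        if other == ADMIN_HIGH or self == ADMIN_LOW:
            return False
        return (self.classification >= other.classification
                and self.compartments >= other.compartments)


ADMIN_LOW = Label("ADMIN_LOW", 0)
ADMIN_HIGH = Label("ADMIN_HIGH", 255)


def in_cipso_range(client: Label, low: Label, high: Label) -> bool:
    """Can the client mount at all?  Its label must lie within the label range of
    the cipso template for the interface that receives the mount request."""
    return client.dominates(low) and high.dominates(client)


def labeled_zone_mount(dataset_label: Optional[Label], zone_label: Label,
                       allow_read_down: bool = False) -> Tuple[str, Optional[Label]]:
    """Mount a ZFS dataset in a labeled zone.  Returns (mode, resulting mlslabel);
    mode is 'rw', 'ro' or 'fail'.  dataset_label None means mlslabel=none."""
    if dataset_label is None:
        return "rw", zone_label             # unlabeled: zone label is stamped on it
    if dataset_label == zone_label:
        return "rw", dataset_label
    if allow_read_down and zone_label.dominates(dataset_label):
        return "ro", dataset_label          # lower-level dataset mounts read-only
    return "fail", dataset_label            # label mismatch, read-down not allowed


def global_zone_mount(dataset_label: Optional[Label]) -> Tuple[str, Optional[Label]]:
    """The global zone never auto-labels; an explicit admin_low dataset is read-only."""
    if dataset_label == ADMIN_LOW:
        return "ro", dataset_label
    return "rw", dataset_label              # mlslabel stays whatever it was (none included)


def nfs_client_access(client_label: Label, file_label: Label,
                      global_zone_client: bool = False) -> str:
    """Access one client gets to one file in a multilevel NFS share:
    'rw', 'ro', 'none' (file not visible) or 'no-mount'."""
    if global_zone_client:
        # everything readable; writable only at ADMIN_HIGH, like local global-zone processes
        return "rw" if file_label == ADMIN_HIGH else "ro"
    if client_label == ADMIN_LOW:
        return "no-mount"
    if client_label == file_label:          # labeled zone or unlabeled host at the file's label
        return "rw"
    # Assumption (not spelled out on the page): ordinary MAC read-down, no write-up.
    return "ro" if client_label.dominates(file_label) else "none"


def relabel_privilege(old: Optional[Label], new: Optional[Label]) -> str:
    """Privilege needed for `zfs set mlslabel=...`; None stands for mlslabel=none."""
    if old == new:
        raise ValueError("no label change")
    if old is None:
        return "file_upgrade_sl"            # setting an initial label
    if new is None:
        return "file_downgrade_sl"          # removing the label
    if new.dominates(old):
        return "file_upgrade_sl"            # raising the label
    if old.dominates(new):
        return "file_downgrade_sl"          # lowering the label
    raise ValueError("incomparable labels: not covered on this page")


# Assumed site labels for the demonstration.
PUBLIC = Label("PUBLIC", 1)
INTERNAL = Label("INTERNAL", 2)
INTERNAL_HR = Label("INTERNAL HR", 2, frozenset({"HR"}))

if __name__ == "__main__":
    print(labeled_zone_mount(PUBLIC, INTERNAL, allow_read_down=True))   # ('ro', PUBLIC)
    print(nfs_client_access(ADMIN_LOW, PUBLIC))                         # no-mount
    print(relabel_privilege(PUBLIC, None))                              # file_downgrade_sl
```

The model is useful mainly for the negative cases: a zone at INTERNAL cannot mount a dataset labeled INTERNAL HR even with read-down allowed, because it does not dominate the HR compartment, and an ADMIN_LOW client is refused the multilevel share outright rather than being given read-only access.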