How to Assign a Label to a File System

Before you begin, you must have created an encodings file and then logged out and logged back in. You also must be a user who can assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

To create a labeled file system, you enable the multilevel ZFS property. This action can be performed at any time during the lifetime of a ZFS dataset.

  1. Verify that your label policy is in effect.
    $ labelcfg list
    list-of-labels
    $ labelcfg info clearance
    clearance
    $ plabel
    clearance

    The clearance value returned by labelcfg info clearance and by plabel should be identical. If the values differ, either you did not commit the value of clearance when you edited the encodings file, or you have not logged out and logged back in since.

  2. Assume the root role.
    $ su - root
    Password: 
    #
  3. Modify or create the ZFS datasets that will contain sensitive, labeled files.
    • To modify an existing file system and set a label on the mount point:

      # zfs set multilevel=on rpool/existing-fs
      # setlabel "label" /existing-fs-mountpoint

      For example, to label the /export/home directory:

      # zfs set multilevel=on rpool/export/home
      # setlabel "Conf - Internal Use Only" /export/home
    • To create a labeled file system, mount it, and set a label on the mount point:

      Tip: For additional protection, encrypt every new multilevel file system.

      # zfs create -o multilevel=on -o encryption=on rpool/labeled-fs
      # zfs set mountpoint=/mountpoint rpool/labeled-fs
      # setlabel "label" /mountpoint

      For example, you could label a directory that contains files for company-wide distribution.

      # zfs create -o multilevel=on -o encryption=on rpool/ftp-files
      # zfs set mountpoint=/ftpsource rpool/ftp-files
      # setlabel "Conf - Internal Use Only" /ftpsource
  4. Verify that the file system is labeled.

    # getlabel /mountpoint
    label
  5. Share the file system over NFS as a labeled file system.

    If you do not share a labeled file system with the share.nfs.labeled=on option, files whose labels are higher than ADMIN_LOW cannot be accessed by NFS clients.

    Tip: To minimize the risk of identity spoofing, specify an NFS security option together with the labeled option. See the nfssec(7) man page.

    # zfs share -o nfs=on -o share.nfs.labeled=on -o share.nfs.sec=krb5 rpool/labeled-fs
  6. View the upper bound of the file system.

    The value of the mlslabel property is the upper bound of the file system and cannot be lowered.

    # zfs get mlslabel
    NAME                              PROPERTY  VALUE                 SOURCE
    ...
    rpool/VARSHARE/zones              mlslabel  none                       -
    rpool/dump                        mlslabel  -                          -
    rpool/export                      mlslabel  none                       -
    rpool/export/home                 mlslabel  Conf - Internal Use Only   -

    If higher-labeled files are added, the upper bound is raised to the label of the higher files. A labeled file system retains its label even if all labeled files are reset or removed.

  7. Assign clearances that are higher than the default clearance to trusted users and trusted roles.
    # usermod -K clearance="higher-than-default-clearance" trusted-user1
    # rolemod -K clearance="higher-than-default-clearance" trusted-role1
  8. Assign clearances that are lower than the default clearance to guest users.

    # usermod -K clearance=Public guest
  9. Configure the auditing of sensitive files by enabling the labeled-only audit policy, then set the appropriate audit flags.

    This policy enables you to audit file-read events and set the audit flags for labeled files.

    # auditconfig -setpolicy +labeled-only
    # auditconfig -setflags fr,fw,fm,dc,fd,ex,lo

    When the labeled-only policy is in effect and the fr audit class is enabled, only labeled files are audited for file reads; regular files are not.
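
As an added example (not from the Oracle documentation), the following POSIX shell function reviews zfs get output for the multilevel datasets configured in steps 3 through 6 and flags any that have no upper bound yet, are unencrypted, or are not shared with the labeled option. It assumes that share.nfs.labeled can be read with zfs get like the other properties; the sample input is constructed, not captured from a real system.

```shell
#!/bin/sh
# review_labeled: read tab-separated "dataset<TAB>property<TAB>value" lines, as produced by
#   zfs get -H -o name,property,value multilevel,mlslabel,encryption,share.nfs.labeled -r rpool
# and print one status line per multilevel=on dataset.
# Assumption: share.nfs.labeled is readable through zfs get like the other properties.
review_labeled() {
    awk '
        BEGIN { FS = "\t" }
        { v[$1, $2] = $3; seen[$1] = 1 }
        END {
            for (ds in seen) {
                if (v[ds, "multilevel"] != "on") continue
                msg = ""
                # mlslabel is the upper bound (step 6); "none" means no labeled file yet
                if (v[ds, "mlslabel"] == "none" || v[ds, "mlslabel"] == "") msg = msg " no-upper-bound"
                # the Tip in step 3 asks for every multilevel file system to be encrypted
                if (v[ds, "encryption"] == "off") msg = msg " unencrypted"
                # without share.nfs.labeled=on, files above ADMIN_LOW are unreachable over NFS (step 5)
                if (v[ds, "share.nfs.labeled"] != "on") msg = msg " not-shared-labeled"
                if (msg == "") msg = " ok"
                print ds ":" msg
            }
        }' | sort
}

# sample_zfs_get: constructed stand-in for the zfs get command named above.
sample_zfs_get() {
    printf '%s\t%s\t%s\n' \
        rpool/export/home multilevel on \
        rpool/export/home mlslabel 'Conf - Internal Use Only' \
        rpool/export/home encryption off \
        rpool/export/home share.nfs.labeled off \
        rpool/ftp-files multilevel on \
        rpool/ftp-files mlslabel 'Conf - Internal Use Only' \
        rpool/ftp-files encryption on \
        rpool/ftp-files share.nfs.labeled on \
        rpool/export multilevel off \
        rpool/export mlslabel none \
        rpool/export encryption off \
        rpool/export share.nfs.labeled off
}

# On a real system: zfs get -H -o name,property,value ... -r rpool | review_labeled
sample_zfs_get | review_labeled
```

Datasets with multilevel=off are skipped, so only the file systems that actually carry labels appear in the report.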

Example 3-1 Finding Files of a Specified Label

The following script finds all files of a specified label.

#!/bin/sh
# Find all files whose label matches $1 (case-insensitive substring match).
# Run from a role that can read every mounted multilevel file system.

pattern=$1
if [ -z "$pattern" ]; then
	echo "usage: $0 label-pattern" >&2
	exit 1
fi

# Walk every mounted multilevel ZFS file system under rpool.
zfs list -Ho multilevel,mounted,mountpoint -t filesystem -r rpool |
while read -r multilevel mounted mountpt; do
	if [ "$multilevel" = on ] && [ "$mounted" = yes ]; then
		find "$mountpt" -print | while read -r file; do
			# getlabel prints "path: label"; keep only the label part.
			label=$(getlabel "$file" 2>/dev/null | cut -d: -f2- |
			    grep -i -- "$pattern" 2>/dev/null)
			if [ -n "$label" ]; then
				printf '%s\n\t%s\n' "$file" "$label"
			fi
		done
	fi
done