How to Enforce a Fixed Configuration for a Labeled File System

This procedure helps prevent malicious or inadvertent modification of the system configuration.

  1. Add the labeled file system to the global zone, then make the global zone immutable.
    # zonecfg -z global
    zonecfg:global> add dataset
    zonecfg:global:dataset> set name=rpool/labeled-fs
    zonecfg:global:dataset> end
    zonecfg:global> set file-mac-profile=fixed-configuration
    zonecfg:global> exit

    The fixed configuration also prevents modifications to the SMF method and sysconfig group properties. To modify the configuration, the client process must be running at the ADMIN_HIGH clearance or using the Trusted Path. Access to the kernel by using the mdb -k command also requires an ADMIN_HIGH process, and the mdb -K command can succeed only by using the Trusted Path. For more information, see the mdb(1) man page.

    For information about Trusted Path and zone configuration, see Administering an Immutable Zone by Using the Trusted Path Domain in Creating and Using Oracle Solaris Zones, and the zlogin(1) and zonecfg(8) man pages.

  2. To further protect the kernel, enable verified boot by using the Oracle Integrated Lights Out Manager (ILOM).

    For kernel zones, use the zonecfg command. For more information about verified boot, see Using Verified Boot in Securing Systems and Attached Devices in Oracle Solaris 11.4.

Example 3-2 Making a Global Zone That Contains Labeled File Systems Immutable

In this example, the administrator specifies that three labeled file systems on a system cannot be reconfigured except through the Trusted Path.

# zonecfg -z global
zonecfg:global> add dataset
zonecfg:global:dataset> set name=rpool/Internal
zonecfg:global:dataset> end
zonecfg:global> add dataset
zonecfg:global:dataset> set name=rpool/Restricted
zonecfg:global:dataset> end
zonecfg:global> add dataset
zonecfg:global:dataset> set name=rpool/HighlyRestricted
zonecfg:global:dataset> end
zonecfg:global> set file-mac-profile=fixed-configuration
zonecfg:global> exit
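
One way to confirm the outcome of this procedure, as an added example that is not part of the original documentation: the script audits zonecfg export output for the fixed-configuration profile and for every dataset that is expected to be present. The function names and the sample text are constructed for this example, and it assumes that export prints the configuration as zonecfg subcommands.

```sh
#!/bin/sh
# Added example: audit `zonecfg -z global export` output read from stdin.
# Assumption: export prints the configuration as zonecfg subcommands.

# Print the value of file-mac-profile, if it is set.
mac_profile() {
    awk -F= '$1 ~ /^[ \t]*set file-mac-profile$/ { print $2; exit }'
}

# Print one dataset name per line, taken only from "add dataset" resources.
dataset_names() {
    awk '$1 == "add" && $2 == "dataset" { in_ds = 1; next }
         $1 == "end"                    { in_ds = 0; next }
         in_ds && $1 == "set" && $2 ~ /^name=/ { sub(/^name=/, "", $2); print $2 }'
}

# audit_export DATASET...: report each problem, return 1 if any was found.
audit_export() {
    cfg=$(cat)
    rc=0
    profile=$(printf '%s\n' "$cfg" | mac_profile)
    if [ "$profile" != "fixed-configuration" ]; then
        echo "file-mac-profile is '${profile:-unset}', expected fixed-configuration"
        rc=1
    fi
    names=$(printf '%s\n' "$cfg" | dataset_names)
    for ds in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF -- "$ds"; then
            echo "dataset $ds is missing from the zone configuration"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: profile set, but only two of three datasets present.
sample_export() {
    cat <<'EOF'
set file-mac-profile=fixed-configuration
add dataset
set name=rpool/Internal
end
add dataset
set name=rpool/Restricted
end
EOF
}

sample_export | audit_export rpool/Internal rpool/Restricted rpool/HighlyRestricted || true
```

On a live system, the input would come from zonecfg -z global export piped into audit_export, followed by the dataset names that the configuration is supposed to contain.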