How to Isolate a Labeled File System in a Zone

You have enabled a label encodings file that includes the Confidential - Restricted label.

Although access to sensitive data can be restricted to users and roles based on their clearances, a label policy does not prevent cleared users or roles from copying labeled data to unlabeled directories. One way to prevent such data loss is to enable Trusted Extensions. However, you can also use standard Oracle Solaris Zones to provide an additional layer of protection.

  1. Create a labeled file system.
    # zfs create -o multilevel=on -o encryption=on \
    -o mountpoint=/mountpoint rpool/mountpoint
    # chmod 777 /mountpoint
    # setlabel "Confidential - Restricted" /mountpoint
  2. Configure and install a zone to import /mountpoint.
    1. Make the zone a solaris zone and remove the network connection.
      # zonecfg -z zonename
      zonecfg> create -b
      zonecfg> set brand=solaris
      zonecfg> remove anet
    2. Authorize a user to log in to the zone.
      zonecfg> add admin
      zonecfg> set user=username
      zonecfg> set auths=login
      zonecfg> end

      When authorized users log in to the zone, their clearance is raised to the value specified in the zone's user_attr file.

    3. Mount the labeled file system in the zone as a loopback file system with read-write permissions.
      zonecfg> add fs
      zonecfg> set dir=/mountpoint
      zonecfg> set special=/mountpoint
      zonecfg> set type=lofs
      zonecfg> add options rw
      zonecfg> end
      zonecfg> exit
    4. Install the zone.
      # zoneadm -z zonename install

    Although users might not be authorized to set individual file labels, all files in the imported file system are automatically labeled based on their containing directories. Also, although users cannot be prevented from copying files into unlabeled file systems, unlabeled data cannot leak outside the zone because the zone has no network connection. The labeled data remains available outside the zone to users and roles with sufficient clearance.

  3. In the zone context, assign a higher clearance to the authorized user.
    # zlogin zonename
    # usermod -K clearance="specific-higher-clearance" username

    The user can now log in to the zone and run at the higher clearance. In the global zone, the user's clearance is the default.

    username@global$ pfbash ; plabel
    default-user-clearance
  4. Log in as the user to the zone where the user has a higher clearance, open a profile shell, and confirm the higher clearance.
    username@global$ zlogin -l username zonename
    username@zonename$ pfbash ; plabel
    specific-higher-clearance

Example 3-3 Isolating Labeled File Systems in a Zone

This example describes how to create a labeled zone where authorized users can work on Confidential - Restricted files.

  1. The administrator creates a labeled file system that can contain files at different labels and a zone to mount it. In the mounting zone, the administrator authorizes users to log in, adds the labeled file system, and then installs the zone.

    # zfs create -o multilevel=on -o encryption=on -o mountpoint=/multi-r rpool/multi-r
    # chmod 777 /multi-r
    # setlabel "Confidential - Restricted" /multi-r
    # zonecfg -z restricted
    zonecfg> create -b
    zonecfg> set brand=solaris
    zonecfg> remove anet
    zonecfg> add admin
    zonecfg> set user=user1
    zonecfg> set auths=login
    zonecfg> end
    zonecfg> add fs
    zonecfg> set dir=/multi-r
    zonecfg> set special=/multi-r
    zonecfg> set type=lofs
    zonecfg> add options rw
    zonecfg> end
    zonecfg> exit
    # zoneadm -z restricted install
  2. The administrator assigns the user a higher clearance in the zone context.

    # zlogin restricted
    # usermod -K clearance="Confidential - Restricted" user1
  3. The administrator tests the user's clearance in the zone context.

    user1@global$ pfbash ; plabel
    Confidential - Internal
    user1@global$ zlogin -l user1 restricted
    user1@restricted$ pfbash ; plabel
    Confidential - Restricted

    User user1 has a higher clearance in the restricted zone.

  4. After halting the zone, the administrator gives other trusted users access to the restricted zone, then boots the zone.

    # zoneadm -z restricted shutdown
    # zonecfg -z restricted
    zonecfg> add admin
    zonecfg> set user=user2
    zonecfg> set auths=login
    zonecfg> end
    zonecfg> add admin
    zonecfg> set user=user3
    zonecfg> set auths=login
    zonecfg> end
    zonecfg> commit
    zonecfg> exit
    # zoneadm -z restricted boot
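The zone configuration from step 2 of the procedure and step 4 of Example 3-3 can be generated as a zonecfg command file and applied with zonecfg -z zonename -f file. The following script is an added example, not part of the Oracle documentation; it assumes the labeled dataset already exists and carries its label, and that the mountpoint is the same path inside and outside the zone, as in the procedure.

```shell
#!/bin/sh
# Added example: generate a zonecfg(1M) command file for a network-less
# solaris zone that loopback-mounts a labeled file system read-write and
# authorizes any number of users to log in. Assumes the labeled dataset was
# already created with zfs create -o multilevel=on and labeled with setlabel.

# gen_zonecfg MOUNTPOINT USER...  ->  zonecfg commands on stdout
gen_zonecfg() {
    mnt=$1
    shift
    printf 'create -b\n'
    printf 'set brand=solaris\n'
    printf 'remove anet\n'
    # One admin resource per user: an admin resource holds a single
    # user/auths pair, so each authorized user needs its own add/end block.
    for user in "$@"; do
        printf 'add admin\nset user=%s\nset auths=login\nend\n' "$user"
    done
    # Import the labeled file system under the same path, read-write.
    printf 'add fs\nset dir=%s\nset special=%s\n' "$mnt" "$mnt"
    printf 'set type=lofs\nadd options rw\nend\n'
    printf 'commit\nexit\n'
}

# count_admins MOUNTPOINT USER...  ->  number of admin resources generated
count_admins() {
    gen_zonecfg "$@" | grep -c '^add admin$'
}

# configure_zone ZONENAME MOUNTPOINT USER...
# Applies the generated file with zonecfg; requires Oracle Solaris, so the
# zone must be halted first (zoneadm -z zonename shutdown) if it exists.
configure_zone() {
    zone=$1
    shift
    cmdfile=$(mktemp) || return 1
    gen_zonecfg "$@" > "$cmdfile"
    zonecfg -z "$zone" -f "$cmdfile"
    rc=$?
    rm -f "$cmdfile"
    return $rc
}
```

After configure_zone restricted /multi-r user1 user2 user3, the zone is installed or booted with zoneadm as in the procedure, and each user still needs usermod -K clearance=... inside the zone to run at the higher clearance.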