About Immutable Zones
An immutable zone is a zone with a read-only root file system. The zone can be non-global or global. The read-only root preserves the zone's configuration. Also, additional restrictions to the runtime environment extend the zone's secure runtime boundary. Maintenance operations are possible, but you as administrator must take deliberate steps to access the zone for maintenance. The mandatory write access control (MWAC) security policy blocks modifications to system binaries or system configurations.
MWAC is used to enforce file system write privilege through an SMF property, file-mac-profile. You can specify the MWAC security policy by modifying the file-mac-profile value with the zonecfg command. The policy is enforced in the kernel. Because the global zone is not subject to the MWAC policy of a non-global zone, the global zone can write to a non-global zone's file system for installation, image updates, and maintenance.
The MWAC policy is downloaded when the zone enters the ready state. The policy is enabled at zone boot. To perform post-install assembly and configuration, a temporary writable root file system boot sequence is used. Modifications to the zone's MWAC configuration only take effect when you reboot the zone.
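The procedure above (set file-mac-profile with zonecfg from the global zone, then reboot the zone so the kernel enforces the new policy) as a script. This is an added example, not part of the Oracle Solaris documentation. It assumes zonecfg and zoneadm are in PATH and are run from the global zone against a running zone, that the accepted profile values are none, strict, fixed-configuration and flexible-configuration, and that `zonecfg -z ZONE info file-mac-profile` prints a line of the form `file-mac-profile: VALUE`; the zone name and profile are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): configure a
# zone's MWAC policy through the file-mac-profile property, reboot the zone
# so the policy takes effect, and confirm the configured value afterwards.
# Assumptions: run from the global zone with zonecfg/zoneadm in PATH;
# "zonecfg -z ZONE info file-mac-profile" prints "file-mac-profile: VALUE".

set -eu

# Profile values accepted by zonecfg's file-mac-profile property
# (assumed set; check zonecfg(1M) on your release).
mwac_profile_valid() {
    case "$1" in
        none|strict|fixed-configuration|flexible-configuration) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract VALUE from a "file-mac-profile: VALUE" line; prints nothing when
# the line does not carry the property (output format is an assumption).
mwac_parse_profile() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*file-mac-profile:[[:space:]]*//p' \
        | head -n 1
}

# Read the profile currently configured for a zone.
mwac_current_profile() {
    mwac_parse_profile "$(zonecfg -z "$1" info file-mac-profile)"
}

# Set the profile and reboot: the policy is downloaded at the ready state
# and enforced at boot, so a change is inert until the zone reboots.
mwac_set_profile() {
    zone=$1
    profile=$2
    if ! mwac_profile_valid "$profile"; then
        echo "invalid file-mac-profile value: $profile" >&2
        return 2
    fi
    zonecfg -z "$zone" set file-mac-profile="$profile"
    zoneadm -z "$zone" reboot
    # Confirm from the global zone, which is not subject to the zone's MWAC.
    actual=$(mwac_current_profile "$zone")
    if [ "$actual" != "$profile" ]; then
        echo "zone $zone: expected $profile, configured value is '$actual'" >&2
        return 1
    fi
    echo "zone $zone now boots with file-mac-profile=$profile"
}

# Usage: ./mwac.sh ZONE PROFILE   (does nothing when run without arguments)
[ $# -lt 2 ] || mwac_set_profile "$1" "$2"
```

Because the MWAC policy is enforced by the kernel only after the zone boots, the final read-back confirms the stored configuration rather than the live enforcement; a write attempt to a protected path from inside the rebooted zone is the operational check that the policy is active.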