1. Creating and Using Oracle Solaris Zones
  2. Configuring and Administering Immutable Zones
  3. Configuring Immutable Zones
  4. Setting the MWAC Security Policy

Setting the MWAC Security Policy

By default, the file-mac-profile property is not set and the zone has a writable root dataset.

Several values for file-mac-profile restrict access to all or part of the runtime environment from inside the zone. All of the profiles except none will cause the /var/pkg directory and its contents to be read-only from inside the zone. The none MWAC security policy is equivalent to an unset MWAC security policy.

The following MWAC values restrict access to all or part of the runtime environment from inside the zone:

dynamic-zones

Is valid for global zones, including the global zone of a kernel zone. Permits the creation and the destroying of kernel zones and non-global zones.

Is equivalent to fixed-configuration, but adds the ability to create and destroy kernel zones and non-global zones.

Is similar to flexible-configuration, but dynamic-zones cannot write to files in the /etc directory.

fixed-configuration

Permits updates to /var/* directories, with the exception of directories that contain system configuration components.

  • IPS packages, including new packages, cannot be installed.

  • Persistently enabled SMF services are fixed.

  • SMF manifests cannot be added from the default locations.

  • Logging and auditing configuration files can be local. syslog and audit configuration are fixed.

flexible-configuration

Permits modification of files in /etc/ * directories, changes to root's home directory, and updates to /var/ * directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone documented in the Oracle Solaris 10 guide, System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones.

  • IPS packages, including new packages, cannot be installed.

  • Persistently enabled SMF services are fixed.

  • SMF manifests cannot be added from the default locations.

  • Logging and auditing configuration files can be local. syslog and audit configuration can be changed.

strict

Read-only file system, no exceptions.

  • IPS packages cannot be installed.

  • Persistently enabled SMF services are fixed.

  • SMF manifests cannot be added from the default locations.

  • Logging and auditing configuration files are fixed. Data can only be logged remotely.

  • Running an NFS server inside an immutable zone with this profile is not supported. You must use the fixed-configuration profile to run an NFS server.

Example 11-1 Setting the MWAC Security Policy for the Global Zone

In this example, you are assigned the Zone Security rights profile and create an immutable global zone. In this zone, the zone administrator can create and destroy kernel and non-global zones. Otherwise, the zone is immutable.

global$ zonecfg -z global set file-mac-profile=dynamic-zones

After the MWAC security policy is set and you reboot the immutable zone, the zone boots transient read-write until it reaches the self-assembly-complete milestone and then reboots in read-only mode.