Setting the MWAC Security Policy
By default, the file-mac-profile property is not set and the zone has a writable root dataset.

Several values for file-mac-profile restrict access to all or part of the runtime environment from inside the zone. All of the profiles except none will cause the /var/pkg directory and its contents to be read-only from inside the zone. The none MWAC security policy is equivalent to an unset MWAC security policy.
The following MWAC values restrict access to all or part of the runtime environment from inside the zone:

- dynamic-zones
  Is valid for global zones, including the global zone of a kernel zone. Permits the creation and the destroying of kernel zones and non-global zones. Is equivalent to fixed-configuration, but adds the ability to create and destroy kernel zones and non-global zones. Is similar to flexible-configuration, but dynamic-zones cannot write to files in the /etc directory.

- fixed-configuration
  Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
  - IPS packages, including new packages, cannot be installed.
  - Persistently enabled SMF services are fixed.
  - SMF manifests cannot be added from the default locations.
  - Logging and auditing configuration files can be local. syslog and audit configuration are fixed.

- flexible-configuration
  Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone documented in the Oracle Solaris 10 guide, System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones.
  - IPS packages, including new packages, cannot be installed.
  - Persistently enabled SMF services are fixed.
  - SMF manifests cannot be added from the default locations.
  - Logging and auditing configuration files can be local. syslog and audit configuration can be changed.

- strict
  Read-only file system, no exceptions.
  - IPS packages cannot be installed.
  - Persistently enabled SMF services are fixed.
  - SMF manifests cannot be added from the default locations.
  - Logging and auditing configuration files are fixed. Data can only be logged remotely.
  - Running an NFS server inside an immutable zone with this profile is not supported. You must use the fixed-configuration profile to run an NFS server.

Example 11-1 Setting the MWAC Security Policy for the Global Zone
In this example, you are assigned the Zone Security rights profile and create an immutable global zone. In this zone, the zone administrator can create and destroy kernel and non-global zones. Otherwise, the zone is immutable.
global$ zonecfg -z global set file-mac-profile=dynamic-zones
After the MWAC security policy is set and you reboot the immutable zone, the zone boots transient read-write until it reaches the self-assembly-complete milestone and then reboots in read-only mode.
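
To check which zones still have a writable root, the following added example (not part of the Oracle documentation) classifies each zone by its file-mac-profile value using the rules on this page. The function names, the "zone|output" record format and the sample records are constructed for illustration, and the "file-mac-profile: <value>" output format of zonecfg info is an assumption.

```shell
# Added example, not from the Oracle documentation: report each zone's MWAC profile.
# Assumption: `zonecfg -z ZONE info file-mac-profile` prints a line of the form
# "file-mac-profile: <value>" when the property is set; anything else counts as unset.

# Print the profile value found in zonecfg output ($1), or "none" if absent.
mwac_profile() {
    p=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*file-mac-profile:[[:space:]]*\([^[:space:]]*\).*/\1/p' |
        head -n 1)
    echo "${p:-none}"
}

# Classify zone $1 with profile $2 according to the rules stated on this page.
mwac_classify() {
    case "$2" in
        none) echo "WRITABLE" ;;   # same as unset: writable root dataset
        dynamic-zones)
            # documented on this page as valid for global zones
            if [ "$1" = "global" ]; then echo "IMMUTABLE"; else echo "REVIEW"; fi ;;
        fixed-configuration|flexible-configuration|strict) echo "IMMUTABLE" ;;
        *) echo "UNKNOWN" ;;       # value not described on this page
    esac
}

# Read "zone|zonecfg output" records on stdin, print "zone profile verdict".
mwac_audit() {
    while IFS='|' read -r zone out; do
        [ -n "$zone" ] || continue
        prof=$(mwac_profile "$out")
        echo "$zone $prof $(mwac_classify "$zone" "$prof")"
    done
}

# Constructed sample records. On a live system they could be built with, for example:
#   for z in $(zoneadm list -c); do echo "$z|$(zonecfg -z "$z" info file-mac-profile)"; done
mwac_sample() {
    cat <<'EOF'
global|file-mac-profile: dynamic-zones
web01|file-mac-profile: strict
db01|
build01|file-mac-profile: none
kz1|file-mac-profile: dynamic-zones
EOF
}

mwac_sample | mwac_audit
```

Zones reported as WRITABLE have no MWAC restriction in effect, and a REVIEW verdict marks dynamic-zones set on a zone other than global.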