| 
 | |||||||||||||||||||||||||
| Part I Initial Configuration of Trusted Extensions 1. Security Planning for Trusted Extensions 2. Configuration Roadmap for Trusted Extensions 3. Adding Solaris Trusted Extensions Software to the Solaris OS (Tasks) 4. Configuring Trusted Extensions (Tasks) 5. Configuring LDAP for Trusted Extensions (Tasks) 6. Configuring a Headless System With Trusted Extensions (Tasks) Part II Administration of Trusted Extensions 7. Trusted Extensions Administration Concepts 8. Trusted Extensions Administration Tools 9. Getting Started as a Trusted Extensions Administrator (Tasks) 10. Security Requirements on a Trusted Extensions System (Overview) 11. Administering Security Requirements in Trusted Extensions (Tasks) 12. Users, Rights, and Roles in Trusted Extensions (Overview) 13. Managing Users, Rights, and Roles in Trusted Extensions (Tasks) 14. Remote Administration in Trusted Extensions (Tasks) 15. Trusted Extensions and LDAP (Overview) 16. Managing Zones in Trusted Extensions (Tasks) 17. Managing and Mounting Files in Trusted Extensions (Tasks) Sharing and Mounting Files in Trusted Extensions NFS Mounts in Trusted Extensions Sharing Files From a Labeled Zone Access to NFS Mounted Directories in Trusted Extensions Trusted Extensions Software and NFS Protocol Versions 18. Trusted Networking (Overview) 19. Managing Networks in Trusted Extensions (Tasks) 20. Multilevel Mail in Trusted Extensions (Overview) 21. Managing Labeled Printing (Tasks) 22. Devices in Trusted Extensions (Overview) 23. Managing Devices for Trusted Extensions (Tasks) 24. Trusted Extensions Auditing (Overview) 25. Software Management in Trusted Extensions (Tasks) Creating and Managing a Security Policy Site Security Policy and Trusted Extensions Computer Security Recommendations Physical Security Recommendations Personnel Security Recommendations Additional Security References B. Using CDE Actions to Install Zones in Trusted Extensions Associating Network Interfaces With Zones by Using CDE Actions (Task Map) Preparing to Create Zones by Using CDE Actions (Task Map) Creating Labeled Zones by Using CDE Actions (Task Map) C. Configuration Checklist for Trusted Extensions Checklist for Configuring Trusted Extensions D. Quick Reference to Trusted Extensions Administration Administrative Interfaces in Trusted Extensions Solaris Interfaces Extended by Trusted Extensions Tighter Security Defaults in Trusted Extensions Limited Options in Trusted Extensions E. List of Trusted Extensions Man Pages Trusted Extensions Man Pages in Alphabetical Order | Backing Up, Sharing, and Mounting Labeled Files (Task Map)The following task map describes common tasks that are used to back up and restore data from labeled file systems, and to share and mount directories and files that are labeled. 
 How to Back Up Files in Trusted Extensions
 How to Restore Files in Trusted Extensions
 How to Share Directories From a Labeled ZoneAs in the Solaris OS, the Mounts and Shares tool in the Solaris Management Console is used to share and mount files from the global zone. The tool cannot be used to mount or share directories that originate in labeled zones. Create a dfstab file at the label of the zone, and then restart the zone to share the labeled directories. Caution - Do not use proprietary names for shared file systems. The names of shared file systems are visible to every user. Before You BeginYou must be superuser, or in the System Administrator role in the global zone on the file server. 
 Example 17-2 Sharing the /export/share Directory at the PUBLIC LabelFor applications that run at the label PUBLIC, the system administrator enables users to read the documentation in the /export/share directory of the public zone. The zone named public runs at the label PUBLIC. First, the administrator creates a public workspace and edits the dfstab file. # mkdir -p /zone/public/etc/dfs # /usr/dt/bin/trusted_edit /zone/public/etc/dfs/dfstab In the file, the administrator adds the following entry: ## Sharing PUBLIC user manuals share -F nfs -o ro /export/appdocs The administrator leaves the public workspace and returns to the Trusted Path workspace. Because users are not allowed to log in to this system, the administrator shares the files by putting the zone in the ready state: # zoneadm -z public ready Users can access the shared directories once the directories are mounted on the users' systems. How to NFS Mount Files in a Labeled ZoneIn Trusted Extensions, a labeled zone manages the mounting of files in its zone. Files from unlabeled and labeled hosts can be mounted on a Trusted Extensions labeled host. 
 Trusted Extensions uses the same mounting interfaces as the Solaris OS: 
 Before You BeginYou must be on the client system, in the zone at the label of the files that you want to mount. Unless you are using the automounter, you must be superuser, or be in the System Administrator role. To mount from lower-level servers, the zone must be configured with the net_mac_aware privilege. 
 Example 17-3 Mounting Files in a Labeled Zone by Using the mount CommandIn this example, the system administrator mounts a remote file system from a public zone. The public zone is on a multilevel server. After assuming the System Administrator role, the administrator creates a workspace at the label PUBLIC. In that workspace, the administrator runs the mount command. # zonename public # mount -F nfs remote-sys:/zone/public/root/opt/docs /opt/docs A single-label file server at the label PUBLIC also contains documents to be mounted: # mount -F nfs public-sys:/publicdocs /opt/publicdocs When the public zone of the remote-sys file server is in the ready or running state, the remote-sys files successfully mount on this system. When the public-sys file server is running, the files successfully mount. Example 17-4 Mounting Files Read/Write in a Labeled Zone by Modifying the vfstab FileIn this example, the system administrator mounts two remote file systems at the label PUBLIC in the local system's public zone when the public zone boots. One file system mount is from a multilevel system, and one file system mount is from a single-label system. After assuming the System Administrator role, the administrator creates a workspace at the label PUBLIC. In that workspace, the administrator modifies the vfstab file in that zone. ## Writable books directories at PUBLIC remote-sys:/zone/public/root/opt/docs - /opt/docs nfs no yes rw public-sys:/publicdocs - /opt/publicdocs nfs no yes rw To access the files in the remote labeled zone of the multilevel system, the vfstab entry uses the zone root path of the remote system's public zone, /zone/public/root, as the directory pathname to the directories to mount. The path to the single-label system is identical to the path that would be used on a Solaris system. In a terminal window at the label PUBLIC, the administrator mounts the files. # mountall Example 17-5 Mounting Lower-Level Files in a Labeled Zone by Modifying the vfstab FileIn this example, the system administrator mounts a remote file system from a public zone in the local system's internal zone. After assuming the System Administrator role, the administrator creates a workspace at the label INTERNAL, then modifies the vfstab file in that zone. ## Readable books directory at PUBLIC ## ro entry indicates that PUBLIC docs can never be mounted rw in internal zone remote-sys:/zone/public/root/opt/docs - /opt/docs nfs no yes ro To access the files in the remote labeled zone, the vfstab entry uses the zone root path of the remote system's public zone, /zone/public/root, as the directory pathname to the directories to mount. From the perspective of a user in the internal zone, the files can be accessed at /opt/docs. In a terminal window at the label INTERNAL, the administrator mounts the files. # mountall Example 17-6 Mounting Labeled Home Directories in a Network That Is Administered by Using LDAPIn this example, the system administrator enables a new user, ikuk, to access her home directory at every label. This site uses two home directory servers, and is administered by using LDAP. The second server contains the home directories for the users jdoe and pkai. The new user is added to this list. First, after assuming the System Administrator role, the administrator modifies the auto_home_zone-name files in the /etc directory of the global zone to include the new user on the second home directory server. ## auto_home_global file jdoe homedir2-server:/export/home/jdoe pkai homedir2-server:/export/home/pkai ikuk homedir2-server:/export/home/ikuk * homedir-server:/export/home/& ## auto_home_internal file ## Mount the home directory from the internal zone of the NFS server jdoe homedir2-server:/export/home/jdoe pkai homedir2-server:/export/home/pkai ikuk homedir2-server:/export/home/ikuk * homedir-server:/export/home/& ## auto_home_public ## Mount the home directory from the public zone of the NFS server jdoe homedir2-server:/export/home/jdoe pkai homedir2-server:/export/home/pkai ikuk homedir2-server:/export/home/ikuk * homedir-server:/export/home/& Next, to enable the users to log in at all labels, the administrator repeats these edits for the auto_home_zone-name files at every label. Finally, after modifying every auto_home_zone-name file on this system, the administrator uses these files to add entries to the LDAP database. Similar to the Solaris OS, the +auto_home_public entry in the /etc/auto_home_zone-name files directs the automounter to the LDAP entries. The auto_home_zone-name files on other systems on the network are updated from the LDAP database. Example 17-7 Mounting a Lower-Level Home Directory on a System That Is Administered by Using FilesIn this example, the system administrator enables users to access their home directories at every label. The labels at the site are PUBLIC, INTERNAL, and NEEDTOKNOW. This site uses two home directory servers, and is administered by using files. The second server contains the home directories for the users jdoe and pkai. To accomplish this task, the system administrator defines the public zone NFS home directories in the public zone, and shares this configuration with the internal and needtoknow zones. First, after assuming the System Administrator role, the administrator creates a workspace at the label PUBLIC. In this workspace, the administrator creates a new file, /export/home/auto_home_public. This file contains all the customized per-user NFS specification entries. ## /export/home/auto_home_public file at PUBLIC label jdoe homedir2-server:/export/home/jdoe pkai homedir2-server:/export/home/pkai * homedir-server:/export/home/& Second, the administrator modifies the /etc/auto_home_public file to point to this new file. ## /etc/auto_home_public file in the public zone ## Use /export/home/auto_home_public for the user entries ## +auto_home_public + /export/home/auto_home_public This entry directs the automounter to use the contents of the local file. Third, the administrator similarly modifies the /etc/auto_home_public file in the internal and needtoknow zones. The administrator uses the pathname to the public zone that is visible to the internal and needtoknow zones. ## /etc/auto_home_public file in the internal zone ## Use /zone/public/export/home/auto_home_public for PUBLIC user home dirs ## +auto_home_public + /zone/public/export/home/auto_home_public ## /etc/auto_home_public file in the needtoknow zone ## Use /zone/public/export/home/auto_home_public for PUBLIC user home dirs ## +auto_home_public + /zone/public/export/home/auto_home_public When the administrator adds the new user ikuk, the addition is made to the /export/home/auto_home_public file at the PUBLIC label. ## /export/home/auto_home_public file at PUBLIC label jdoe homedir2-server:/export/home/jdoe pkai homedir2-server:/export/home/pkai ikuk homedir2-server:/export/home/ikuk * homedir-server:/export/home/& The higher-level zones read down to obtain the per-user home directories from the lower-level public zone. How to Troubleshoot Mount Failures in Trusted ExtensionsBefore You BeginYou must be in the zone at the label of the files that you want to mount. You must be the superuser, or in the System Administrator role. 
 | ||||||||||||||||||||||||
| 
 |