This appendix covers how to configure labeled zones in Solaris Trusted Extensions by using Trusted CDE actions. If you are running the Solaris 10 11/06 release without patches, or if you are familiar with these actions, use the Trusted CDE actions. To use the txzonemgr script, see Creating Labeled Zones.Associating Network Interfaces With Zones by Using CDE Actions (Task Map) Preparing to Create Zones by Using CDE Actions (Task Map) Creating Labeled Zones by Using CDE Actions (Task Map) Do only one of the following tasks. For the trade-offs, see Planning for Multilevel Access.Task Description For Instructions Share a logical interface. Map the global zone to one IP address, and map the labeled zones to a different IP address. Specify Two IP Addresses for the System by Using a CDE Action Share a physical interface. Map all zones to one IP address. Specify One IP Address for the System by Using a CDE Action In this configuration, the host's address applies only to the global zone. Labeled zones share a second IP address with the global zone. You are superuser in the global zone. The system has already been assigned two IP addresses. You are in a Trusted CDE workspace. Navigate to the Trusted_Extensions folder.Click mouse button 3 on the background. From the Workspace menu, choose Applications → Application Manager. Double-click the Trusted_Extensions folder icon.This folder contains actions that set up interfaces, LDAP clients, and labeled zones. Double-click the Share Logical Interface action and answer the prompts.The system must already have been assigned two IP addresses. For this action, provide the second address and a host name for that address. The second address is the shared address. Hostname: Type the name for your labeled zones interface IP Address: Type the IP address for the interfaceThis action configures a host with more than one IP address. The IP address for the global zone is the name of the host. The IP address for a labeled zone has a different host name. In addition, the IP address for the labeled zones is shared with the global zone. When this configuration is used, labeled zones are able to reach a network printer.Use a standard naming convention for labeled zones. For example, add -zones to the host name. In a terminal window, verify the results of the action.# ifconfig -aFor example, the following output shows a shared logical interface, hme0:3 on network interface 192.168.0.12 for the labeled zones. The hme0 interface is the unique IP address of the global zone. lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1 inet 127.0.0.1 netmask ff000000 ether 0:0:00:00:00:0 hme0: flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2 inet 192.168.0.11 netmask fffffe00 broadcast 192.168.0.255 hme0:3 flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2 all-zones inet 192.168.0.12 netmask fffffe00 broadcast 192.168.0.255 In this configuration, the host's address applies to all the zones, including the labeled zones. You are superuser in the global zone. You are in a Trusted CDE workspace. Navigate to the Trusted_Extensions folder.Click mouse button 3 on the background. From the Workspace menu, choose Applications → Application Manager. Double-click the Trusted_Extensions folder icon.This folder contains actions that set up interfaces, LDAP clients, and labeled zones. Double-click the Share Physical Interface action.This action configures a host with one IP address. The global zone does not have a unique address. This system cannot be used as a multilevel print server or NFS server. In a terminal window, verify the results of the action.# ifconfig -aThe Share Physical Interface action configures all zones to have logical NICs. These logical NICs share a single physical NIC in the global zone.For example, the following output shows the shared physical interface, hme0 on network interface 192.168.0.11 for all the zones.lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1 inet 127.0.0.1 netmask ff000000 ether 0:0:00:00:00:0 hme0: flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2 all-zones inet 192.168.0.11 netmask fffffe00 broadcast 192.168.0.255 The following task map describes the tasks for preparing the system for zone creation. For a discussion of zone creation methods, see Planning for Zones in Trusted Extensions.Task Description For Instructions 1. Name each zone, and link the zone name to the zone label. Name each labeled zone with a version of its label, then associate the name with the label in the Solaris Management Console. Specify Zone Names and Zone Labels by Using a CDE Action 2. Configure the network before creating the zones. Assign a label to the network interface on every host, and do further configuration. Configuring Trusted Network Databases (Task Map) in Solaris Trusted Extensions Administrator’s Procedures You do not have to create a zone for every label in your label_encodings file, but you can. The tnzonecfg database enumerates the labels that can have zones created for them on this system. Navigate to the Trusted_Extensions folder.Click mouse button 3 on the background. From the Workspace menu, choose Applications → Application Manager. Double-click the Trusted_Extensions folder icon. For every zone, name the zone. Double-click the Configure Zone action. At the prompt, provide a name.Give the zone a similar name to the zone's label. For example, the name of a zone whose label is CONFIDENTIAL : INTERNAL USE ONLY would be internal. Repeat the Configure Zone action for every zone.For example, the default label_encodings file contains the following labels:PUBLIC CONFIDENTIAL: INTERNAL USE ONLY CONFIDENTIAL: NEED TO KNOW CONFIDENTIAL: RESTRICTED SANDBOX: PLAYGROUND MAX LABELAlthough you could run the Configure Zone action six times to create one zone per label, consider creating the following zones:On a system for all users, create one zone for the PUBLIC label and three zones for the CONFIDENTIAL labels. On a system for developers, create a zone for the SANDBOX: PLAYGROUND label. Because SANDBOX: PLAYGROUND is defined as a disjoint label for developers, only systems that developers use need a zone for this label. Do not create a zone for the MAX LABEL label, which is defined to be a clearance. Open the Trusted Network Zones tool.The tools in the Solaris Management Console are designed to prevent user error. These tools check for syntax errors and automatically run commands in the correct order to update databases.Start the Solaris Management Console.# /usr/sbin/smc & Open the Trusted Extensions toolbox for the local system.Choose Console → Open Toolbox. Select the toolbox that is named This Computer (this-host: Scope=Files, Policy=TSOL). Click Open. Under System Configuration, navigate to Computers and Networks.Provide a password when prompted. Double-click the Trusted Network Zones tool. For each zone, associate the appropriate label with a zone name.Choose Action → Add Zone Configuration.The dialog box displays the name of a zone that does not have an assigned label. Look at the zone name, then click Edit. In the Label Builder, click the appropriate label for the zone name.If you click the wrong label, click the label again to deselect it, then click the correct label. Save the assignment.Click OK in the Label Builder, then click OK in the Trusted Network Zones Properties dialog box. You are finished when every zone that you want is listed in the panel, or the Add Zone Configuration menu item opens a dialog box that does not have a value for Zone Name. If the Trusted Network Zones Properties dialog box does not prompt for a zone that you want to create, either the zone network configuration file does not exist, or you have already created the file.Check that the zone network configuration file does not already exist. Look in the panel for the name. If the file does not exist, run the Configure Zone action to supply the zone name. Then, repeat Step 5 to create the file. One zone can be created for every entry in the Trusted Network Zone Configuration database. You made the entries in Specify Zone Names and Zone Labels by Using a CDE Action, by running the Configure Zone action.The Trusted_Extensions folder in the Application Manager contains the following actions that create labeled zones:Configure Zone – Creates a zone configuration file for every zone name Install Zone – Adds the correct packages and file systems to the zone Zone Terminal Console – Provides a window for viewing events in a zone Initialize Zone for LDAP – Makes the zone an LDAP client and prepares the zone for booting Start Zone – Boots the zone, then starts all the service management framework (SMF) services Shut Down Zone – Changes the state of the zone from Started to Halted The tasks are completed in the following order.Task Description For Instructions 1. Install and boot one zone. Create the first labeled zone. Install the packages, make the zone an LDAP client, and start all services in the zone. Install, Initialize, and Boot a Labeled Zone by Using CDE Actions 2. Customize the zone. Remove unwanted services. If you plan to copy or clone the zone, remove zone-specific information. Customize a Booted Zone in Trusted Extensions 3. Create the other zones. Use one of the following methods to create the other zones. You chose the method in Make System and Security Decisions Before Installing Trusted Extensions. Create each zone from scratch. Install, Initialize, and Boot a Labeled Zone by Using CDE ActionsCustomize a Booted Zone in Trusted Extensions Copy the first labeled zone to another label. Repeat for all zones. Use the Copy Zone Method in Trusted Extensions Use a ZFS snapshot to clone the other zones from the first labeled zone. Use the Clone Zone Method in Trusted Extensions Because zone creation involves copying an entire operating system, the process is time-consuming. A faster process is to create one zone, make the zone a template for other zones, and then copy or clone that zone template. You have completed Specify Zone Names and Zone Labels by Using a CDE Action.If you are using LDAP as your naming service, you have completed Make the Global Zone an LDAP Client in Trusted Extensions.If you are going to clone zones, you have completed Create ZFS Pool for Cloning Zones. In the following procedure, you install the zone that you prepared. In the Trusted_Extensions folder, double-click the Install Zone action.Type the name of the zone that you are installing.This action creates a labeled virtual operating system. This step takes some time to finish. Do not do other tasks on the system while Install Zone is running.# zone-name: Install Zone Preparing to install zone <zone-name> Creating list of files to copy from the global zone Copying <total> files to the zone Initializing zone product registry Determining zone package initialization order. Preparing to initialize <subtotal> packages on the zone. Initializing package <number> of <subtotal>: percent complete: percent Initialized <subtotal> packages on zone. Zone <zone-name> is initialized. The file /zone/internal/root/var/sadm/system/logs/install_log contains a log of the zone installation. *** Select Close or Exit from the window menu to close this window *** Open a console to monitor events in the installed zone.Double-click the Zone Terminal Console action. Type the name of the zone that was just installed. Initialize the zone.If you are using LDAP, double-click the Initialize Zone for LDAP action.Zone name: Type the name of the installed zone Host name for the zone: Type the host name for this zoneFor example, on a system with a shared logical interface, the values would be similar to the following:Zone name: public Host name for the zone: machine1-zonesThis action makes the labeled zone an LDAP client of the same LDAP server that serves the global zone. The action is complete when the following information appears:zone-name zone will be LDAP client of IP-address zone-name is ready for booting Zone label is LABEL *** Select Close or Exit from the window menu to close this window *** If you are not using LDAP, initialize the zone manually by doing one of the following steps.The manual procedure in Trusted Extensions is identical to the procedure for the Solaris OS. If the system has at least one all-zones interface, then the hostname for all the zones must match the global zone's hostname. In general, the answers to the questions during zone initialization are the same as the answers for the global zone.Supply the host information by doing one of the following:After you start the zone in Step 3, answer the questions in the Zone Terminal Console about system characteristics.Your answers are used to populate the sysidcfg file in the zone. Place a custom sysidcfg file in the zone's /etc directory before booting the zone in Step 3. Double-click the Start Zone action.Answer the prompt.Zone name: Type the name of the zone that you are configuringThis action boots the zone, then starts all the services that run in the zone. For details about the services, see the smf5 man page.The Zone Terminal Console tracks the progress of booting the zone. Messages that are similar to the following appear in the console:[Connected to zone 'public' console] [NOTICE: Zone booting up] ... Hostname: zonename Loading smf(5) service descriptions: number/total Creating new rsa public/private host key pair Creating new dsa public/private host key pair rebooting system due to change(s) in /etc/default/init [NOTICE: Zone rebooting] Monitor the console output.Before continuing with Customize a Booted Zone in Trusted Extensions, make sure that the zone has rebooted. The following console login prompt indicates that the zone has rebooted.hostname console login: For Install Zone: If warnings that are similar to the following are displayed: Installation of these packages generated errors: SUNWpkgname, read the install log and finish installing the packages. If you are going to clone zones, this procedure configures a zone to be a template for other zones. In addition, this procedure configures the zone for use. Ensure that the zone has been completely started.In the zone-name: Zone Terminal Console, log in as root.hostname console login: root Password: Type root password Check that the zone is running.The status running indicates that at least one process is running in the zone.# zoneadm list -v ID NAME STATUS PATH 2 public running / Check that the zone can communicate with the global zone.The X server runs in the global zone. Each labeled zone must be able to connect with the global zone to use this service. Therefore, zone networking must work before the zone can be used. For assistance, see Labeled Zone Is Unable to Access the X Server. In the Zone Terminal Console, disable services that are unnecessary in a labeled zone.If you are copying or cloning this zone, the services that you disable are disabled in the new zones. The services that are online on your system depend on the service manifest for the zone. Use the netservices limited command to turn off services that labeled zones do not need.Remove many unnecessary services.# netservices limited List the remaining services.# svcs ... STATE STIME FMRI online 13:05:00 svc:/application/graphical-login/cde-login:default ... Disable graphical login.# svcadm disable svc:/application/graphical-login/cde-login # svcs cde-login STATE STIME FMRI disabled 13:06:22 svc:/application/graphical-login/cde-login:default For information about the service management framework, see the smf5 man page. Shut down the zone.Choose one of the following ways:Run the Shut Down Zone action.Provide the name of the zone. In a terminal window in the global zone, use the zlogin command.# zlogin zone-name init 0For more information, see the zlogin1 man page. Verify that the zone is shut down.In the zone-name: Zone Terminal Console, the following message indicates that the zone is shut down:[ NOTICE: Zone halted]If you are not copying or cloning this zone, create the remaining zones in the way that you created this first zone. If you are using this zone as a template for other zones, do the following:Remove the auto_home_zone-name file.In a terminal window in the global zone, remove this file from the zone-name zone.cd /zone/zone-name/root/etc # ls auto_home* auto_home auto_home_zone-name # rm auto_home_zone-nameFor example, if the public zone were the basis for cloning other zones, remove its auto_home file:# cd /zone/public/root/etc # rm auto_home_public If you are copying a zone, go to Use the Copy Zone Method in Trusted Extensions. If you are cloning a zone, go to Use the Clone Zone Method in Trusted Extensions. You have completed Specify Zone Names and Zone Labels by Using a CDE Action. You have customized a zone that is the template for cloning in Creating Labeled Zones by Using CDE Actions (Task Map). You are not currently running the zone that is your template for cloning. The Trusted_Extensions folder is displayed. For every zone that you want to create, double-click the Copy Zone action.Answer the prompts.New Zone Name: Type name of target zone From Zone Name: Type name of source zoneDo not perform other tasks while this task is completing. When the zones are created, check the status of every zone.Double-click the Zone Terminal Console action. Log in to each zone. Complete Verify the Status of the Zone. You have completed Specify Zone Names and Zone Labels by Using a CDE Action. You have completed Create ZFS Pool for Cloning Zones. You have created the zone template by completing Create ZFS Pool for Cloning Zones. You have customized a zone that is your template for cloning in Creating Labeled Zones by Using CDE Actions (Task Map). The zone that is your template for cloning is shut down. The Trusted_Extensions folder is displayed. Create a Solaris ZFS snapshot of the zone template.# cd / # zfs snapshot zone/zone-name@snapshotYou use this snapshot to clone the remaining zones. For a configured zone that is named public, the snapshot command is the following:# zfs snapshot zone/public@snapshot For every zone that you want to create, double-click the Clone Zone action.Answer the prompts.New Zone Name: Type name of source zone ZFS Snapshot: Type name of snapshot Read the information in the dialog box.Zone label is <LABEL> zone-name is ready for booting *** Select Close or Exit from the window menu to close this window *** For each zone, run the Start Zone action.Start each zone before running the action for another zone. After the zones are created, check the status of every zone.Double-click the Zone Terminal Console action. Complete Verify the Status of the Zone.