Troubleshooting Your Trusted Extensions Configuration
In Trusted Extensions, the labeled zones communicate with the X server through the global zone. Therefore, the labeled zones must have usable routes to the global zone. Options that were selected during the Solaris installation, such as restricting network services with netservices limited, can also prevent Trusted Extensions from using the interfaces to the global zone.
netservices limited Was Run After Trusted Extensions Was Enabled
- Description:
You ran the netservices limited command in the global zone after you enabled Trusted Extensions, instead of before. The command turns off the TCP listener of the X server and the rstat service, so your labeled zones are unable to connect to the X server in the global zone.
- Solution:
Run the following commands in the global zone to reopen the services that Trusted Extensions requires to communicate between zones:
# svccfg -s x11-server setprop options/tcp_listen = true
# svcadm enable svc:/network/rpc/rstat:default
The svccfg command changes only the service repository; the new tcp_listen value is read when the X server is next refreshed or restarted.
Cannot Open the Console Window in a Labeled Zone
- Description:
When you attempt to open a console window in a labeled zone, the following error appears in a dialog box:
Action:DttermConsole,*,*,*,0 [Error]
Action not authorized.
- Solution:
Verify that the following two lines are present in the /etc/security/exec_attr file of each labeled zone:
All Actions:solaris:act:::*;*;*;*;*:
All:solaris:act:::*;*;*;*;*:
If these lines are not present, the Trusted Extensions package that adds these entries was not installed in the labeled zones. In this case, re-create the labeled zones. For the procedure, see Creating Labeled Zones.
Labeled Zone Is Unable to Access the X Server
- Description:
If a labeled zone cannot successfully access the X server, you might see messages such as the following:
- Cause:
The labeled zones might not be able to access the X server for any of the following reasons:
The zone is not initialized and is waiting for the sysidcfg process to complete.
The labeled zone's host name is not recognized by the naming service that runs in the global zone.
No interface is specified as all-zones.
The labeled zone's network interface is down.
LDAP name lookups fail.
NFS mounts do not work.
- Steps toward a solution:
Do the following:
Log in to the zone. You can use the zlogin command or the Zone Terminal Console action:
# zlogin zone-name
If you cannot log in as superuser, use the zlogin -S command, which skips the normal login processing.
Verify that the zone is running:
# zoneadm list -v
A zone whose STATUS is running has booted and is running at least one process. Without the -v option, zoneadm list prints only the names of running zones, so a zone that is missing from that list has not booted.
Address any problems that prevent the labeled zones from accessing the X server.
Initialize the zone by completing the sysidcfg process. Answer the system identification prompts interactively in the Zone Terminal Console, or in the terminal window where you ran the zlogin command. To complete the sysidcfg process noninteractively, do one of the following:
Specify the Initialize item of the /usr/sbin/txzonemgr script. The Initialize item enables you to supply default values for the sysidcfg questions.
Write your own sysidcfg file. For more information, see the sysidcfg(4) man page.
Verify that the X server is available to the zone. Log in to the labeled zone, set the DISPLAY variable to point to the X server in the global zone, and open a window:
# DISPLAY=global-zone-hostname:n.n
# export DISPLAY
# /usr/openwin/bin/xclock
If a labeled window does not appear, the zone networking has not been configured correctly for that labeled zone.
Note - If you are running Trusted CDE starting with the Solaris 10 5/09 release, see Resolve Local Zone to Global Zone Routing in Trusted CDE.
Configure the zone's host name with the naming service. The zone's local /etc/hosts file is not used. Instead, equivalent information must be specified in the global zone or on the LDAP server. The information must include the IP address of the host name that is assigned to the zone.
No interface is specified as all-zones. Unless all your zones have IP addresses on the same subnet as the global zone, you might need to configure an all-zones (shared) interface. This configuration enables a labeled zone to connect to the X server of the global zone. If you want to restrict remote connections to the X server of the global zone, you can use vni0 as the all-zones address. If you do not want an all-zones interface configured, you must provide a route to the global zone X server for each zone. These routes must be configured in the global zone.
The labeled zone's network interface is down. Use the ifconfig command to verify that the labeled zone's network interface is both UP and RUNNING:
# ifconfig -a
LDAP name lookups fail. Use the ldaplist command to verify that each zone can communicate with the LDAP server or the LDAP proxy server. On the LDAP server, verify that the zone is listed in the tnrhdb database.
NFS mounts do not work. As superuser, restart automount in the zone. Or, add a crontab entry to run the automount command every five minutes.
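The checks in this procedure, together with the two preceding problems (the tcp_listen setting that netservices limited turns off, and the missing exec_attr entries), can be scripted. The following is an added example, not code from the Trusted Extensions guide or from Solaris: a set of small POSIX sh helpers, each of which reads the output of one diagnostic command on standard input and reports the condition the text tells you to look for. It is exercised here on constructed sample output so that it runs offline; the helper names, the zone names public and internal, the interface names bge0:1 and bge0:2, and the sample text are all assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the Trusted Extensions guide or from Solaris.
# Each helper reads the output of one command on standard input, so it can be
# exercised offline on the constructed samples below and then fed live output
# on a Trusted Extensions host, for example:
#   zoneadm list -v | zone_state public
#   zlogin public ifconfig -a | iface_flags_ok bge0:1
#   zlogin public cat /etc/security/exec_attr | exec_attr_ok
#   svcprop -p options/tcp_listen x11-server | x11_tcp_listen_ok
# The helper names, the zone and interface names, and the sample text are
# assumptions made for this illustration.

# Print the STATUS column of `zoneadm list -v` for zone $1, or "absent".
# Only a running zone has processes; installed or ready zones have not booted.
zone_state() {
    awk -v z="$1" 'NR > 1 && $2 == z { print $3; found = 1 }
                   END { if (!found) print "absent" }'
}

# Succeed only if interface $1 in `ifconfig -a` output carries both the UP
# and RUNNING flags. Flags are compared as whole tokens, so a flag such as
# DUPLICATE is not mistaken for UP.
iface_flags_ok() {
    awk -v i="$1" '
        $1 == (i ":") {
            s = $2
            sub(/^flags=[0-9a-fA-F]*</, "", s)   # keep only the <...> list
            sub(/>.*/, "", s)
            n = split(s, f, ","); up = 0; run = 0
            for (k = 1; k <= n; k++) {
                if (f[k] == "UP") up = 1
                if (f[k] == "RUNNING") run = 1
            }
            ok = (up && run)
        }
        END { exit !ok }'
}

# Succeed only if exec_attr (on stdin) contains both CDE action entries whose
# absence produces the "Action not authorized" dialog described above.
exec_attr_ok() {
    awk '$0 == "All Actions:solaris:act:::*;*;*;*;*:" { a = 1 }
         $0 == "All:solaris:act:::*;*;*;*;*:"         { b = 1 }
         END { exit !(a && b) }'
}

# Succeed only if svcprop reports options/tcp_listen as true for x11-server,
# the setting that netservices limited turns off.
x11_tcp_listen_ok() {
    IFS= read -r value && [ "$value" = "true" ]
}

# Constructed sample output, shaped like the real commands' output.
SAMPLE_ZONEADM='  ID NAME      STATUS     PATH             BRAND    IP
   0 global    running    /                native   shared
   2 public    running    /zone/public     native   shared
   - internal  installed  /zone/internal   native   shared'

SAMPLE_IFCONFIG='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
bge0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.10.21 netmask ffffff00 broadcast 192.168.10.255
bge0:2: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.10.22 netmask ffffff00 broadcast 192.168.10.255'

SAMPLE_EXEC_ATTR='All:solaris:cmd:::*:
All Actions:solaris:act:::*;*;*;*;*:
All:solaris:act:::*;*;*;*;*:'

# Stand-alone run over the samples; on a real host, pipe the live commands
# listed at the top into the same helpers.
echo "internal zone state: $(printf '%s\n' "$SAMPLE_ZONEADM" | zone_state internal)"
for ifc in bge0:1 bge0:2; do
    if printf '%s\n' "$SAMPLE_IFCONFIG" | iface_flags_ok "$ifc"; then
        echo "$ifc: UP and RUNNING"
    else
        echo "$ifc: not UP and RUNNING, so fix the zone's interface first"
    fi
done
printf '%s\n' "$SAMPLE_EXEC_ATTR" | exec_attr_ok && echo "exec_attr: CDE action entries present"
```

Each helper exits nonzero for the failing condition (a zone that is not running, an interface that is not both UP and RUNNING, a missing exec_attr entry, a disabled TCP listener), so the helpers can gate a larger script. Run the live commands from the global zone; zlogin zone-name command runs a command inside a labeled zone, which is the view of ifconfig and exec_attr that matters here.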