OpenSolaris

You are not signed in. Sign in or register.

Installing the Solaris Trusted Extensions Software on a Laptop Computer

These instructions describe how to enable and configure a laptop system with the Solaris[tm] Trusted Extensions software to run in both connected and disconnected modes. These directions do not apply to previous Solaris 10 updates, nor to opensolaris.2008.05. Instructions for an upcoming opensolaris version will be available soon. The Solaris Trusted Extensions software is automatically installed beginning with the release of the Solaris 10 05/08 (update 5) Operating System and in Nevada builds starting with 76.

This page includes the following tasks, which should be followed in this order:

How to Install and Configure the Solaris Operating System

  1. Start the Solaris installation process by booting a Solaris DVD or booting from the network.

  2. Follow the instructions in the installation wizard to build the installation profile.

    Use the default values to build the profile.

    Note - You must reserve a file system slice that has at least 2 Gbytes of free space and call it /zone.

  3. Install the Solaris software.

  4. After the Solaris installation completes, use the /zone slice to create a ZFS pool by doing the following:

    1. Unmount the /zone slice.

      # umount /zone

    2. Edit the /etc/vfstab file by commenting out the /zone entry.

    3. Create the pool.

      # zpool create -f zone slicename

      slicename should be of the format cndnsn.

  5. This configuration uses a single shared all-zones interface for both the global zones and labeled zones. The default network label is PUBLIC unless you are connecting to the Sun Wide Area Network.

    The networking configuration steps are different for Solaris 10 updates and for Nevada. For Solaris 10 you will use an application called inetmenu, to manually select your networking options. Nevada includes a service called Network AutoMagic, nwam which automatically handles changes to your wired or wireless network.

    If you are running Solaris 10 update 5, follow these instructions:

    1. Create a directory called /opt/tx in which to download the inetmenu package and its Trusted Extensions modifications.

      Caution - Do not install these packages or modifications at this time.

    2. Download the inetmenu package from the Laptop Community page on the OpenSolaris web site.

      The file is called inetmenu-1.9.pkg.gz.

      3. Caution - The inetmenu program might be replaced with another utility in the future.

    3. Download the inetmenu modifications from the Trusted Extensions page on the OpenSolaris web site.

      These modifications enable the inetmenu script to operate properly on a system that runs the Solaris Trusted Extensions software.

      The file is called inetmenu-tx.tar.

    4. Remove any network interface configuration files, such as /etc/hostname.* and /etc/dhcp.*.

      # rm /etc/hostname.*
      # rm /etc/dhcp.*

    5. Update your /etc/hosts and /etc/inet/ipnodes as follows:

      127.0.0.1 localhost loghost
      10.1.2.3 your-hostname

    6. Create the /etc/nodename file.

      # hostname >/etc/nodename

    7. Add the following entry to the /etc/security/tsol/tnrhdb file:

      10.1.2.3:cipso

    8. Specify the virtual network interface (vni) for your system by adding the following to the /etc/hostname.vni0 file.

      # echo `hostname` all-zones >>/etc/hostname.vni0

      For more information, see the vni(7) man page.

    9. Add the following to the LOCAL DEFINITIONS section of the /etc/security/tsol/label_encodings file.

      Default Label View is Internal;

      This step addresses a problem with the default translation mode for the admin_low and admin_high labels.

    10. (Optional) If your system has NIS enabled, disable it by doing the following:

      # cp /etc/nsswitch.files /etc/nsswitch.conf
      # mv /var/yp /var/yp.save

    6. If you are running a Nevada build, follow these instructions:

    1. Download the tx-nwam scripts from tx-nam.tar to the directory /etc/nwam. Don't extract the tarball yet.

    2. Edit the file /usr/dt/config/Xinitrc.tjds, to explicitly set the DISPLAY variable prior to invoking gnome-session


      DISPLAY=localhost:0

      export DISPLAY

      PATH=/usr/bin:/usr/sbin:/usr/openwin/bin:/usr/X11/bin:/usr/dt/bin:/usr/sfw/bin

      The DISPLAY setting is required because of recent changes (build 85) in Xlib which no longer use TCP sockets if the DISPLAY hostname matches the string returned by the hostname command. The PATH setting is suggested as a convenience, especially when assuming roles.

    How to Enable the Solaris Trusted Extensions Software

    1. To enable Trusted Extensions, run the following command:

      2. # svcadm enable -s labeld

    2. Reboot the system.

      When the reboot completes, the system is running the Solaris Trusted Extensions software.

    How to Configure Your Trusted Extensions System

    1. Log in to Trusted Extensions JDS (GNOME) as superuser.

    2. Open a terminal window.

    3. Get the network interface status.

      # ifconfig -a

      Verify that you have at least one all-zones interface.

      If you are running Solaris 10 update 5, you should see that the IP address for the vni0 interface is the same as the one you specified in the hosts and ipnodes files. Also, the vni0 interface should include the all-zones option.

      If you are running Nevada, you should see that lo0, the loopback interface, is all-zones.

    4. Start the Solaris Management Console.

      # smc &

      1. From the Toolboxes menu, select the entry for your system that shows Scope=Files, Policy=TSOL.

      2. Click Open.

    5. Add yourself as a normal user.

      1. From the Navigation bar, select System Configuration, and then double-click the Users icon.

        The login window opens.

      2. Log in as root.

      3. Click User Accounts, and then select Add User With Wizard from the Action menu.

        Follow the instructions to add the user.

    6. After your account is created, double click your user icon to modify settings.

      1. (Optional) If you are going to be doing demonstrations, open the Rights tab and add these rights:

        • Object Label Management

        • Device Management

      2. Open the Trusted Extensions Attributes tab and modify these items:

        1. Set the Clearance value to CONFIDENTIAL RESTRICTED.

        2. Set the Lock Account After Maximum Failed Logins value to No.

        3. Set the Idle Time value to Forever.

        4. Click OK.

    7. Edit the /etc/user_attr file to append the following to your user entry:

      ;roles=root

      This step is a temporary workaround until you have verified that your system is working correctly. At that time, you should configure root as a role.

    8. Create security templates for the public and internal zones.

      1. From the Navigation bar, select System Configuration, and then double-click the Computers and Networks icon.

      2. Click Security Templates, and then choose Add Template from the Action menu.

      3. Specify the template name as public.

      4. Set the default label to PUBLIC.

      5. Set the Domain of Interpretation value to 1.

      6. Click OK.

      7. Choose Add Template from the Action menu.

      8. Specify the template name as internal.

      9. Set the default label to CONFIDENTIAL : INTERNAL USER ONLY.

      10. Set the Domain of Interpretation value to 1.

      11. Click OK.

    9. Manually update the kernel cache with trusted networking parameter values.

      # tnctl -T /etc/security/tsol/tnrhtp

    10. Exit the Solaris Management Console.

    How to Create the Labeled Zones

    1. Run the txzonemgr script and follow each of these steps.

      Note - You must click OK each time to continue.

    2. Create a new zone called public.

      1. Select Create A New Zone and click OK.

      2. Specify the zone name of public.

      3. Choose Select_Label and click OK.

      4. Choose PUBLIC.

      5. Choose Install to install the public zone.

        A window opens to show you the progress of the zone installation process.

      6. Choose Zone_Console to open the zone console window.

      7. Choose Boot to boot the zone.

        The public zone is rebooted automatically.

      The public zone will reboot again automatically.

    3. From the zone terminal console window, log in as superuser and run the following commands:

      • Run these commands on a Solaris 10 system:

        # rm /etc/auto_home_public
        # netservices limited
        # svcadm disable auditd
        # svcadm disable cde-login
        # exit

      • Run these commands on a Nevada system:

        # rm /etc/auto_home_public
        # svcadm disable auditd
        # svcadm disable cde-login
        # exit

    4. From txzonemgr, create the internal, needtoknow, and restricted zones.

      1. Choose Halt to halt the public zone.

      2. Choose Create_Snapshot to create a snapshot of the public zone.

      3. Choose Boot to boot the public zone.

      4. Choose Select Another Zone and click OK.

      5. Choose Create A New Zone and click OK.

      6. Name the new zone internal.

      7. Choose Select_Label and specify a value of CONFIDENTIAL : INTERNAL USE ONLY.

      8. Choose Clone and select zone/public@snapshot.

      9. Choose Zone_Console to open the zone console for the new zone.

      10. Choose Boot to boot the new zone.

      11. Repeat Steps d-j for the needtoknow and restricted zones, which use labels CONFIDENTIAL : NEED TO KNOW and CONFIDENTIAL : RESTRICTED, respectively.

      12. Choose Exit to exit the txzonemgr program.

    How to Install and Use inetmenu

    If you are running Solaris 10 update 5, you should have downloaded these files from the OpenSolaris web site to the /opt/tx directory of the laptop you are installing:

    • inetmenu-1.9.pkg.gz

    • inetmenu-tx.tar

    Caution - The inetmenu program might be replaced with another utility in the future.

    1. Become superuser.

    2. Change to the /opt/tx directory.

    3. Unzip and install the inetmenu software.

      # gunzip inetmenu-1.9.pkg.gz
      # pkgadd -d inetmenu-1.9.pkg

    4. Apply the Trusted Extensions modifications to inetmenu.

      # cd /; tar xvf /opt/tx/inetmenu-tx.tar

    5. Run inetmenu.

      # inetmenu

    6. Select the DHCP-NoNIS option.

      Now, your network should be up with PUBLIC as the default label. You can run txzonemgr to verify that it is all-zones.

    How to Configure and Use nwam

    If you are running Nevada, you should have downloaded the nwam scripts from the OpenSolaris web site to the /etc/nwam directory of the laptop you are installing. Extract them as follows:

    # cd /etc/nwam; tar xvf tx-nwam.tar

    These scripts will be run by the nwam daemon at boot time or when changes to your wired or wifi connections are detected. The scripts also configures your network labels based on your domain name. In the file ulp/check-conditions, there is a variable INTERNAL_DOMAIN which is set to sun.com. If your DHCP domain suffix matches this INTERNAL_DOMAIN setting, the default network label will be set to that of the internal zone. Otherwise, it will be set to the label of the public zone. Only one zone at a time can access the Internet.

    Now edit the file /etc/hosts and add the following entry:

    127.0.0.2 mynfs

    The interface associated with mynfs will be private to the global zone, but will be accessible from all labeled zones. It can be used to share NFS mounts between zones. See the Administrator's Guide for more information.

    How to Run Trusted Extensions as a Normal User

    For most users, the public zone should provide network connectivity. However, if you are connected to the Sun Wide Area Network, the default label is CONFIDENTIAL : INTERNAL USE ONLY, so you must use the internal zone.

    1. Log out as superuser.

    2. Log in as yourself.

      Choose the windowing system to use: Trusted Extensions CDE or Trusted Extensions Java[tm] Desktop System. CDE is no longer available in Nevada.

    3. Verify that you can assume the root role.

      You will need to assume this role to run inetmenu.