Trusted Extensions is a feature of OpenSolaris. As such it is continuously updated in the dev (development) repository. The procedures for installing and configuring Trusted Extensions are specific to particular releases. This document will be updated as necessary, corresponding to the most recent version in the Dev repository. These notes are currently based on 0.5.11-0.125 (build 125).
The latest media release of OpenSolaris is 2009.06, so you should start with the LiveCD for that release. These instructions assume that you have created a user account during the initial installation, and that root is a role that you can assume. After you have completed the default installation of OpenSolaris 2009.06 (either running directly on the hardware or as a VirtualBox guest) you should start the Package Manager. Select File->Manage Repositories. Select the opensolaris.org repository and click Modify. Change the URL to http://pkg.opensolaris.org/dev/ and click OK. Then click on Update All to create a new boot environment running the latest bits in the Dev repository. Note that you can always boot back to the 2009.06 distribution if you have a problem with the newly installed system.
After upgrading to the latest Dev release, and rebooting the system, open the Package Manager again to get the Trusted Extensions package. Enter trusted in the Search text area to get a list of Trusted Extensions packages. Select trusted-extensions . Then select Install/Update.
There is also a new trusted-nonglobal package which enumerates the initial set of packages required in a labeled brand zone to run the Trusted Desktop. This will be retrieved from the repository when you install your first zone. Note that the inherit-pkg-dir option is no longer supported. Instead, the package requirements are specified as part of the labeled zone brand.
Edit /etc/passwd, changing your home directory from
/export/home/you
to
/home/you
Edit /etc/auto_home adding the following:
* -fstype=lofs :/export/home/&
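The two edits above (the passwd home-directory change and the wildcard lofs entry in auto_home) are easy to get wrong by hand, so here is an added shell example, not part of the original notes, that performs them against copies of the files and checks the result. The file paths are parameters (assumed), so it can be tried on constructed copies before touching /etc.

```shell
#!/bin/sh
# Added example (not from the original page): move a user's home field from
# /export/home/<user> to /home/<user> so autofs can lofs-mount it under /home
# in every labeled zone, and make sure auto_home has the wildcard lofs entry.

# rewrite_home USER PASSWD_FILE: print PASSWD_FILE with USER's home field
# rewritten; other users and other fields are left untouched.
rewrite_home() {
    awk -F: -v u="$1" 'BEGIN { OFS = ":" }
        $1 == u && $6 ~ "^/export/home/" { sub("^/export/home/", "/home/", $6) }
        { print }' "$2"
}

# home_of USER PASSWD_FILE: print the home field of USER (field 6).
home_of() {
    awk -F: -v u="$1" '$1 == u { print $6 }' "$2"
}

# has_lofs_wildcard AUTO_HOME_FILE: succeed if the map already carries the
# "* -fstype=lofs :/export/home/&" entry from the notes above.
has_lofs_wildcard() {
    grep -q '^\*[[:space:]]*-fstype=lofs[[:space:]]*:/export/home/&' "$1"
}

# add_lofs_wildcard AUTO_HOME_FILE: append the entry only if it is missing,
# so running the script twice does not duplicate it.
add_lofs_wildcard() {
    has_lofs_wildcard "$1" || printf '* -fstype=lofs :/export/home/&\n' >> "$1"
}

# Demo on constructed copies (assumed user name "you"); nothing under /etc is
# modified. Run rewrite_home/add_lofs_wildcard against the real files yourself
# once the output looks right.
demo_dir=$(mktemp -d)
printf 'root:x:0:0:Super-User:/root:/usr/bin/bash\n' > "$demo_dir/passwd"
printf 'you:x:101:10::/export/home/you:/usr/bin/bash\n' >> "$demo_dir/passwd"
printf '+auto_home\n' > "$demo_dir/auto_home"
rewrite_home you "$demo_dir/passwd" > "$demo_dir/passwd.new"
add_lofs_wildcard "$demo_dir/auto_home"
echo "home for you is now: $(home_of you "$demo_dir/passwd.new")"
cat "$demo_dir/auto_home"
rm -rf "$demo_dir"
```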
In the top GNOME panel, right click and select Properties.
Change the Orientation of the top panel to Bottom
or if you want to make this the default for all users, you can do this:
# export SETUPPANEL="/etc/gconf/schemas/panel-default-setup.entries"
# export TMPPANEL="/tmp/panel-default-setup.entries"
# sed 's/>top</>bottom</' $SETUPPANEL > $TMPPANEL
# cp $TMPPANEL $SETUPPANEL
# svcadm restart gconf-cache
All new users will then have both of their panels set to the bottom of the display.
Zones now have boot environments similar to the global zone functionality, with dataset names like rpool/zones/public/ROOT/zbe. The boot environment is supposed to be unmounted when a zone is halted and re-mounted when it is made ready. There is a bug that is causing the umount to fail:
6872581 zfs unmount fails with "device busy" if lofs mount/unmount was done on top of it.
The workaround is to edit the shell script /usr/lib/brand/ipkg/poststate, adding a -f option to force the umount, as follows:
# Umount dataset on the root.
/usr/sbin/umount -f $zonepath/root || fail_fatal "$f_umount"
There is a bug in the Xorg screensaver policy that results in a SEGV. The workaround is to disable it. Select System->Preferences->Screensaver and then select Disable Screen Saver from the Mode menu.
Then enable the labeld service and reboot:
# svcadm enable -s labeld
# reboot
After the system reboots and the gdm login window appears, select
Options
Select Session...
Solaris Trusted Extensions (GNOME)
Change Session
Make Default
Login as yourself
Click OK twice (once for the status window and once for the clearance window). There seems to be a problem using the keyboard in these dialogs, so just use the mouse.
GNOME will complain four times (once per workspace) that "The label PUBLIC has no matching zone."
Dismiss each of the four dialogs.
Switch to the 4th workspace and assume the root role using the pull-down in the trusted stripe where your name is displayed.
Bring up a Terminal and run
# txzonemgr
Assuming you have not created any zone yet, you should see the following dialog:
Do you want to create the public zone using default settings?
Click OK. A Terminal window should pop up displaying the title Installing public zone. After this completes and exits, another Terminal window displaying the title Zone Terminal Console: public should pop up. The zone should automatically boot, initialize and prompt for the root password. Enter F2 twice since the password is automatically the same as the current root password in the global zone. The zone will reboot again. There may be a message about the DNS multicast service failing which can be ignored, or you can disable the service by entering the command:
# svcadm disable multicast
You should also see a zenity dialog showing the state and options for the public zone. Select the following:
Halt
You should see the message Notice: Zone Halted in the Zone Console window. In public zone options list, pick the following:
Select another zone...
Select the global zone. Then select
Configure Network Interfaces...
Select the interface corresponding to your hostname. It should be listed with a type of physical, a valid IP address, a template of cipso and the state Up. From the list of commands, select
Share with Shared-IP Zones
Then select Cancel to pop back to the global zone command list. If you have other systems running Trusted Extensions on your network, you can add access to them by selecting
Add Multilevel Access to Remote Host...
and entering the IP address of the other TX system. You will need to run the corresponding commands on that system, too, specifying the peer's IP address. As a test of txzonemgr, you can add and delete entries to the single and multilevel remote host lists. Verify the lists are updated with the values you have entered.
The public zone should still be halted. Select
Create a new zone...
You should be prompted to
Enter Zone Name:
Enter snapshot as the zone name. Then you should see a list of options for the snapshot zone. Choose
Clone...
You should see the name public in the list of installed zones. Select public by double-clicking it or by single-clicking it and clicking OK. The snapshot zone is not supposed to be run automatically, so select
Set Manual Booting
The snapshot zone doesn't need a label since it is never booted. Verify the Boot option is not available.
Select another zone
and choose public*. Select the following:
Add Single-level Access to Remote Host...
Enter the IP address of a system on your network not running TX. Then enter
Boot
You see the zone booting messages in the Zone Console window. Login as root, and run
ifconfig -a
Verify that the primary interface and IP address are available in this zone. Verify that you can ping the host to which you previously added remote access. Now logout and close the Zone Console window.
Switch back to the Labeled Zone Manager. Make the following selections:
Select another zone
Choose global and then select
Create a new zone...
You should be prompted to
Enter Zone Name:
Specify internal. Then you should see a list of options for the internal zone. Choose
Select Label...
A label selection dialog should pop up. Select :INTERNAL USE ONLY from the Sensitivity column, and click OK.
In the list of options for the internal zone, select
Clone...
Then select snapshot from the list of installed zones. It should be the only item in the list. Then select
Boot
Switch back to the first workspace and bring up a Terminal. The desktop background should appear. Then bring up the Terminal again. It should be labeled PUBLIC.
Switch to the second workspace. Right-click and select Change Workspace Label...
Select INTERNAL USE ONLY and click OK.
Bring up another Terminal. This one should be labeled CONFIDENTIAL : INTERNAL USE ONLY.
There are several strategies for configuring your network. These are described in the test plan for the Labeled Zone Manager.
Also see Glenn Faden's blog for additional steps to configure Trusted Networking and Suspend and Resume.
© 2012, Oracle Corporation and/or its affiliates.