Running Trusted Extensions in OpenSolaris 2009.06
Trusted Extensions is a feature of OpenSolaris 2009.06. It can be installed and configured after you have completed the default installation of OpenSolaris 2009.06 from the LiveCD, either running directly on the hardware or as a VirtualBox guest. These instructions assume that you have created a user account during the initial installation, and that root is a role that you can assume.
Install the Trusted Extensions Packages
After installing OpenSolaris 2009.06, open the Package Manager, select Trusted Extensions, then Edit->Select All. Then select Install/Update.
Workarounds
Problems with the Sysidtools and Zone Cloning
Some corrections may be necessary to enable proper system identification for labeled zones. These steps are required if you have specified a hostname other than the default, opensolaris.
Use the root role to make the following edits. Be sure to make copies of the files before making any modifications.
/usr/sbin/txzonemgr
Comment out line 191 as follows:
#initialize
Comment out line 287 as follows:
#rm -d ${ZONE_ETC_DIR}/.UNCONFIGURED
Add the following line after line 45 (the line containing zonename=""):
command=""
Labeled brand changes
cd /usr/lib/brand/labeled
cp ../ipkg/clone .
cp ../ipkg/pkgcreatezone .
/usr/lib/brand/labeled/config.xml
In line 40, change the directory in the pathname from ipkg to labeled
<install>/usr/lib/brand/**labeled**/pkgcreatezone -z %z -R %R</install>
In line 50, change the directory in the pathname from ipkg to labeled
<clone>/usr/lib/brand/**labeled**/clone -z %z -R %R</clone>
/usr/lib/brand/labeled/clone
Comment out line 137 as follows:
#/usr/sbin/sys-unconfig -R $zonepath/root || fail_incomplete "$f_sysunconfig"
/usr/lib/brand/labeled/pkgcreatezone
Comment out lines 434 and 443 as follows:
#if [ $sys_labeled -eq 0 ]; then
...
#fi
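All of the edits above are keyed to line numbers that hold only for the txzonemgr and brand scripts shipped with 2009.06. The following shell script is an added example, not part of the original instructions, that applies them while checking that each numbered line really contains the text the instructions describe before touching it; a mismatch is reported and skipped rather than commented out blindly. Every edited file keeps a .orig copy (as advised above) and its execute bit. The expected text at each line, including the indentation of the `if`/`fi` pair in pkgcreatezone, is an assumption taken from this page; make_fixture builds a constructed stand-in tree so the script can be exercised without a Trusted Extensions system, and `--live` runs it against the real files.

```shell
#!/bin/sh
# Added example (not from the original page): apply the txzonemgr and
# labeled-brand edits by line number, verifying each line first. Expected
# line texts are assumptions taken from the page; make_fixture is a
# constructed stand-in used only for testing.

backup() { [ -f "$1.orig" ] || cp -p "$1" "$1.orig"; }

# edit_in_place FILE CMD...: run "CMD... FILE" and write the result back into
# FILE itself (cat, not mv) so the file keeps its inode and execute bit.
edit_in_place() {
    _f=$1; shift
    backup "$_f" || return 1
    if "$@" "$_f" > "$_f.tmp"; then
        cat "$_f.tmp" > "$_f"; _rc=$?
    else
        _rc=1
    fi
    rm -f "$_f.tmp"
    return $_rc
}

# line_is FILE LINENO EXPECTED: succeed only if that line reads exactly EXPECTED.
line_is() {
    _actual=$(sed -n "${2}p" "$1")
    [ "$_actual" = "$3" ] && return 0
    echo "skip $1:$2: found '$_actual', expected '$3'" >&2
    return 1
}

# comment_line FILE LINENO EXPECTED: prefix the verified line with '#'.
comment_line() {
    line_is "$1" "$2" "$3" || return 1
    edit_in_place "$1" sed "${2}s/^/#/"
}

# insert_after FILE LINENO EXPECTED NEWLINE: add NEWLINE after the verified line.
insert_after() {
    line_is "$1" "$2" "$3" || return 1
    edit_in_place "$1" awk -v n="$2" -v t="$4" '{ print } NR == n { print t }'
}

# fix_brand_paths CONFIG: point the install and clone hooks at the labeled copies.
fix_brand_paths() {
    edit_in_place "$1" sed \
        -e 's#<install>/usr/lib/brand/ipkg/#<install>/usr/lib/brand/labeled/#' \
        -e 's#<clone>/usr/lib/brand/ipkg/#<clone>/usr/lib/brand/labeled/#'
}

# apply_workarounds ROOT: ROOT is "" for the live system (run as root) or a
# staging directory. Returns the number of edits that had to be skipped.
apply_workarounds() {
    _root=$1 _failed=0
    _tx=$_root/usr/sbin/txzonemgr
    _brand=$_root/usr/lib/brand/labeled
    # Comment lines 191 and 287 before inserting after 45, which shifts them.
    comment_line "$_tx" 191 'initialize' || _failed=$((_failed + 1))
    comment_line "$_tx" 287 'rm -d ${ZONE_ETC_DIR}/.UNCONFIGURED' || _failed=$((_failed + 1))
    insert_after "$_tx" 45 'zonename=""' 'command=""' || _failed=$((_failed + 1))
    cp -p "$_brand/../ipkg/clone" "$_brand/../ipkg/pkgcreatezone" "$_brand/" || _failed=$((_failed + 1))
    fix_brand_paths "$_brand/config.xml" || _failed=$((_failed + 1))
    comment_line "$_brand/clone" 137 \
        '/usr/sbin/sys-unconfig -R $zonepath/root || fail_incomplete "$f_sysunconfig"' || _failed=$((_failed + 1))
    comment_line "$_brand/pkgcreatezone" 434 'if [ $sys_labeled -eq 0 ]; then' || _failed=$((_failed + 1))
    comment_line "$_brand/pkgcreatezone" 443 'fi' || _failed=$((_failed + 1))
    return $_failed
}

# make_fixture DIR: constructed stand-in tree (not the real scripts), sized so
# that every numbered line referenced above exists with the expected text.
make_fixture() {
    mkdir -p "$1/usr/sbin" "$1/usr/lib/brand/ipkg" "$1/usr/lib/brand/labeled" || return 1
    awk 'BEGIN { for (i = 1; i <= 300; i++) {
            s = "# txzonemgr line " i
            if (i == 45) s = "zonename=\"\""
            if (i == 191) s = "initialize"
            if (i == 287) s = "rm -d ${ZONE_ETC_DIR}/.UNCONFIGURED"
            print s } }' > "$1/usr/sbin/txzonemgr"
    awk 'BEGIN { for (i = 1; i <= 150; i++) {
            s = "# clone line " i
            if (i == 137) s = "/usr/sbin/sys-unconfig -R $zonepath/root || fail_incomplete \"$f_sysunconfig\""
            print s } }' > "$1/usr/lib/brand/ipkg/clone"
    awk 'BEGIN { for (i = 1; i <= 450; i++) {
            s = "# pkgcreatezone line " i
            if (i == 434) s = "if [ $sys_labeled -eq 0 ]; then"
            if (i == 443) s = "fi"
            print s } }' > "$1/usr/lib/brand/ipkg/pkgcreatezone"
    printf '%s\n' '<install>/usr/lib/brand/ipkg/pkgcreatezone -z %z -R %R</install>' \
        '<clone>/usr/lib/brand/ipkg/clone -z %z -R %R</clone>' > "$1/usr/lib/brand/labeled/config.xml"
}

# Usage: sh tx-workarounds.sh          (exercise the edits on a fixture)
#        sh tx-workarounds.sh --live   (as root: edit the real files)
case ${1-} in
    "")     _d=$(mktemp -d) && make_fixture "$_d" && apply_workarounds "$_d" \
                && echo "all edits applied under $_d" ;;
    --live) apply_workarounds "" ;;
    *)      echo "usage: $0 [--live]" >&2 ;;
esac
```

Because the check is an exact string comparison, a copy of the scripts with different indentation at the cited lines will be skipped and reported on stderr; compare the reported text against the file and adjust the expected string rather than loosening the check.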
Set up the Automounter (required for TX)
Edit /etc/passwd, changing your home directory from
/export/home/you
to
/home/you
Edit /etc/auto_home adding the following:
* -fstype=lofs :/export/home/&
Make Room for the Trusted Stripe at the Top
In the top GNOME panel, right-click and select Properties.
Change the Orientation of the top panel to Bottom
or if you want to make this the default for all users, you can do this:
# export SETUPPANEL="/etc/gconf/schemas/panel-default-setup.entries"
# export TMPPANEL="/tmp/panel-default-setup.entries"
# sed 's/<string>top<\/string>/<string>bottom<\/string>/' $SETUPPANEL > $TMPPANEL
# cp $TMPPANEL $SETUPPANEL
# svcadm restart gconf-cache
All new users will then have both of their panels set to the bottom of the display.
Enable Trusted Extensions
# svcadm enable -s labeld
# reboot
Initial Login to Trusted Extensions
After the system reboots and the gdm login window appears, select
Options->Select Session...->Solaris Trusted Extensions (GNOME)->Change Session->Make Default
Log in as yourself.
Click OK twice (once for the status window and once for the clearance window)
GNOME will complain four times (once per workspace) that "The label PUBLIC has no matching zone."
Dismiss each of the four dialogs.
Assume the Root Role
Switch to the 4th workspace and assume the root role using the pull-down in the trusted stripe where your name is displayed. If the trusted stripe is not displayed, log out and log in again. This is a bug that will be fixed soon.
Create the Public Zone
Bring up a Terminal and run
# txzonemgr
There may be a usage error and/or other messages which you can ignore.
In the Labeled Zone Manager, make the following selections:
Create a new zone...
Enter Zone Name: **public**
Select Label... **PUBLIC**
Install...
Enter Hostname: **use the default, click OK**
Zone Console...
Boot
When prompted in the zone console for a hostname, use the same hostname as the global zone. Don't bother assigning a root password. Just press F2 twice.
The zone will reboot and you will be prompted to login. Instead, switch back to the Labeled Zone Manager and make the following selections:
Halt
Return to Main Menu
Create a new zone
Enter Zone Name: **internal**
Select Label... **CONFIDENTIAL : INTERNAL USE ONLY**
Clone **select public**
Boot
Activate the Public Workspace
Return to Main Menu
public
Boot
Switch back to the first workspace and bring up a Terminal. The desktop background should appear. Then bring up the Terminal again. It should be labeled PUBLIC.
Activate the Internal Workspace
Switch to the second workspace. Right-click and select Change Workspace Label...
Select "INTERNAL USE ONLY", then click OK.
Bring up a Terminal. Then bring up the Terminal again. This one should be labeled CONFIDENTIAL : INTERNAL USE ONLY.
Configure Trusted Networking
See Glenn Faden's blog for additional steps to configure Trusted Networking and Suspend and Resume.