Running Trusted Extensions in OpenSolaris 2008.11
Trusted Extensions is a feature of OpenSolaris 2008.11. It can be installed and configured after you have completed the default installation of OpenSolaris 2008.11 from the LiveCD, either running directly on the hardware or as a VirtualBox guest. These instructions assume that you have created a user account during the initial installation, and that root is a role that you can assume.
Install the Trusted Extensions Packages
After installing OpenSolaris 2008.11, open the Package Manager, select Trusted Extensions, then Edit->Select All. Then select Install/Update.
The txzonemgr shell script, in the package SUNWts, may require some tweaking to work properly in the OpenSolaris 2008.11 release. Use the Package Manager to determine the version number. If it is less than 0.5.11-0.104, use the root role to make the following edits to /usr/sbin/txzonemgr:
Comment out line 286 as follows:
#echo "root_password"=$rootpwd >> ${SYSIDCFG}
Modify line 70 as follows:
if [[ $filesystem = '' ]] ; then
Install the Labeled Brand Files
THIS STEP SHOULD BE SKIPPED IF YOU ARE RUNNING OPENSOLARIS 2009.06 SINCE THESE FILES ARE ALREADY INCLUDED IN THE SUNWtx PACKAGE!
Download the file labeled_brand.tar into, e.g., your local /tmp. Then extract the file into /usr/lib/brand:
# (cd /tmp; wget http://blogs.sun.com/gfaden/resource/labeled_brand.tar)
# (cd /usr/lib/brand; tar -xvf /tmp/labeled_brand.tar)
You must specify the labeled brand in the default template, by modifying the <zone> tag in /etc/zones/SUNWtsoldef.xml to read:
<zone name="tsoldef" zonepath="" autoboot="true" brand="labeled">
Set up the Automounter (required for TX)
Edit /etc/passwd, changing your home directory from
/export/home/you
to
/home/you
Edit /etc/auto_home adding the following:
* -fstype=lofs :/export/home/&
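The two edits above can be scripted so they are applied consistently (and can be rehearsed on copies of the files before touching /etc). The script below is an added example and is not part of the original post; the function names tx_setup_automount and tx_home_of are my own. It takes the paths of a passwd file and an auto_home map as parameters, rewrites only the named user's home field from /export/home/<user> to /home/<user>, and appends the lofs wildcard entry exactly once, so running it twice does not duplicate the map entry.

```shell
#!/bin/sh
# Added example (not from the original post): move a user's home directory
# under the automounter for Trusted Extensions. Works on whatever file paths
# it is given, so it can be tried on copies of /etc/passwd and /etc/auto_home.
set -u

# usage: tx_setup_automount <passwd-file> <auto_home-file> <username>
# Returns 1 (and changes nothing) if the user has no passwd entry.
tx_setup_automount() {
    passwd_file=$1
    auto_home_file=$2
    user=$3

    grep -q "^${user}:" "$passwd_file" || return 1

    # Rewrite only this user's home field (field 6) when it is still the
    # default /export/home/<user>; every other line is printed unchanged.
    awk -F: -v OFS=: -v u="$user" '
        $1 == u && $6 == "/export/home/" u { $6 = "/home/" u }
        { print }
    ' "$passwd_file" > "${passwd_file}.tmp" && mv "${passwd_file}.tmp" "$passwd_file"

    # Wildcard map entry: /home/<user> is a loopback mount of /export/home/<user>.
    # -x matches the whole line, -F takes the leading '*' literally.
    entry='* -fstype=lofs :/export/home/&'
    if ! grep -qxF "$entry" "$auto_home_file"; then
        printf '%s\n' "$entry" >> "$auto_home_file"
    fi
    return 0
}

# usage: tx_home_of <passwd-file> <username>
# Prints the home directory recorded for the user, for checking the result.
tx_home_of() {
    awk -F: -v u="$2" '$1 == u { print $6 }' "$1"
}
```

After running it against the real files as root (tx_setup_automount /etc/passwd /etc/auto_home you), confirm with tx_home_of /etc/passwd you that the home field now reads /home/you before logging out, since a user whose passwd home does not resolve cannot log in.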
Make Room for the Trusted Stripe at the Top
In top GNOME panel, right click and select Properties.
Change the Orientation of the top panel to Bottom
or if you want to make this the default for all users, you can do this:
# export SETUPPANEL="/etc/gconf/schemas/panel-default-setup.entries"
# export TMPPANEL="/tmp/panel-default-setup.entries"
# sed 's/<string>top<\/string>/<string>bottom<\/string>/' $SETUPPANEL > $TMPPANEL
# cp $TMPPANEL $SETUPPANEL
# svcadm restart gconf-cache
All new users will then have both of their panels set to the bottom of the display.
Enable Trusted Extensions
# svcadm enable -s labeld
# reboot
Initial Login to Trusted Extensions
After the system reboots and the gdm login window appears, select
Options->Select Session...->Solaris Trusted Extensions (GNOME)->Change Session->Make Default
Log in as yourself.
Click OK twice (once for the status window and once for the clearance window).
GNOME will complain four times (once per workspace) that the label PUBLIC has no matching zone.
Dismiss each of the four dialogs.
Assume the Root Role
Switch to the 4th workspace and assume the root role using the pull-down in the trusted stripe where your name is displayed. If the trusted stripe is not displayed, log out and log in again. This is a bug that will be fixed soon.
Create the Public Zone
Bring up a Terminal and run
# txzonemgr
In the Labeled Zone Manager, make the following selections:
Create a new zone...
Enter Zone Name: **public**
Select Label... **PUBLIC**
Install...
Enter Hostname: **use the default, click OK**
Zone Console...
Boot
When prompted in the zone console for a hostname, use the same hostname as the global zone.
Don't bother assigning a root password. Just press F2.
The zone will reboot and you will be prompted to login. Instead, switch back to the Labeled Zone Manager and make the following selections:
Halt
Create Snapshot
Boot
Return to Main Menu
Create a new zone
Enter Zone Name: **internal**
Select Label... **CONFIDENTIAL : INTERNAL USE ONLY**
Clone **select rpool/zones/public@snapshot**
Boot
Activate the Public Workspace
Switch back to the first workspace and bring up a Terminal. The desktop background should appear. Then bring up the Terminal again. It should be labeled PUBLIC.
Activate the Internal Workspace
Switch to the second workspace. Right-click and select Change Workspace Label...
Select "INTERNAL USE ONLY", click OK.
Bring up a Terminal. Then bring up the Terminal again. This one should be labeled CONFIDENTIAL : INTERNAL USE ONLY.
Configure Trusted Networking
See Glenn Faden's blog for additional steps to configure Trusted Networking and Suspend and Resume.