TrustedExtensionsHowto

How to configure TX on a machine with GUI and fixed IP address

Trusted Extensions is an optionally enabled layer of secure labeling technology that allows data security policies to be separated from data ownership. It is based on the Solaris "zones" technology: every object in a zone carries the same label, so different zones carry different labels. The labels are surfaced in desktop environments such as Trusted CDE and Trusted JDS. More information is available at http://docs.sun.com/app/docs/coll/175.12


I. Install the Solaris system

Install with an extra slice (15Gb of space) for the 4 zones. This extra slice must be mounted on /zone (the directory must not have any other name). In this howto, c0d1s4 is used as the example zone slice.

II. Create a ZFS pool:

a) Comment out the line for the zone slice in /etc/vfstab

b) Unmount the zone slice with the # umount /zone command

c) Create a ZFS pool with the command # zpool create -f zone c0d1s4. The -f option is necessary because the fresh installation created a UFS filesystem on the zone slice, which must be overwritten with ZFS. To check whether the pool was created correctly, use # zpool list or # zpool status; these commands give more information about the state of the ZFS pool.

III. Enable remote connection

If you skip this step, you will not be able to log in to your Trusted Extensions system over ssh.

a) To enable remote connections, edit /etc/pam.conf so that it contains these two lines:


other account requisite pam_roles.so.1 allow_remote
other account required pam_tsol_account.so.1 allow_unlabeled

NOTE: the first of these lines already exists (just add the last keyword); I created the second one by overwriting the pam_unix_account.so.1 line with it.

IV. Enable Trusted Extensions

On older versions of Solaris it was necessary to install additional packages for Trusted Extensions (located on the Solaris DVD under ExtraValue/CoBundled/Trusted_Extensions/) using the "java wizard" command. In the latest builds these packages are installed by default, so you only need to enable labeld with # svcadm enable labeld and reboot. To check whether the service is enabled correctly, type # svcs labeld. Be patient, as enabling the service can take several seconds.

After the service is enabled, reboot the machine.

V. Configure Trusted Extensions

a) Open the /etc/hostname.* file in a text editor and add the string all-zones to it. The file should look like this:

hostname all-zones

where "hostname" is the hostname of the system.

b) Edit /etc/security/tsol/tnzonecfg and add the following lines:


public:0x0002-08-08:0::
internal:0x0004-08-48:0::
needtoknow:0x0004-08-68:0::
restricted:0x0004-08-78:0::

c) Edit the /etc/security/tsol/tnrhdb file and add the following line:

123.123.123.123:cipso

NOTE: substitute your machine's current IP address, which you can find in the output of the command # ifconfig -a

d) Edit /etc/security/tsol/tnrhtp and add the following lines:


public:host_type=unlabeled;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_label=0x0002-08-08;
internal:host_type=unlabeled;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_label=0x0004-08-48;
needtoknow:host_type=unlabeled;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_label=0x0004-08-68;
restricted:host_type=unlabeled;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_label=0x0004-08-78;

e) Reboot the machine
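A typo in any one of the three files edited in steps b) to d) is easy to miss until after the reboot, so here is an added consistency check (example code written for this page, not part of the original howto). It assumes the convention used above, that each zone has a tnrhtp template of the same name, and builds a sample directory containing exactly the entries from steps b) to d):

```shell
#!/bin/sh
# Added consistency check for the step V files (not part of the original howto).
# Reads tnzonecfg, tnrhtp and tnrhdb from the directory named in $1 (e.g. a copy
# of /etc/security/tsol) and checks that every zone has a same-named tnrhtp
# template whose def_label equals the zone label, and that every template named
# in tnrhdb exists ("cipso" is accepted because the stock tnrhtp ships it).
# Returns 0 when consistent, 1 otherwise, printing each problem found.
check_tsol_config() {
    dir=$1; rc=0
    # tnzonecfg line: zone:label:mlp_flag:mlp_private:mlp_shared
    while IFS=: read -r zone label rest; do
        case $zone in ''|\#*) continue ;; esac
        tmpl_label=$(awk -F'[:;]' -v z="$zone" \
            '$1 == z { for (i = 2; i <= NF; i++) if (sub(/^def_label=/, "", $i)) print $i }' \
            "$dir/tnrhtp")
        if [ -z "$tmpl_label" ]; then
            echo "zone $zone: no tnrhtp template named $zone with a def_label"; rc=1
        elif [ "$tmpl_label" != "$label" ]; then
            echo "zone $zone: label $label but template def_label $tmpl_label"; rc=1
        fi
    done < "$dir/tnzonecfg"
    # tnrhdb line: host_or_network:template
    while IFS=: read -r host tmpl; do
        case $host in ''|\#*) continue ;; esac
        if [ "$tmpl" != cipso ] && ! grep -q "^$tmpl:" "$dir/tnrhtp"; then
            echo "host $host: template $tmpl is not defined in tnrhtp"; rc=1
        fi
    done < "$dir/tnrhdb"
    return $rc
}

# Constructed sample directory holding exactly the entries from steps b) to d).
make_sample() {
    d=$(mktemp -d)
    cat > "$d/tnzonecfg" <<'EOF'
public:0x0002-08-08:0::
internal:0x0004-08-48:0::
needtoknow:0x0004-08-68:0::
restricted:0x0004-08-78:0::
EOF
    cat > "$d/tnrhtp" <<'EOF'
public:host_type=unlabeled;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_label=0x0002-08-08;
internal:host_type=unlabeled;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_label=0x0004-08-48;
needtoknow:host_type=unlabeled;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_label=0x0004-08-68;
restricted:host_type=unlabeled;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_label=0x0004-08-78;
EOF
    printf '123.123.123.123:cipso\n' > "$d/tnrhdb"
    echo "$d"
}
```

Source the file and run check_tsol_config /etc/security/tsol on the live system, or check_tsol_config "$(make_sample)" to see it pass on the entries above.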

VI. Install zones

A quick way to install the public, internal, needtoknow and restricted zones is to use txzonemgr.

a) Choose "Create a new zone" --> OK, enter the zone name "public", then choose "Install..." and press OK. This step is quite time consuming, so you have about 20 minutes (depending on the machine) for tea or coffee before the zone is installed. After the installation finishes, enter the hostname of your machine. Then choose "Ready", then "Zone Console" and "Boot". After this step you have to answer the same questions as in a fresh installation.

b) Log in to the public zone and perform the steps below:


# rm /etc/auto_home_public
# netservices limited (only for s10)
# svcadm disable auditd
# svcadm disable cde-login
# exit

c) Halt the public zone and create a snapshot; after that you can boot the public zone again.

d) Install the internal, needtoknow and restricted zones: choose "Return to Main Menu", then in txzonemgr choose "Create a new zone" and enter the name "internal"/"needtoknow"/"restricted". Choose "Clone" and select zone/public@snapshot. Then choose "Zone Console..." and "Boot".

e) Last step: choose the "Exit" item in txzonemgr and press OK.

VII. Create a user with TX support

The fastest way to create a user with Trusted Extensions support is to use smc, but on s10 smc does not work.

a) Open smc (e.g. from the command line with the smc command). A lot of modules are loaded, so it takes about 10 minutes. <=== only for SOLARIS 11

a) On the latest builds of S10 SMC does not work, so it is necessary to use the "useradd" command: <=== only for SOLARIS 10


# useradd -d /export/home/txuser -m -s /bin/bash txuser
# passwd txuser
# echo "txuser::::lock_after_retries=no;profiles=User Management;labelview=internal,showsl;min_label=admin_low;clearance=admin_high;type=normal;roles=root;auths=solaris.label.file.*,solaris.label.win.*,solaris.device.allocate,solaris.*,win_upgrade_sl,win_downgrade_sl,file_upgrade_sl,file_downgrade_sl,win_mac_read,win_mac_write,file_dac_read,file_dac_write" >> /etc/user_attr
# reboot
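The long user_attr line above is easy to mistype, so here is an added check (example code for this page, not the howto's own) that validates such an entry before it is appended. It assumes only what user_attr(4) documents: five colon-separated fields, and the labelview keywords internal/external and showsl/hidesl. Solaris authorization names are dotted (solaris.*) while underscore names such as win_upgrade_sl are privileges, so the check reports those as belonging in defaultpriv= rather than auths=.

```shell
#!/bin/sh
# Added sanity check for a user_attr(4) entry like the one in step VII
# (example code, not part of the original howto). It splits the entry into
# its five colon-separated fields and the attr field into key=value pairs,
# then validates the keywords that are easy to mistype: labelview, type,
# lock_after_retries, the presence of min_label and clearance, and auths=
# (dotted authorization names only; underscore names are privileges and
# belong in defaultpriv=, so they are reported). Returns 0 if clean.
check_user_attr_entry() {
    entry=$1; rc=0; seen=""
    nf=$(printf '%s\n' "$entry" | awk -F: '{ print NF }')
    [ "$nf" -eq 5 ] || { echo "expected 5 colon-separated fields, got $nf"; rc=1; }
    old_ifs=$IFS
    set -f                      # values contain '*' (solaris.*): no globbing
    IFS=';'
    for kv in ${entry##*:}; do  # attr field, split on ';'
        IFS=','                 # list values below are split on ','
        key=${kv%%=*}; val=${kv#*=}; seen="$seen $key"
        case $key in
        labelview)
            for v in $val; do
                case $v in internal|external|showsl|hidesl) ;;
                *) echo "labelview: unknown keyword '$v'"; rc=1 ;;
                esac
            done ;;
        auths)
            for a in $val; do
                case $a in *.*) ;;
                *) echo "auths: '$a' is not an authorization name (a privilege?)"; rc=1 ;;
                esac
            done ;;
        type)
            case $val in normal|role) ;;
            *) echo "type: expected normal or role, got '$val'"; rc=1 ;;
            esac ;;
        lock_after_retries)
            case $val in yes|no) ;;
            *) echo "lock_after_retries: expected yes or no, got '$val'"; rc=1 ;;
            esac ;;
        esac
    done
    IFS=$old_ifs; set +f
    for req in min_label clearance; do
        case " $seen " in *" $req "*) ;;
        *) echo "missing $req=, required for a labeled user"; rc=1 ;;
        esac
    done
    return $rc
}
```

Source the file and call check_user_attr_entry with the quoted entry string; every reported line is a field to fix before the echo >> /etc/user_attr step.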

After creating txuser, check that a home directory for the user exists in each zone:


# zlogin -C public
# mkdir -p /export/home/txuser
# chown txuser /export/home/txuser

Copyright 1994-2009 Sun Microsystems, Inc.