Mike John wrote:
> I'd appreciate some clarification of the use of the admin_low label in TX.
>
> In order for the configuration files to be labelled admin_low, must
> there exist a zone with label admin_low to contain them, or can they
> exist with label admin_low within the global zone?

By default, all the files in the global zone are labeled ADMIN_HIGH. However, when at least one non-global zone is booted with a lofs or inherited-pkg-dir reference to a global zone directory, the specified directory and everything under it is labeled ADMIN_LOW. Similarly, if you export a directory via NFS from the global zone, it is labeled ADMIN_LOW.

For more background, see the white paper "Multilevel Filesystems in Solaris Trusted Extensions" on OpenSolaris: http://opensolaris.org/os/community/security/projects/tx/sacmat04s-faden-1.pdf

> Also, what does it mean to "assume a role at label admin_low" in a TX
> world? Does there need to be a zone with label admin_low to support this?

You cannot assume a role at ADMIN_LOW in TX. When assuming a role that has a label range of ADMIN_LOW to ADMIN_HIGH, your process label will be ADMIN_HIGH. But files within the global zone are protected by DAC, not MAC, so you will be able to write ADMIN_LOW files if you have DAC permission and the file is mounted in a writable file system. For this reason, and others, we don't allow untrusted users into the global zone.

However, if you really want to enforce a MAC policy on ADMIN_LOW files, you can remount them using a lofs read-only mount in vfstab. For example, you can specify that /usr is read-only even in the global zone by creating an entry in /etc/vfstab that mounts /usr on /usr as a read-only lofs mount point. You will need to reboot for this to take effect, or to undo it.

--Glenn
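As an added example (not part of Glenn's reply or of Trusted Extensions itself), a small Python audit that parses vfstab text and reports whether a directory carries the read-only lofs self-mount described above. The sample vfstab content is constructed, and the parser assumes the standard seven-column Solaris vfstab layout.

```python
"""Audit vfstab text for the read-only lofs self-mounts described above.

Solaris vfstab fields (whitespace separated, '-' means unspecified):
  device-to-mount  device-to-fsck  mount-point  FS-type  fsck-pass  mount-at-boot  options
"""
from dataclasses import dataclass
from typing import List


@dataclass
class VfstabEntry:
    special: str        # device or directory being mounted
    fsckdev: str
    mountp: str         # mount point
    fstype: str
    fsckpass: str
    mount_at_boot: str  # "yes" or "no"
    options: List[str]  # split mount options, empty when "-"


def parse_vfstab(text: str) -> List[VfstabEntry]:
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"malformed vfstab line: {raw!r}")
        opts = [] if fields[6] == "-" else fields[6].split(",")
        entries.append(VfstabEntry(*fields[:6], opts))
    return entries


def readonly_lofs_status(text: str, path: str) -> str:
    """'enforced' if path is lofs-mounted on itself read-only at boot,
    'not-enforced' if a self-mount exists but is writable or not at boot,
    'absent' if there is no lofs self-mount for path at all."""
    for e in parse_vfstab(text):
        if e.fstype == "lofs" and e.mountp == path and e.special == path:
            if "ro" in e.options and e.mount_at_boot == "yes":
                return "enforced"
            return "not-enforced"
    return "absent"


# Constructed sample: /usr hardened as in the reply, /opt self-mounted but writable.
SAMPLE_VFSTAB = """\
#device            device  mount    FS    fsck  mount   mount
#to mount          to fsck point    type  pass  at boot options
fd                 -       /dev/fd  fd    -     no      -
/proc              -       /proc    proc  -     no      -
/dev/dsk/c0t0d0s1  -       -        swap  -     no      -
/usr               -       /usr     lofs  -     yes     ro
/opt               -       /opt     lofs  -     yes     -
"""

if __name__ == "__main__":
    for p in ("/usr", "/opt", "/etc"):
        print(p, readonly_lofs_status(SAMPLE_VFSTAB, p))
```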