Hello all, I am trying to configure Solaris 10 with Trusted Extensions (11/06). I have made quite a bit of progress, but I'm stuck on one part:
I have two security levels (secret and topsecret) and I want to create one labeled zone for each level, each with its own dedicated physical interface and IP address. Furthermore, I want the IP address of each zone to be on a different subnet. So:

    global zone:          192.168.192.52 (e1000g0)
    secret zone:          192.168.193.1  (e1000g2)
    topsecret zone:       192.168.194.1  (e1000g3)
    all-zones interface:  192.168.192.53 (vni0)

I have gone through the process outlined in the "Solaris Trusted Extensions Installation and Configuration", starting on page 56. I get through the entire process of configuring/installing/starting the zones and all seems well. However, when I try to open any X-windows clients in either zone, I get the error:

    Action failed. Reconnect to Solaris Zone?

According to page 83 of the install guide, under the heading "Labeled Zone is Unable to Access the X Server", there may be an issue with the "all-zones" interface. I did create the all-zones interface according to the instructions, so I'm not sure what the problem is. I went through the entire TX process again, this time using IP addresses all on the same subnet, and everything worked correctly. However, I really want the zones to be on different subnets to isolate the single-label networks. Has anyone successfully implemented labeled zones that are on different subnets from the global zone?
Here are dumps of my config:

/etc/hosts:

    #
    # Internet host table
    #
    127.0.0.1       localhost
    192.168.192.52  galaxy  loghost
    192.168.128.1   galaxy-e1000g1  # SUNRAY ADD - DO NOT MODIFY
    192.168.192.53  galaxy-allzones
    192.168.193.1   galaxy-e1000g2
    192.168.194.1   galaxy-e1000g3

tnrhdb:

    0.0.0.0:admin_low
    127.0.0.1:cipso
    192.168.192.52:cipso
    192.168.128.1:cipso
    192.168.192.53:cipso
    192.168.193.1:cipso
    192.168.194.1:cipso

tnrhtp:

    # Default for locally plumbed interfaces
    cipso:min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;host_type=cipso;doi=1
    #
    admin_low:min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_label=ADMIN_LOW;host_type=unlabeled;doi=1

tnzonecfg:

    global:ADMIN_LOW:1:111/tcp;111/udp;515/tcp;631/tcp;2049/tcp;6000-6003/tcp:6000-6003/tcp
    secret:0x0004-08-:0::
    topsecret:0x0006-08-:0::

ifconfig -a output:

    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
            zone topsecret
            inet 127.0.0.1 netmask ff000000
    lo0:2: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
            zone secret
            inet 127.0.0.1 netmask ff000000
    e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 192.168.192.52 netmask ffffff00 broadcast 192.168.192.255
            ether 0:14:4f:29:dd:9c
    e1000g1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
            inet 192.168.128.1 netmask ffffff00 broadcast 192.168.128.255
            ether 0:14:4f:29:dd:9d
    e1000g2: flags=1000802<BROADCAST,MULTICAST,IPv4> mtu 1500 index 4
            inet 0.0.0.0 netmask 0
            ether 0:14:4f:29:dd:9e
    e1000g2:1: flags=1000803<UP,BROADCAST,MULTICAST,IPv4> mtu 1500 index 4
            zone secret
            inet 192.168.193.1 netmask ffffff00 broadcast 192.168.193.255
    e1000g3: flags=1000802<BROADCAST,MULTICAST,IPv4> mtu 1500 index 5
            inet 0.0.0.0 netmask 0
            ether 0:14:4f:29:dd:9f
    e1000g3:1: flags=1000803<UP,BROADCAST,MULTICAST,IPv4> mtu 1500 index 5
            zone topsecret
            inet 192.168.194.1 netmask ffffff00 broadcast 192.168.194.255
    vni0: flags=20010100c1<UP,RUNNING,NOARP,NOXMIT,IPv4,VIRTUAL> mtu 0 index 6
            all-zones
            inet 192.168.192.53 netmask ffffff00

This message posted from opensolaris.org
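A consistency check over the configuration dumped in the post, added here as an example; it is not part of the original post and not a Solaris tool. It parses the tnrhdb, tnrhtp and tnzonecfg entries and the addresses plumbed per ifconfig -a (all copied from the post as constructed sample input), resolves each plumbed address to its tnrhdb template by longest-prefix match with 0.0.0.0 as the fallback, confirms that template exists in tnrhtp, and reports whether each address sits on the same subnet as the all-zones interface, which is the difference between the working and non-working setups described above. Assumptions: IPv4 only, the colon-separated layouts as shown in the post, and the third tnzonecfg field is carried through as an opaque flag rather than interpreted.

```python
import ipaddress

# Constructed sample input, copied from the configuration dumps in the post.
TNRHDB = """\
0.0.0.0:admin_low
127.0.0.1:cipso
192.168.192.52:cipso
192.168.128.1:cipso
192.168.192.53:cipso
192.168.193.1:cipso
192.168.194.1:cipso
"""

TNRHTP = """\
# Default for locally plumbed interfaces
cipso:min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;host_type=cipso;doi=1
#
admin_low:min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_label=ADMIN_LOW;host_type=unlabeled;doi=1
"""

TNZONECFG = """\
global:ADMIN_LOW:1:111/tcp;111/udp;515/tcp;631/tcp;2049/tcp;6000-6003/tcp:6000-6003/tcp
secret:0x0004-08-:0::
topsecret:0x0006-08-:0::
"""

# (zone, interface, address, netmask) as reported by ifconfig -a in the post
# (netmask ffffff00 written in dotted form).
PLUMBED = [
    ("global", "e1000g0", "192.168.192.52", "255.255.255.0"),
    ("global", "e1000g1", "192.168.128.1", "255.255.255.0"),
    ("secret", "e1000g2:1", "192.168.193.1", "255.255.255.0"),
    ("topsecret", "e1000g3:1", "192.168.194.1", "255.255.255.0"),
    ("all-zones", "vni0", "192.168.192.53", "255.255.255.0"),
]


def _content_lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def parse_tnrhdb(text):
    """Return [(network, template)]. A bare address is a /32 host entry;
    0.0.0.0 is treated as the wildcard fallback entry (IPv4 only)."""
    entries = []
    for line in _content_lines(text):
        addr, template = line.rsplit(":", 1)
        net = ipaddress.ip_network("0.0.0.0/0" if addr == "0.0.0.0" else addr,
                                   strict=False)
        entries.append((net, template))
    return entries


def parse_tnrhtp(text):
    """Return {template_name: {attribute: value}} from 'name:k=v;k=v' lines."""
    templates = {}
    for line in _content_lines(text):
        name, attrs = line.split(":", 1)
        templates[name] = dict(kv.split("=", 1) for kv in attrs.split(";") if kv)
    return templates


def parse_tnzonecfg(text):
    """Return {zone: {...}} from 'zone:label:flag:private_mlps:shared_mlps'.
    The flag field is kept verbatim; its meaning is not interpreted here."""
    zones = {}
    for line in _content_lines(text):
        fields = line.split(":")
        if len(fields) != 5:
            raise ValueError(f"malformed tnzonecfg line: {line!r}")
        name, label, flag, private_mlp, shared_mlp = fields
        zones[name] = {
            "label": label,
            "flag": flag,
            "private_mlps": [p for p in private_mlp.split(";") if p],
            "shared_mlps": [p for p in shared_mlp.split(";") if p],
        }
    return zones


def lookup_template(entries, address):
    """Longest-prefix match of an address against tnrhdb entries."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, template in entries:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, template)
    return best[1] if best else None


def audit(plumbed, entries, zones, templates, all_zones_name="all-zones"):
    """One finding per plumbed address: resolved template, whether that
    template is defined in tnrhtp, whether the owning zone is in tnzonecfg,
    and whether the address shares a subnet with the all-zones interface."""
    az = [p for p in plumbed if p[0] == all_zones_name]
    az_net = (ipaddress.ip_network(f"{az[0][2]}/{az[0][3]}", strict=False)
              if az else None)
    findings = []
    for zone, iface, addr, mask in plumbed:
        template = lookup_template(entries, addr)
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        findings.append({
            "zone": zone, "iface": iface, "address": addr,
            "template": template,
            "template_defined": template in templates,
            "zone_configured": zone in zones or zone == all_zones_name,
            "same_subnet_as_allzones": az_net is not None and net == az_net,
        })
    return findings


if __name__ == "__main__":
    results = audit(PLUMBED, parse_tnrhdb(TNRHDB), parse_tnzonecfg(TNZONECFG),
                    parse_tnrhtp(TNRHTP))
    for f in results:
        print(f)
```

Run as-is, the report shows every plumbed address resolving to the cipso template and only the global zone's e1000g0 sharing the 192.168.192.0/24 subnet with vni0; the two labeled zones are flagged as being on other subnets, which is exactly the configuration the post says fails while the single-subnet variant works.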