The problem is probably that your choices do not go with the all-zones interface.
The all-zones interface is for when you do NOT want different IP addresses for each zone, or when you don't want different IP addresses for each labeled zone. Under "Associating Network Interfaces with Zones" it says to only do *one* of the choices in the window:

http://docs.sun.com/app/docs/doc/819-0867/6n39012o3?a=view

This might not be 100% of the fix you need, but it's at least a required first step.

> Date: Wed, 11 Apr 2007 12:09:11 -0700 (PDT)
> From: Kelley Shaw <kshaw at cdsinc.com>
> Subject: [security-discuss] Labeled Zones in TX on different subnets?
> To: security-discuss at opensolaris.org
> Delivered-to: security-discuss at opensolaris.org
> X-Original-To: security-discuss at opensolaris.org
> X-OpenSolaris-URL: http://www.opensolaris.org/jive/message.jspa?messageID=109200&tstart=0#109200
> List-Unsubscribe: <http://mail.opensolaris.org/mailman/listinfo/security-discuss>, <mailto:security-discuss-request at opensolaris.org?subject=unsubscribe>
> List-Id: OpenSolaris Security Discussions <security-discuss.opensolaris.org>
>
> Hello all,
>
> I am trying to configure Solaris 10 with Trusted Extensions (11/06). I have made quite a bit of progress, but I'm stuck on one part:
>
> I have two security levels (secret and topsecret) and I want to create one labeled zone for each level, each with its own dedicated physical interface and IP address. Furthermore, I want the IP address of each zone to be on a different subnet. So:
>
> global zone: 192.168.192.52 (e1000g0)
> secret zone: 192.168.193.1 (e1000g2)
> topsecret zone: 192.168.194.1 (e1000g3)
> all-zones interface: 192.168.192.53 (vni0)
>
> I have gone through the process outlined in the "Solaris Trusted Extensions Installation and Configuration", starting on page 56. I get through the entire process of configuring/installing/starting the zones and all seems well. However, when I try to open any X-windows clients in either zone, I get the error: Action failed. Reconnect to Solaris Zone?
>
> According to page 83 of the install guide, under the heading "Labeled Zone is Unable to Access the X Server" there may be an issue with the "all-zones" interface. I did create the all-zones interface according to the instructions, so I'm not sure what the problem is.
>
> I went through the entire TX process again, this time using IP addresses all on the same subnet, and everything worked correctly. However, I really want the zones to be on different subnets to isolate the single-label networks.
>
> Has anyone successfully implemented labeled zones that are on different subnets from the global zone?
>
> Here are dumps of my config:
>
> /etc/hosts:
> #
> # Internet host table
> #
> 127.0.0.1 localhost
> 192.168.192.52 galaxy loghost
> 192.168.128.1 galaxy-e1000g1 # SUNRAY ADD - DO NOT MODIFY
> 192.168.192.53 galaxy-allzones
> 192.168.193.1 galaxy-e1000g2
> 192.168.194.1 galaxy-e1000g3
>
> tnrhdb:
> 0.0.0.0:admin_low
> 127.0.0.1:cipso
> 192.168.192.52:cipso
> 192.168.128.1:cipso
> 192.168.192.53:cipso
> 192.168.193.1:cipso
> 192.168.194.1:cipso
>
> tnrhtp:
> # Default for locally plumbed interfaces
> cipso:min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;host_type=cipso;doi=1
> #
> admin_low:min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_label=ADMIN_LOW;host_type=unlabeled;doi=1
>
> tnzonecfg:
> global:ADMIN_LOW:1:111/tcp;111/udp;515/tcp;631/tcp;2049/tcp;6000-6003/tcp:6000-6003/tcp
> secret:0x0004-08-:0::
> topsecret:0x0006-08-:0::
>
> ifconfig -a output:
> lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
>         inet 127.0.0.1 netmask ff000000
> lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
>         zone topsecret
>         inet 127.0.0.1 netmask ff000000
> lo0:2: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
>         zone secret
>         inet 127.0.0.1 netmask ff000000
> e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
>         inet 192.168.192.52 netmask ffffff00 broadcast 192.168.192.255
>         ether 0:14:4f:29:dd:9c
> e1000g1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
>         inet 192.168.128.1 netmask ffffff00 broadcast 192.168.128.255
>         ether 0:14:4f:29:dd:9d
> e1000g2: flags=1000802<BROADCAST,MULTICAST,IPv4> mtu 1500 index 4
>         inet 0.0.0.0 netmask 0
>         ether 0:14:4f:29:dd:9e
> e1000g2:1: flags=1000803<UP,BROADCAST,MULTICAST,IPv4> mtu 1500 index 4
>         zone secret
>         inet 192.168.193.1 netmask ffffff00 broadcast 192.168.193.255
> e1000g3: flags=1000802<BROADCAST,MULTICAST,IPv4> mtu 1500 index 5
>         inet 0.0.0.0 netmask 0
>         ether 0:14:4f:29:dd:9f
> e1000g3:1: flags=1000803<UP,BROADCAST,MULTICAST,IPv4> mtu 1500 index 5
>         zone topsecret
>         inet 192.168.194.1 netmask ffffff00 broadcast 192.168.194.255
> vni0: flags=20010100c1<UP,RUNNING,NOARP,NOXMIT,IPv4,VIRTUAL> mtu 0 index 6
>         all-zones
>         inet 192.168.192.53 netmask ffffff00
>
>
> This message posted from opensolaris.org
> _______________________________________________
> security-discuss mailing list
> security-discuss at opensolaris.org
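As an added example, not code from this thread or from Solaris, the Python below parses the same files Kelley pasted (tnrhdb, tnrhtp, tnzonecfg and `ifconfig -a` output, embedded here as constructed samples trimmed to the relevant stanzas) and reports three things a TX administrator would want to check before chasing the X server error: plumbed local addresses without a cipso template in tnrhdb, labeled zones in tnzonecfg that own no address, and the condition the reply above points at, an all-zones interface coexisting with per-zone addresses. The parsers, the function names and that third "mixed configuration" rule are this example's own assumptions; the rule encodes the reply's reading of the Sun docs, not a check Solaris itself performs.

```python
import re
from ipaddress import ip_address

# Constructed samples mirroring the dumps in the post (trimmed to the relevant stanzas).
TNRHDB = """\
0.0.0.0:admin_low
127.0.0.1:cipso
192.168.192.52:cipso
192.168.192.53:cipso
192.168.193.1:cipso
192.168.194.1:cipso
"""
TNRHTP = """\
# Default for locally plumbed interfaces
cipso:min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;host_type=cipso;doi=1
admin_low:min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_label=ADMIN_LOW;host_type=unlabeled;doi=1
"""
TNZONECFG = """\
global:ADMIN_LOW:1:111/tcp;111/udp;515/tcp;631/tcp;2049/tcp;6000-6003/tcp:6000-6003/tcp
secret:0x0004-08-:0::
topsecret:0x0006-08-:0::
"""
IFCONFIG = """\
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.192.52 netmask ffffff00 broadcast 192.168.192.255
e1000g2: flags=1000802<BROADCAST,MULTICAST,IPv4> mtu 1500 index 4
        inet 0.0.0.0 netmask 0
e1000g2:1: flags=1000803<UP,BROADCAST,MULTICAST,IPv4> mtu 1500 index 4
        zone secret
        inet 192.168.193.1 netmask ffffff00 broadcast 192.168.193.255
e1000g3:1: flags=1000803<UP,BROADCAST,MULTICAST,IPv4> mtu 1500 index 5
        zone topsecret
        inet 192.168.194.1 netmask ffffff00 broadcast 192.168.194.255
vni0: flags=20010100c1<UP,RUNNING,NOARP,NOXMIT,IPv4,VIRTUAL> mtu 0 index 6
        all-zones
        inet 192.168.192.53 netmask ffffff00
"""


def config_lines(text):
    """Non-blank, non-comment lines of a TX config file."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def parse_tnrhdb(text):
    # address:template; rsplit keeps prefix notation such as 192.168.0.0/16 intact (IPv4 assumed)
    return dict(l.rsplit(":", 1) for l in config_lines(text))


def parse_tnrhtp(text):
    # template:key=value;key=value;...
    templates = {}
    for l in config_lines(text):
        name, attrs = l.split(":", 1)
        templates[name] = dict(kv.split("=", 1) for kv in attrs.split(";") if "=" in kv)
    return templates


def parse_tnzonecfg(text):
    # zone:label:mlp-flag:private-mlps:shared-mlps; only zone and label are used here
    return {l.split(":")[0]: l.split(":")[1] for l in config_lines(text)}


IFACE_RE = re.compile(r"^(\S+):\s+flags=")


def parse_ifconfig(text):
    """One record per logical interface: name, owning zone (global/all-zones/<zone>), inet address."""
    records, cur = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = {"iface": m.group(1), "zone": "global", "addr": None}
            records.append(cur)
        elif cur is None:
            continue
        elif line.strip() == "all-zones":
            cur["zone"] = "all-zones"
        elif line.strip().startswith("zone "):
            cur["zone"] = line.split()[1]
        elif line.strip().startswith("inet "):
            cur["addr"] = line.split()[1]
    return records


def audit(tnrhdb_text, tnrhtp_text, tnzonecfg_text, ifconfig_text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    rhdb, rhtp = parse_tnrhdb(tnrhdb_text), parse_tnrhtp(tnrhtp_text)
    zones = parse_tnzonecfg(tnzonecfg_text)
    plumbed = [r for r in parse_ifconfig(ifconfig_text)
               if r["addr"] and not ip_address(r["addr"]).is_unspecified]
    findings = []
    # 1. every plumbed local address needs a tnrhdb entry whose template is cipso
    for r in plumbed:
        tmpl = rhdb.get(r["addr"])
        if tmpl is None:
            findings.append(f"{r['iface']}: {r['addr']} has no tnrhdb entry")
        elif rhtp.get(tmpl, {}).get("host_type") != "cipso":
            findings.append(f"{r['iface']}: {r['addr']} uses template {tmpl}, not cipso")
    net = [r for r in plumbed if not ip_address(r["addr"]).is_loopback]
    # 2. every labeled zone in tnzonecfg should own a non-loopback address
    owned = {r["zone"] for r in net}
    for z in zones:
        if z != "global" and z not in owned:
            findings.append(f"zone {z} is in tnzonecfg but owns no plumbed address")
    # 3. this example's own rule, encoding the reply's reading of the docs:
    #    an all-zones interface and per-zone addresses are alternatives, not a combination
    shared = [r["iface"] for r in net if r["zone"] == "all-zones"]
    dedicated = [f"{r['iface']} ({r['zone']})" for r in net if r["zone"] not in ("global", "all-zones")]
    if shared and dedicated:
        findings.append("mixed configuration: all-zones %s plus zone-specific %s"
                        % (", ".join(shared), ", ".join(dedicated)))
    return findings


if __name__ == "__main__":
    for f in audit(TNRHDB, TNRHTP, TNZONECFG, IFCONFIG):
        print("FINDING:", f)
```

Run against the sample, the only finding is the mixed all-zones/per-zone layout on vni0, e1000g2:1 and e1000g3:1; drop the vni0 stanza and the audit comes back clean, while deleting one zone's tnrhdb line surfaces a missing-template finding ahead of it. The script reads pasted text rather than the live system, so it is equally usable on a config dump sent to a list like this one.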