You might need to wait for the bug fix, not sure. Apparently the all-zones interface has to exist (only for vni0) even on a nic-per-interface system. You have to be very careful how you configure this, though.
Do you have anything later than S10_u3 on your system? Any later network patches that introduce new network features? I'll let someone more familiar with the all-zones bug answer any further questions.

>Date: Wed, 11 Apr 2007 13:16:21 -0700 (PDT)
>From: Jan Parcel <jan.parcel at sun.com>
>Subject: Re: [security-discuss] Labeled Zones in TX on different subnets?
>To: security-discuss at opensolaris.org, kshaw at cdsinc.com
>
>The problem is probably that your choices do not go with the all-zones interface.
>
>The all-zones interface is for when you do NOT want different ip addresses for each zone, or when you don't want different ip addresses for each labeled zone.
>
>Under "Associating Network Interfaces with Zones" it says to only do *one* of the choices in the window:
>
>http://docs.sun.com/app/docs/doc/819-0867/6n39012o3?a=view
>
>This might not be 100% of the fix you need but it's at least a required first step.
>
>>Date: Wed, 11 Apr 2007 12:09:11 -0700 (PDT)
>>From: Kelley Shaw <kshaw at cdsinc.com>
>>Subject: [security-discuss] Labeled Zones in TX on different subnets?
>>To: security-discuss at opensolaris.org
>>
>>Hello all,
>>
>>I am trying to configure Solaris 10 with Trusted Extensions (11/06). I have made quite a bit of progress, but I'm stuck on one part:
>>
>>I have two security levels (secret and topsecret) and I want to create one labeled zone for each level, each with its own dedicated physical interface and IP address. Furthermore, I want the IP address of each zone to be on a different subnet. So:
>>
>>global zone: 192.168.192.52 (e1000g0)
>>secret zone: 192.168.193.1 (e1000g2)
>>topsecret zone: 192.168.194.1 (e1000g3)
>>all-zones interface: 192.168.192.53 (vni0)
>>
>>I have gone through the process outlined in the "Solaris Trusted Extensions Installation and Configuration", starting on page 56. I get through the entire process of configuring/installing/starting the zones and all seems well. However, when I try to open any X-windows clients in either zone, I get the error: Action failed. Reconnect to Solaris Zone?
>>
>>According to page 83 of the install guide, under the heading "Labeled Zone is Unable to Access the X Server" there may be an issue with the "all-zones" interface. I did create the all-zone interface according to the instructions, so I'm not sure what the problem is.
>>
>>I went through the entire TX process again, this time using IP addresses all on the same subnet, and everything worked correctly. However, I really want the zones to be on different subnets to isolate the single-label networks.
>>
>>Has anyone successfully implemented labeled zones that are on different subnets from the global zone?
>>
>>Here are dumps of my config:
>>
>>/etc/hosts:
>>#
>># Internet host table
>>#
>>127.0.0.1 localhost
>>192.168.192.52 galaxy loghost
>>192.168.128.1 galaxy-e1000g1 # SUNRAY ADD - DO NOT MODIFY
>>192.168.192.53 galaxy-allzones
>>192.168.193.1 galaxy-e1000g2
>>192.168.194.1 galaxy-e1000g3
>>
>>tnrhdb:
>>0.0.0.0:admin_low
>>127.0.0.1:cipso
>>192.168.192.52:cipso
>>192.168.128.1:cipso
>>192.168.192.53:cipso
>>192.168.193.1:cipso
>>192.168.194.1:cipso
>>
>>tnrhtp:
>># Default for locally plumbed interfaces
>>cipso:min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;host_type=cipso;doi=1
>>#
>>admin_low:min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_label=ADMIN_LOW;host_type=unlabeled;doi=1
>>
>>tnzonecfg:
>>global:ADMIN_LOW:1:111/tcp;111/udp;515/tcp;631/tcp;2049/tcp;6000-6003/tcp:6000-6003/tcp
>>secret:0x0004-08-:0::
>>topsecret:0x0006-08-:0::
>>
>>ifconfig -a output:
>>lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
>>        inet 127.0.0.1 netmask ff000000
>>lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
>>        zone topsecret
>>        inet 127.0.0.1 netmask ff000000
>>lo0:2: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
>>        zone secret
>>        inet 127.0.0.1 netmask ff000000
>>e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
>>        inet 192.168.192.52 netmask ffffff00 broadcast 192.168.192.255
>>        ether 0:14:4f:29:dd:9c
>>e1000g1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
>>        inet 192.168.128.1 netmask ffffff00 broadcast 192.168.128.255
>>        ether 0:14:4f:29:dd:9d
>>e1000g2: flags=1000802<BROADCAST,MULTICAST,IPv4> mtu 1500 index 4
>>        inet 0.0.0.0 netmask 0
>>        ether 0:14:4f:29:dd:9e
>>e1000g2:1: flags=1000803<UP,BROADCAST,MULTICAST,IPv4> mtu 1500 index 4
>>        zone secret
>>        inet 192.168.193.1 netmask ffffff00 broadcast 192.168.193.255
>>e1000g3: flags=1000802<BROADCAST,MULTICAST,IPv4> mtu 1500 index 5
>>        inet 0.0.0.0 netmask 0
>>        ether 0:14:4f:29:dd:9f
>>e1000g3:1: flags=1000803<UP,BROADCAST,MULTICAST,IPv4> mtu 1500 index 5
>>        zone topsecret
>>        inet 192.168.194.1 netmask ffffff00 broadcast 192.168.194.255
>>vni0: flags=20010100c1<UP,RUNNING,NOARP,NOXMIT,IPv4,VIRTUAL> mtu 0 index 6
>>        all-zones
>>        inet 192.168.192.53 netmask ffffff00
>>
>>
>>This message posted from opensolaris.org
>>_______________________________________________
>>security-discuss mailing list
>>security-discuss at opensolaris.org
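A small consistency checker for the tnrhtp and tnrhdb databases quoted in the thread, written as an added example for this discussion rather than taken from it or from Sun. It parses both formats, resolves each locally plumbed address through tnrhdb the way tnrhdb(4) does (bare address is one host, a.b.c.d/len is a prefix, 0.0.0.0 is the wildcard fallback, longest prefix wins), and reports templates missing attributes for their host_type, tnrhdb entries naming undefined templates, and local addresses that fall through to a non-cipso template. The sample data is copied from the post, except that the topsecret address is deliberately left out of tnrhdb so the last check has something to report.

```python
import ipaddress
# Sample data copied from the post, except that 192.168.194.1 (topsecret) is left
# out of tnrhdb on purpose so the fallback check below has something to report.
TNRHTP = """# Default for locally plumbed interfaces
cipso:min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;host_type=cipso;doi=1
admin_low:min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_label=ADMIN_LOW;host_type=unlabeled;doi=1
"""
TNRHDB = """0.0.0.0:admin_low
127.0.0.1:cipso
192.168.192.52:cipso
192.168.128.1:cipso
192.168.192.53:cipso
192.168.193.1:cipso
"""
PLUMBED = ["127.0.0.1", "192.168.192.52", "192.168.128.1",   # from the ifconfig -a output
           "192.168.192.53", "192.168.193.1", "192.168.194.1"]
REQUIRED = {"cipso": {"min_sl", "max_sl", "doi"},            # attributes needed per host_type
            "unlabeled": {"min_sl", "max_sl", "def_label", "doi"}}
def parse_db(text):
    """Both files are 'key:rest' per line; '#' comments and blank lines are skipped."""
    rows = (ln.strip() for ln in text.splitlines())
    return dict(ln.split(":", 1) for ln in rows if ln and not ln.startswith("#"))

def parse_tnrhtp(text):
    """Template name -> {attribute: value}."""
    return {name: dict(kv.split("=", 1) for kv in attrs.split(";") if kv)
            for name, attrs in parse_db(text).items()}

def lookup(tnrhdb, addr):
    """Longest-prefix match: 'a.b.c.d/len' is a prefix, a bare address one host, 0.0.0.0 the wildcard."""
    ip, best = ipaddress.ip_address(addr), (-1, None)
    for entry, tmpl in tnrhdb.items():
        cidr = "0.0.0.0/0" if entry == "0.0.0.0" else entry if "/" in entry else entry + "/32"
        net = ipaddress.ip_network(cidr, strict=False)
        if ip in net and net.prefixlen > best[0]:
            best = (net.prefixlen, tmpl)
    return best[1]

def check(tnrhtp, tnrhdb, plumbed):
    """Return a list of findings; an empty list means the databases agree."""
    out = []
    for name, attrs in tnrhtp.items():      # every template well formed for its host_type
        need = REQUIRED.get(attrs.get("host_type"))
        missing = sorted(need - set(attrs)) if need else ["a known host_type"]
        if missing:
            out.append(f"tnrhtp {name}: missing {missing}")
    out += [f"tnrhdb {h}: template {t!r} not defined" for h, t in tnrhdb.items() if t not in tnrhtp]
    for addr in plumbed:                    # local interfaces must resolve to a cipso template
        if tnrhtp.get(tmpl := lookup(tnrhdb, addr), {}).get("host_type") != "cipso":
            out.append(f"local address {addr} falls back to non-cipso template {tmpl!r}")
    return out
```

Run `check(parse_tnrhtp(TNRHTP), parse_db(TNRHDB), PLUMBED)` against the sample: the only finding is that 192.168.194.1 resolves to the admin_low wildcard, which is exactly what a missing tnrhdb line for a labeled zone's interface looks like.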