Folks, I'm trying to set up a secured build server using TX. I have TX up and running fine, but run into a problem when sharing an NFS mount from the Global ADMIN_LOW to a non-TX system. The non-TX system has a net label of admin_low. Any thoughts?
global and client are admin_low for files. Here's the client:

    tnctl -h 192.168.15.78:admin_low
    tninfo -h 192.168.15.78
    IP address= 192.168.15.78
    Template  = admin_low

I'm wondering if it could be an MLP setting - don't quite have my head around TX yet. Here's some details.

All: no LDAP, just files

TX System: hostname: gw1, dns: gw1.dynlab.net

    cat /etc/security/tsol/tnzonecfg
    global:ADMIN_LOW:1:111/tcp;111/udp;515/tcp;631/tcp;2049/tcp;6000-6003/tcp:6000-6003/tcp
    foo:0x0002-08-08:0::
    bar:0x000a-08-08:0::

    cat /etc/dfs/dfstab
    share -F nfs -o rw=tserver:tserver.dynlab.net:rlbserver,root=tserver:tserver.dynlab.net /scratch
    share -F nfs -o rw=tserver:tserver.dynlab.net:rlbserver,root=tserver:tserver.dynlab.net /share/install

# Yea, World Write is just for testing - no need for soap box ;) root owner with 700/770 same issue.

    ls -l /share/
    total 3
    drwxrwxrwx   2 me       sys            2 Apr 21 12:30 install

/etc/default/nfs settings, all others are defaults - I changed the range to just NFS v4 because of this issue. Same problems using defaults.

    NFSD_LISTEN_BACKLOG=32
    NFSD_PROTOCOL=ALL
    NFSD_SERVERS=16
    LOCKD_LISTEN_BACKLOG=32
    LOCKD_SERVERS=20
    LOCKD_RETRANSMIT_TIMEOUT=5
    GRACE_PERIOD=90
    NFS_SERVER_VERSMIN=4
    NFS_SERVER_VERSMAX=4
    NFS_CLIENT_VERSMIN=4
    NFS_CLIENT_VERSMAX=4
    NFS_SERVER_DELEGATION=on

    svcs -a|grep nfs
    disabled       13:51:43 svc:/network/nfs/client:default
    online         13:51:56 svc:/network/nfs/cbd:default
    online         13:51:57 svc:/network/nfs/status:default
    online         13:51:57 svc:/network/nfs/mapid:default
    online         13:51:57 svc:/network/nfs/nlockmgr:default
    online         13:51:58 svc:/network/nfs/rquota:default
    online         13:52:00 svc:/network/nfs/server:default

Non-TX System: hostname: tserver, dns: tserver.dynlab.net

    # showmount -e gw1
    export list for gw1:
    /scratch       tserver,tserver.dynlab.net,rlbserver
    /share/install tserver,tserver.dynlab.net,rlbserver

Both cd /net/gw1/share/install and mount -F nfs gw1:/share/install /foo fail. Tried with DNS name, fail.
Both systems same DNS but NFS Domain set at default value.

    mount -F nfs gw1.dynlab.net:/share/install /mnt
    nfs mount: mount: /mnt: Permission denied

Supplemental info: Strange, but I tried the inverse using the client as a server to the TX and the mounting worked - same nfsd settings. Also note that the net label is working, I can ssh back and forth.

Thoughts?
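An added example (mine, not from the post or from Solaris): a small Python parser for the tnzonecfg lines quoted above that reports, per zone, which NFS-related ports are configured as multilevel ports, which is the check the MLP question above calls for. The field layout follows tnzonecfg(4) (zone:label:flag:zone-private MLPs:shared MLPs); the NFSv3/NFSv4 port sets are an assumption for illustration.

```python
# Added example, not part of the original post. Parses tnzonecfg(4) entries and
# reports which NFS ports each zone has configured as multilevel ports (MLPs).
from dataclasses import dataclass, field

# Constructed input: the tnzonecfg lines quoted in the post (line wrap joined).
TNZONECFG = """\
global:ADMIN_LOW:1:111/tcp;111/udp;515/tcp;631/tcp;2049/tcp;6000-6003/tcp:6000-6003/tcp
foo:0x0002-08-08:0::
bar:0x000a-08-08:0::
"""

# Assumed port sets for illustration: NFSv4 needs only 2049/tcp; NFSv3 also
# needs rpcbind (111) and 2049/udp (lockd/statd ports are dynamic, not listed).
NFSV4_PORTS = {(2049, "tcp")}
NFSV3_PORTS = {(111, "tcp"), (111, "udp"), (2049, "tcp"), (2049, "udp")}


@dataclass
class ZoneEntry:
    zone: str
    label: str
    flag: str
    private_mlps: set = field(default_factory=set)  # zone-specific MLPs (field 4)
    shared_mlps: set = field(default_factory=set)   # MLPs shared with global (field 5)


def parse_mlp_field(text):
    """Expand 'port[-port]/proto' items separated by ';' into (port, proto) pairs."""
    mlps = set()
    for item in filter(None, text.split(";")):
        ports, proto = item.split("/")
        lo, _, hi = ports.partition("-")
        for port in range(int(lo), int(hi or lo) + 1):
            mlps.add((port, proto))
    return mlps


def parse_tnzonecfg(text):
    """Return {zone_name: ZoneEntry}, skipping blank lines and '#' comments."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        zone, label, flag, private, shared = line.split(":")
        entries[zone] = ZoneEntry(zone, label, flag,
                                  parse_mlp_field(private), parse_mlp_field(shared))
    return entries


def missing_mlps(entry, wanted):
    """Ports in `wanted` that are neither private nor shared MLPs for this zone."""
    return sorted(wanted - entry.private_mlps - entry.shared_mlps)
```

Running `missing_mlps(parse_tnzonecfg(TNZONECFG)["global"], NFSV3_PORTS)` on the quoted config reports 2049/udp as the only NFSv3 port not set up as an MLP in the global zone, while the NFSv4-only set is fully covered.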