Piotr Jasiukajtis wrote:
> Hi,
>
> I am playing with a simple Trusted Extensions setup with 2008.11 in VirtualBox.
> I have an issue with network setup in labeled non-global zones.
>
> My interface e1000g0 is visible in the PUBLIC zone and has a shared IP, but I
> can't even ping anything. Network works only from the global zone.
> My gateway is not CIPSO aware.
>
> Could you describe how I can enable network traffic from labeled zones?
>
VBOX may have a problem with 'ping' as it may not support raw sockets. Commands like ssh (and other protocols) work.

Some configuration is needed for a labeled zone. In general, if you want connectivity from a labeled zone, e.g. PUBLIC, you need to assign a "public" template to the network you are communicating with. You can do that in the /etc/security/tsol/tnrhdb file, e.g. change the entry from

0.0.0.0:admin_low

to

0.0.0.0:public

Also make sure you have the "public" template defined in the /etc/security/tsol/tnrhtp file. You can create the "public" entry by duplicating the "admin_low" entry, changing the template name to "public" and changing its default label to 0x0002-08-08 (the hex form of PUBLIC).

After you've done the configuration, you may restart the TX networking service if you don't want to reboot, e.g.

# svcadm restart tnctl

A sample tnrhtp file looks like this:

# The following is the default template used on the system.
#
#_unlab:host_type=unlabeled;doi=1;def_label=ADMIN_LOW;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH
#
# Default for locally plumbed interfaces
cipso:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;
#
admin_low:host_type=unlabeled;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_label=ADMIN_LOW;
public:host_type=unlabeled;doi=1;def_label=0x0002-08-08;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH
internal:host_type=unlabeled;doi=1;def_label=0x0004-08-48;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH
needtoknow:host_type=unlabeled;doi=1;def_label=0x0004-08-68;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH
restricted:host_type=unlabeled;doi=1;def_label=0x0004-08-78;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH

Good luck.

Jarrett
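The reply above describes a two-file procedure: the tnrhdb wildcard entry must point at a template whose default label matches the zone (PUBLIC), and that template must actually exist in tnrhtp. The following Python script, added here as an illustration and not part of the original thread or of Solaris itself, parses small constructed copies of both files, derives a "public" template from "admin_low" the way the reply describes (copy the entry, rename it, set def_label to 0x0002-08-08), and reports the two misconfigurations a labeled zone typically runs into: a host entry that references an undefined template, and an unlabeled host whose default label differs from the zone's label. The rule it checks (an unlabeled host is reachable from a zone only when the host's def_label equals the zone's label) is the assumption behind the reply's advice, stated here as this example's own reading; the sample file contents, the function names and the zone label are constructed for the example.

```python
"""Consistency check for Trusted Extensions tnrhtp/tnrhdb files.

Added example, not code from the mailing-list thread or from Solaris.
All inputs below are constructed samples modelled on the entries quoted
in the reply; run it against copies of your own files by reading them in.
"""
from __future__ import annotations

# Constructed tnrhtp: only the two templates the reply starts from.
SAMPLE_TNRHTP = """\
# Default for locally plumbed interfaces
cipso:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;
#
admin_low:host_type=unlabeled;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_label=ADMIN_LOW;
"""

# Constructed tnrhdb before the fix: every IPv4 host is unlabeled at ADMIN_LOW.
SAMPLE_TNRHDB_BEFORE = """\
127.0.0.1:cipso
0.0.0.0:admin_low
"""

# Constructed tnrhdb after the edit the reply recommends.
SAMPLE_TNRHDB_AFTER = """\
127.0.0.1:cipso
0.0.0.0:public
"""

PUBLIC_LABEL = "0x0002-08-08"  # hex form of PUBLIC, as given in the reply


def parse_tnrhtp(text: str) -> dict[str, dict[str, str]]:
    """Parse 'name:key=val;key=val;...' lines into {name: {key: val}}.

    Comment lines and blank lines are skipped; a trailing ';' is tolerated.
    """
    templates: dict[str, dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, body = line.partition(":")
        attrs: dict[str, str] = {}
        for kv in body.split(";"):
            if "=" in kv:
                key, value = kv.split("=", 1)
                attrs[key.strip()] = value.strip()
        templates[name.strip()] = attrs
    return templates


def parse_tnrhdb(text: str) -> dict[str, str]:
    """Parse 'host:template' lines into {host: template}."""
    hosts: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, _, template = line.partition(":")
        hosts[host.strip()] = template.strip()
    return hosts


def derive_template(templates: dict[str, dict[str, str]], base: str,
                    def_label: str) -> dict[str, str]:
    """Copy a base template and replace its default label (the duplicate-and-edit step)."""
    attrs = dict(templates[base])
    attrs["def_label"] = def_label
    return attrs


def render_template(name: str, attrs: dict[str, str]) -> str:
    """Render a template back into tnrhtp line syntax."""
    return name + ":" + ";".join(f"{k}={v}" for k, v in attrs.items())


def check_config(templates: dict[str, dict[str, str]], hosts: dict[str, str],
                 zone_label: str) -> list[str]:
    """Return human-readable issues that would stop a zone at zone_label from talking.

    Assumption (this example's reading of the reply): an unlabeled host is
    reachable from a labeled zone only when its def_label equals the zone label.
    """
    issues: list[str] = []
    for host, tname in hosts.items():
        template = templates.get(tname)
        if template is None:
            issues.append(f"{host}: template '{tname}' is not defined in tnrhtp")
            continue
        if template.get("host_type") == "unlabeled":
            label = template.get("def_label", "<missing>")
            if label != zone_label:
                issues.append(f"{host}: unlabeled host defaults to {label}, "
                              f"zone is at {zone_label}")
    return issues


if __name__ == "__main__":
    templates = parse_tnrhtp(SAMPLE_TNRHTP)
    print("before:", check_config(templates, parse_tnrhdb(SAMPLE_TNRHDB_BEFORE), PUBLIC_LABEL))
    print("tnrhdb edited only:", check_config(templates, parse_tnrhdb(SAMPLE_TNRHDB_AFTER), PUBLIC_LABEL))
    templates["public"] = derive_template(templates, "admin_low", PUBLIC_LABEL)
    print("new tnrhtp line:", render_template("public", templates["public"]))
    print("after:", check_config(templates, parse_tnrhdb(SAMPLE_TNRHDB_AFTER), PUBLIC_LABEL))
```

Running it shows the three states in order: with 0.0.0.0:admin_low the wildcard host defaults to ADMIN_LOW while the zone is at 0x0002-08-08; with tnrhdb edited but no "public" template the reference is dangling (the reply's "also make sure you have the public template defined"); once the derived template is added the check comes back empty, at which point the reply's svcadm restart tnctl is the remaining step on a real system.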