Hi, Thanks for help, it works now :)
Jarrett Lu wrote:
> Piotr Jasiukajtis wrote:
>> Hi,
>>
>> I play with simple Trusted Extensions setup with 2008.11 in VirtualBox.
>> I have an issue with network setup in labeled non-global zones.
>>
>> My interface e1000g0 is visible in PUBLIC zone and has shared IP but I
>> can't even ping anything. Network works only from the global zone.
>> My gateway is not CIPSO aware.
>>
>> Could you describe how I can enable network traffic from labeled zones?
>>
>
> VBOX may have a problem with 'ping' as it may not support
> raw sockets. Commands like ssh (and other protocols) work.
> Some configuration is needed for a labeled zone. In general,
> if you want connectivity from a labeled zone, e.g. PUBLIC,
> you need to assign a "public" template to the network you
> are communicating with. You can do that in the /etc/security/tsol/tnrhdb
> file, e.g. change the entry from
> 0.0.0.0:admin_low
> to
> 0.0.0.0:public
>
> Also make sure you have the "public" template defined in the
> /etc/security/tsol/tnrhtp file. You can create the "public"
> entry by duplicating the "admin_low" entry, changing the
> template name to "public" and changing its default label
> to 0x0002-08-08 (the hex form of PUBLIC).
>
> After you've done the configuration, you may restart the TX
> networking service if you don't want to reboot, e.g.
> # svcadm restart tnctl
>
> A sample tnrhtp file looks like this:
> # The following is the default template used on the system.
> #
> #_unlab:host_type=unlabeled;doi=1;def_label=ADMIN_LOW;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH
>
> #
> # Default for locally plumbed interfaces
> cipso:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;
> #
> admin_low:host_type=unlabeled;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_label=ADMIN_LOW;
>
> public:host_type=unlabeled;doi=1;def_label=0x0002-08-08;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH
>
> internal:host_type=unlabeled;doi=1;def_label=0x0004-08-48;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH
>
> needtoknow:host_type=unlabeled;doi=1;def_label=0x0004-08-68;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH
>
> restricted:host_type=unlabeled;doi=1;def_label=0x0004-08-78;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH
>
>
> Good luck.
>
> Jarrett
>
>>
>>
>

--
Regards,
Piotr Jasiukajtis | estibi | SCA OS0072
http://estseg.blogspot.com
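
Added example, not part of either message and not Solaris code: a small Python cross-check of the two files discussed above. It flags tnrhdb entries that name a template missing from tnrhtp, and unlabeled-host templates whose def_label differs from the zone's label. The file contents, the 127.0.0.1 and 192.168.56.0 entries, and all function names are constructed for illustration.

```python
# Added example; TNRHTP/TNRHDB are constructed samples modelled on the message above.
TNRHTP = """\
# Default for locally plumbed interfaces
cipso:host_type=cipso;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;
admin_low:host_type=unlabeled;doi=1;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_label=ADMIN_LOW;
public:host_type=unlabeled;doi=1;def_label=0x0002-08-08;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH
"""

TNRHDB = """\
127.0.0.1:cipso
0.0.0.0:public
192.168.56.0:internal
"""

def _entries(text):
    """Yield non-comment, non-blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def parse_tnrhtp(text):
    """Return {template_name: {attribute: value}}."""
    templates = {}
    for line in _entries(text):
        name, _, body = line.partition(":")
        attrs = dict(f.split("=", 1) for f in body.split(";") if "=" in f)
        templates[name] = attrs
    return templates

def parse_tnrhdb(text):
    """Return [(address, template_name)]; the template follows the last colon."""
    return [tuple(line.rsplit(":", 1)) for line in _entries(text)]

def check(tnrhtp_text, tnrhdb_text, zone_label):
    """List tnrhdb entries with an undefined template or a def_label unlike zone_label."""
    templates = parse_tnrhtp(tnrhtp_text)
    problems = []
    for addr, tmpl in parse_tnrhdb(tnrhdb_text):
        attrs = templates.get(tmpl)
        if attrs is None:
            problems.append((addr, tmpl, "template not defined in tnrhtp"))
        elif attrs.get("host_type") == "unlabeled" and attrs.get("def_label") != zone_label:
            problems.append((addr, tmpl, "def_label differs from zone label"))
    return problems

if __name__ == "__main__":
    for p in check(TNRHTP, TNRHDB, "0x0002-08-08"):
        print(*p, sep=": ")
```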