Robert Bailey wrote:
> So when sharing one hostname in the global zone, every local zone
> needs to have the same hostname? And that hostname is the name of the
> all-zones interface?
>
> What if I want a unique IP address per local zone, does that require
> not having any interface marked as 'all-zones'?

The only real requirement is that the hostnames associated with labeled zones must correspond to valid IP addresses that the global zone can resolve. This resolution could be in /etc/hosts, /etc/inet/ipnodes, or the LDAP equivalents. There are subtle side effects if the labeled zone's hostname differs from the global zone's hostname. Most of these are related to X windows multimedia clients. If the hostname of the client and the hostname specified in the DISPLAY environment don't match, the client believes it is remote and does weird things to get audio to work, which can't be done in TX. I don't think the zone's hostname affects auditing in TX since we audit in the global zone.

Unique IP addresses per-zone must not have the all-zones attribute.

--Glenn

>
> On May 18, 2007, at 1:06 PM, Jan Parcel wrote:
>
>> The hostname for the local zone must be the same as the all-zones
>> address,
>> really there's no such thing as an address "in the global zone" for
>> all-zones, it's really in all zones.
>>
>> The additional address in the local zone must be *additional* it cannot
>> be the hostname.
>>
>>
>>> Date: Fri, 18 May 2007 09:19:25 +0100
>>> From: Darren J Moffat <Darren.Moffat at sun.com>
>>> Subject: Re: [security-discuss] BSM Bug?
>>> To: Robert Bailey <robert.bailey at mac.com>
>>> Cc: security-discuss at opensolaris.org
>>>
>>> Robert Bailey wrote:
>>>
>>>> I was wondering if anyone has run into this. I have two TX systems,
>>>> each with the same BSM configuration, that has zonename enabled.
>>>> On one TX system I have my local zones configured to run without IP
>>>> addresses. In the global, there is one IP for all-zones, one without the
>>>> all-zones tag. This system can report via BSM, on all transactions
>>>> within a local zone.
>>>>
>>>> The second system has the same BSM configuration, but for the local
>>>> zone configuration there is an IP on the local zone, the global has one
>>>> with an all-zones. This system does not report any audit trail for the
>>>> local zone except for one entry for zoneadmd.
>>>
>>> Can you send the output of `auditconfig -lspolicy` for both machines.
>>> Also ifconfig -a from the global zone for both machines.
>>>
>>> If I understand correctly you have: `auditconfig -setpolicy +zonename`
>>> for both but have only a global zone audit log configured?
>>>
>>> --
>>> Darren J Moffat
>>> _______________________________________________
>>> security-discuss mailing list
>>> security-discuss at opensolaris.org
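The rules Glenn and Jan state above (zone hostnames must resolve in the global zone, the zone hostname must be the all-zones address, and a hostname that differs from the global zone's confuses X/audio clients), as an added configuration check that is not part of the thread: it assumes a Solaris 10 Trusted Extensions style `ifconfig -a` layout in which an `all-zones` or `zone <name>` line follows each address, and the zone names, hostnames, addresses and hosts-file contents are constructed sample values.

```python
import re
# Constructed sample input (not from the thread); the "all-zones" / "zone <name>"
# line after each inet line is an assumed Solaris 10 TX ifconfig -a layout.
GLOBAL_HOSTNAME = "txhost"
ZONE_HOSTNAMES = {"public": "txhost", "internal": "txhost-int", "restricted": "txhost-res"}
ETC_HOSTS = """\
127.0.0.1   localhost
10.0.0.10   txhost loghost
10.0.0.11   txhost-int
"""
IFCONFIG_A = """\
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.0.0.10 netmask ffffff00 broadcast 10.0.0.255
        all-zones
bge0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.0.0.11 netmask ffffff00 broadcast 10.0.0.255
        zone internal
"""
def parse_hosts(text):
    """Map every name in /etc/hosts-style text to its address (comments stripped)."""
    return {name: f[0] for f in (ln.split("#", 1)[0].split() for ln in text.splitlines())
            for name in f[1:]}

def parse_ifconfig(text):
    """Return {address: {"all_zones": bool, "zone": name-or-None}} from ifconfig -a."""
    addrs, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"\s+inet\s+(\S+)", line)
        if m:
            cur = addrs.setdefault(m.group(1), {"all_zones": False, "zone": None})
        elif cur is not None and line.strip() == "all-zones":
            cur["all_zones"] = True
        elif cur is not None and line.strip().startswith("zone "):
            cur["zone"] = line.split()[1]
    return addrs

def check_zone_hostnames(zone_hostnames, hosts, ifconfig, global_hostname):
    """Apply the thread's rules; return (zone, finding) pairs, empty when all is well."""
    names, addrs = parse_hosts(hosts), parse_ifconfig(ifconfig)
    findings = []
    for zone, hostname in sorted(zone_hostnames.items()):
        addr = names.get(hostname)
        if addr is None:  # Glenn: the global zone must be able to resolve it
            findings.append((zone, "hostname %s does not resolve in the global zone" % hostname))
            continue
        info = addrs.get(addr, {"all_zones": False, "zone": None})
        if not info["all_zones"]:  # Jan: the zone hostname must be the all-zones address
            findings.append((zone, "%s -> %s is not all-zones (zone %s)" % (hostname, addr, info["zone"])))
        if hostname != global_hostname:  # Glenn: X/audio clients may then think they are remote
            findings.append((zone, "hostname %s differs from the global zone hostname" % hostname))
    return findings
```

With the sample data, the `internal` zone is flagged twice (its hostname points at its own zone-private address and differs from the global hostname), `restricted` is flagged as unresolvable, and `public` passes.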