Trusted Extensions already includes this functionality, although the implementation is not exactly what is being requested in this thread. In the case of Trusted Extensions, the global zone administrator determines which labeled zone directories may be exported via NFS. There is a unique dfstab file for each labeled zone, but these files are not only visible and managed from the global zone. When a zone is booted (or made ready) its unique dfstab file is processed by the zoneadm daemon (in the global zone) and the appropriate directories are shared. When the zone is halted, the entries in the zone's dfstab are unshared.

The MLS policy is automatically enforced in the kernel. Remote NFS clients must dominate the zone's label to do read-only mounts of the labeled zone's exports. Label equality is required for remote read-write mounts.

Although the implementation is probably adequate for current customers moving from Trusted Solaris 8, it has several limitations. For example, as Darren pointed out, secure NFS using Kerberos doesn't work well because we don't yet have a multilevel KDC. Another issue is that the labeled zone automounters can't use LOFS to mount directories exported from other zones running on the same host as themselves. Using NFS to mount a locally exported filesystem may cause a deadlock. There is a bug recorded about this for UFS, but I don't know if it has been seen with ZFS exports.

If you have specific issues about Trusted Extensions, you should use the security-discuss forum instead of zone-discuss or nfs-discuss.


Josh Fisher wrote:

Our company is a current consumer of Trusted Solaris 8 and we will be 
converting to Solaris 10 with TX. For the conversion to be final however we 
must wait for the Common Criteria EAL4+ CAPP, RBAC, and LSPP release of Solaris 
10 with TX. We are currently using Solaris 10 Update 3 for testing. In Trusted 
Solaris 8 our data is separated into clearances which range from unclass to 
Secret with compartments. Some of the classified data is shared out to other 
classified systems. In Solaris 10 with TX we will separate our clearances with 
labeled zones. This is our reason nfs server functionality is needed in zones 
in Solaris 10 with TX. We will have classified data which only resides in a 
labeled zone which will need to be shared out to other systems with the same 
clearance. If any of this is confusing I will try to explain better if need be. 

zones-discuss mailing list
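
The mount rule described in the reply above (dominance for read-only, equality for read-write), modelled as an added example; it is not part of the original messages and is not Trusted Extensions code. The `CLASS:COMP,COMP` notation, the level names and every function name are assumptions made for illustration.

```python
# Added illustration of the NFS mount rule from the thread; not Trusted Extensions code.
from dataclasses import dataclass

# Constructed classification ordering (assumption): higher number = more sensitive.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


@dataclass(frozen=True)
class Label:
    classification: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True if classification is >= other's and compartments are a superset."""
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and self.compartments >= other.compartments)


def parse_label(text):
    """Parse the constructed 'CLASS[:COMP,COMP]' notation (not label_encodings syntax)."""
    cls, _, comps = text.strip().partition(":")
    cls = cls.upper()
    if cls not in LEVELS:
        raise ValueError(f"unknown classification: {cls!r}")
    return Label(cls, frozenset(c.strip().upper() for c in comps.split(",") if c.strip()))


def allowed_mount(client, zone):
    """Return 'rw', 'ro' or None for a remote client mounting a labeled zone's export."""
    if client == zone:
        return "rw"   # label equality: read-write mount permitted
    if client.dominates(zone):
        return "ro"   # client strictly dominates the zone: read-only mount
    return None       # lower or incomparable label: no mount


def decide(client_text, zone_text):
    return allowed_mount(parse_label(client_text), parse_label(zone_text))


if __name__ == "__main__":
    # Constructed client/zone label pairs, including an incomparable pair.
    for client, zone in [("SECRET:ALPHA", "SECRET:ALPHA"),
                         ("SECRET:ALPHA,BRAVO", "SECRET:ALPHA"),
                         ("UNCLASSIFIED", "SECRET"),
                         ("SECRET:ALPHA", "CONFIDENTIAL:BRAVO")]:
        print(f"{client:20} -> {zone:20} {decide(client, zone)}")
```

The last pair is the case worth noting: a higher classification alone does not dominate when the zone holds a compartment the client lacks, so the labels are incomparable and no mount is allowed.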