zonesmanaging zonesin Trusted Extensions This chapter describes how non-global zones work on a system that is configured with Solaris Trusted Extensions. Also included are procedures that are unique to zones in Trusted Extensions.Zones in Trusted Extensions Global Zone Processes and Labeled Zones Zone Administration Utilities in Trusted Extensions Managing Zones (Task Map) global zonedifference from labeled zoneszonesglobalA properly configured Trusted Extensions system consists of a global zone, which is the operating system instance, and one or more labeled non-global zones. During configuration, Trusted Extensions attaches a unique label to each zone, which creates labeled zones. The labels come from the label_encodings file. The administrators can create a zone for each label, but are not required to. It is possible to have more labels than labeled zones on a system. It is not possible to have more labeled zones than labels.directoriesaccessing lower-levelaccessinghome directorieshome directoriesaccessingOn a Trusted Extensions system, the file systems of a zone are usually mounted as a loopback file system (lofs). All writable files and directories in a labeled zone are at the label of the zone. By default, a user can view files that are in a zone at a lower label than the user's current label. This configuration enables users to view their home directories at lower labels than the label of the current workspace. Although users can view files at a lower label, they cannot modify them. Users can only modify files from a process that has the same label as the file.In Trusted Extensions, the global zone is an administrative zone. The labeled zones are for regular users. Users can work in a zone whose label is within the user's accreditation range.Every zone has an associated IP address and security attributes. A zone can be configured with multilevel ports (MLPs). Also, a zone can be configured with a policy for Internet Control Message Protocol (ICMP) broadcasts, such as ping.For information about sharing directories from a labeled zone and about mounting directories from labeled zones remotely, see Chapter 17, Managing and Mounting Files in Trusted Extensions (Tasks).Zones in Trusted Extensions are built on the Solaris zones product. For details, see Part II, Zones, in System Administration Guide: Virtualization Using the Solaris Operating System. In particular, patching and package installation issues affect Trusted Extensions. For details, see Chapter 24, About Packages and Patches on a Solaris System With Zones Installed (Overview), in System Administration Guide: Virtualization Using the Solaris Operating System and Chapter 28, Troubleshooting Miscellaneous Solaris Zones Problems, in System Administration Guide: Virtualization Using the Solaris Operating System.Your initial setup team assigned IP addresses to the global zone and the labeled zones. Three types of configurations are documented in Creating Labeled Zones:The system has one IP address for the global zone and all labeled zones.This configuration is useful on a system that uses DHCP software to obtain its IP address. If no users are expected to log in, an LDAP server might have this configuration. The system has one IP address for the global zone, and one IP address that is shared by all zones, including the global zone. Any zone can have a combination of a unique address and a shared address.This configuration is useful on a system that regular users are going to log in to. It can also be used for a printer or an NFS server. This configuration conserves IP addresses. The system has one IP address for the global zone, and each labeled zone has a unique IP address.This configuration is useful for providing access to separate physical networks of single-level systems. Typically, each zone would have an IP address on a different physical network from the other labeled zones. Because this configuration is implemented with a single IP instance, the global zone controls the physical interfaces and manages global resources, such as the route table. With the introduction of exclusive IP instances for a non-global zone, a fourth type of configuration is available in the Solaris OS. In the Solaris Express Community Edition, a non-global zone can be assigned its own IP instance and manage its own physical interfaces. In this configuration, each zone operates as if it is a distinct system. For a description, see Zone Network Interfaces in System Administration Guide: Virtualization Using the Solaris Operating System.However, in such a configuration, each labeled zone operates as if it is a distinct single-labeled system. The multilevel networking features of Trusted Extensions rely on features of a shared IP stack. Administration procedures in Trusted Extensions assume that networking is controlled entirely by the global zone. Therefore, if your initial setup team has installed labeled zones with exclusive IP instances, you must provide or refer to site-specific documentation. By default, a zone cannot send packets to and receive packets from any other zone. Multilevel ports (MLPs) enable particular services on a port to accept requests within a range of labels or from a set of labels. These privileged services can reply at the label of the request. For example, you might want to create a privileged web browser port that can listen at all labels, but whose replies are restricted by label. By default, labeled zones have no MLPs.The range of labels or set of labels that constrains the packets that the MLP can accept is based on the zone's IP address. The IP address is assigned a remote host template in the tnrhdb database. The label range or set of labels in the remote host template constrains the packets that the MLP can accept.The constraints on MLPs for different IP address configurations are as follows: On a system where the global zone has an IP address and each labeled zone has a unique IP address, an MLP for a particular service can be added to every zone. For example, the system could be configured so that the ssh service, over TCP port 22, is an MLP in the global zone and in every labeled zone. In a typical configuration, the global zone is assigned one IP address and labeled zones share a second IP address with the global zone. When an MLP is added to a shared interface, the service packet is routed to the labeled zone where the MLP is defined. The packet is accepted only if the remote host template for the labeled zone includes the label of the packet. If the range is ADMIN_LOW to ADMIN_HIGH, then all packets are accepted. A narrower range would discard packets that are not within the range.At most, one zone can define a particular port to be an MLP on a shared interface. In the preceding scenario, where the ssh port is configured as a shared MLP in a non-global zone, no other zone can receive ssh connections on the shared address. However, the global zone could define the ssh port as a private MLP for receipt of connections on its zone-specific address. On a system where the global zone and the labeled zones share an IP address, an MLP for the ssh service could be added to one zone. If the MLP for ssh is added to the global zone, then no labeled zone can add an MLP for the ssh service. Similarly, if the MLP for the ssh service is added to a labeled zone, then the global zone cannot be configured with an ssh MLP. For an example of adding MLPs to labeled zones, see Example 19–16. Networks transmit broadcast messages and send ICMP packets to systems on the network. On a multilevel system, these transmissions could flood the system at every label. By default, the network policy for labeled zones requires that ICMP packets be received only at the matching label. In Trusted Extensions, MAC policy applies to all processes, including processes in the global zone. Processes in the global zone run at the label ADMIN_HIGH. When files from a global zone are shared, they are shared at the label ADMIN_LOW. Therefore, because MAC prevents a higher-labeled process from modifying a lower-level object, the global zone usually cannot write to an NFS-mounted system.However, in a limited number of cases, actions in a labeled zone can require that a global zone process modify a file in that zone.To enable a global zone process to mount a remote file system with read/write permissions, the mount must be under the zone path of the zone whose label corresponds to that of the remote file system. But it must not be mounted under that zone's root path.The mounting system must have a zone at the identical label as the remote file system. The system must mount the remote file system under the zone path of the identically labeled zone.The system must not mount the remote file system under the zone root path of the identically labeled zone Consider a zone that is named public at the label PUBLIC. The zone path is /zone/public/. All directories under the zone path are at the label PUBLIC, as in:/zone/public/dev /zone/public/etc /zone/public/home/username /zone/public/root /zone/public/usrOf the directories under the zone path, only files under /zone/public/root are visible from the public zone. All other directories and files at the label PUBLIC are accessible only from the global zone. The path /zone/public/root is the zone root path.From the perspective of the public zone administrator, the zone root path is visible as /. Similarly, the public zone administrator cannot access a user's home directory in the zone path, /zone/public/home/username directory. That directory is visible only from the global zone. The public zone mounts that directory in the zone root path as /home/username. From the perspective of the global zone, that mount is visible as /zone/public/root/home/username.The public zone administrator can modify /home/username. A global zone process, when files in a user's home directory need to be modified, does not use that path. The global zone uses the user's home directory in the zone path, /zone/public/home/username.Files and directories that are under the zone path, /zone/zonename/, but not under the zone root path, /zone/zonename/root directory, can be modified by a global zone process that runs at the label PUBLIC. Files and directories that are under the zone root path, /zone/public/root, can be modified by the labeled zone administrator. For example, when a user allocates a device in the public zone, a global zone process that runs at the label PUBLIC modifies the dev directory in the zone path, /zone/public/dev. Similarly, when a user saves a desktop configuration, the desktop configuration file is modified by a global zone process in the /zone/public/home/username. Finally, to share files from a labeled zone, the global zone administrator creates the configuration file, dfstab, in the zone path, /zone/public/etc/dfs/dfstab. A labeled zone administrator cannot access that file, and cannot share files from the labeled zone. To share a labeled directory, see How to Share Directories From a Labeled Zone. Some zone administration tasks can be performed from the command line. However, the simplest way to administer zones is to use the GUIs that Trusted Extensions provides:The configuration of zone security attributes is performed by using the Trusted Network Zones tool in the Solaris Management Console. For a description of the tool, see Trusted Network Zones Tool. For examples of zone configuration and creation, see Chapter 4, Configuring Trusted Extensions (Tasks) and How to Create a Multilevel Port for a Zone. administeringzones from Trusted JDSzonesadministering from Trusted JDSfiles/usr/sbin/txzonemgrscripts/usr/sbin/txzonemgr/usr/sbin/txzonemgr scriptThe shell script, /usr/sbin/txzonemgr, provides a menu-based wizard for creating, installing, initializing, and booting zones. If you are administering zones from Solaris Trusted Extensions (GNOME), use the txzonemgr script rather than Trusted CDE actions. txzonemgr uses the zenity command. For details, see the zenity1 man page. In Trusted CDE, the configuration and creation of zones can be performed by using actions in the Trusted_Extensions folder. For a description of the actions, see Trusted CDE Actions. For procedures that use the actions, see How to Start CDE Administrative Actions in Trusted Extensions. Managing Zones (Task Map) tasks and task mapsManaging Zones (Task Map) zonesadministering administeringzones The following task map describes zone management tasks that are specific to Trusted Extensions. The map also points to common procedures that are performed in Trusted Extensions just as they are performed on a Solaris system.Task Description For Instructions View all zones. At any label, views the zones that are dominated by the current zone. How to Display Ready or Running Zones View mounted directories. At any label, views the directories that are dominated by the current label. How to Display the Labels of Mounted Files Enable regular users to view an /etc file. Loopback mounts a directory or file from the global zone that is not visible by default in a labeled zone. How to Loopback Mount a File That Is Usually Not Visible in a Labeled Zone Prevent regular users from viewing a lower-level home directory from a higher label. By default, lower-level directories are visible from higher-level zones. When you disable the mounting of one lower-level zone, you disable all mounts of lower-level zones. How to Disable the Mounting of Lower-Level Files Configure a zone to enable the changing of the labels on files. Labeled zones have limited privileges. By default, labeled zones do not have the privilege that enables an authorized user to relabel a file. You modify the zone configuration to add the privilege. How to Enable Files to be Relabeled From a Labeled Zone Move a file or directory into or out of a labeled zone. Changes a file or directory's level of security by changing its label. How to Move Files Between Labels in Trusted CDE in Solaris Trusted Extensions User’s Guide Attach a ZFS dataset to a labeled zone and share it. Mounts a ZFS dataset with read/write permissions in a labeled zone and shares the dataset read-only with a higher zone. How to Share a ZFS Dataset From a Labeled Zone. Configure a new zone. Creates a zone at a label that is not currently being used to label a zone on this system. See Name and Label the Zone.Then, follow the procedure that the initial setup team used to create the other zones. For the steps, see Creating Labeled Zones. Create a multilevel port for an application. Multilevel ports are useful for programs that require a multilevel feed into a labeled zone. How to Configure a Multilevel Port for NFSv3 Over udpHow to Create a Multilevel Port for a Zone Troubleshoot NFS mount and access problems. Debugs general access issues for mounts and possibly for zones. How to Troubleshoot Mount Failures in Trusted Extensions Remove a labeled zone. Completely removes a labeled zone from the system. How to Remove a Non-Global Zone in System Administration Guide: Virtualization Using the Solaris Operating System zonesdisplaying statusdisplayingstatus of every zoneThis procedure creates a shell script that displays the labels of the current zone and all zones that the current zone dominates. You must be in the System Administrator role in the global zone. Use the trusted editor to create the getzonelabels script.For details, see How to Edit Administrative Files in Trusted Extensions.Provide the pathname to the script, such as /usr/local/scripts/getzonelabels. filesgetzonelabelsscriptsgetzonelabelsgetzonelabels script/usr/local/scripts/getzonelabels scriptAdd the following content, and save the file:#!/bin/sh # echo "NAME\t\tSTATUS\t\tLABEL" echo "====\t\t======\t\t=====" myzone=`zonename` for i in `/usr/sbin/zoneadm list -p` ; do zone=`echo $i | cut -d ":" -f2` status=`echo $i | cut -d ":" -f3` path=`echo $i | cut -d ":" -f4` if [ $zone != global ]; then if [ $myzone = global ]; then path=$path/root/tmp else path=$path/export/home fi fi label=`/usr/bin/getlabel -s $path |cut -d ":" -f2-9` if [ `echo $zone|wc -m` -lt 8 ]; then echo "$zone\t\t$status\t$label" else echo "$zone\t$status\t$label" fi done Test the script in the global zone.# getzonelabels NAME STATUS LABEL ==== ====== ===== global running ADMIN_HIGH needtoknow running CONFIDENTIAL : NEED TO KNOW restricted ready CONFIDENTIAL : RESTRICTED internal running CONFIDENTIAL : INTERNAL public running PUBLICWhen run from the global zone, the script displays the labels of all ready or running zones. Here is the global zone output for the zones that were created from the default label_encodings file: In the following example, a user runs the getzonelabels script in the internal zone.# getzonelabels NAME STATUS LABEL ==== ====== ===== internal running CONFIDENTIAL : INTERNAL public running PUBLIC filesaccessing from dominating labels This procedure creates a shell script that displays the mounted file systems of the current zone. When run from the global zone, the script displays the labels of all mounted file systems in every zone. You must be in the System Administrator role in the global zone. Use the trusted editor to create the getmounts script.For details, see How to Edit Administrative Files in Trusted Extensions.Provide the pathname to the script, such as /usr/local/scripts/getmounts. filesgetmountsscriptsgetmountsgetmounts script/usr/local/scripts/getmounts scriptAdd the following content and save the file:#!/bin/sh # for i in `/usr/sbin/mount -p | cut -d " " -f3` ; do /usr/bin/getlabel $i done Test the script in the global zone.# /usr/local/scripts/getmounts /: ADMIN_LOW /dev: ADMIN_LOW /kernel: ADMIN_LOW /lib: ADMIN_LOW /opt: ADMIN_LOW /platform: ADMIN_LOW /sbin: ADMIN_LOW /usr: ADMIN_LOW /var/tsol/doors: ADMIN_LOW /zone/needtoknow/export/home: CONFIDENTIAL : NEED TO KNOW /zone/internal/export/home: CONFIDENTIAL : INTERNAL USE ONLY /zone/restricted/export/home: CONFIDENTIAL : RESTRICTED /proc: ADMIN_LOW /system/contract: ADMIN_LOW /etc/svc/volatile: ADMIN_LOW /etc/mnttab: ADMIN_LOW /dev/fd: ADMIN_LOW /tmp: ADMIN_LOW /var/run: ADMIN_LOW /zone/public/export/home: PUBLIC /root: ADMIN_LOW displayinglabels of file systems in labeled zone labelsdisplaying labels of file systems in labeled zone zonesdisplaying labels of file systems When run from a labeled zone by a regular user, the getmounts script displays the labels of all the mounted file systems in that zone. On a system where zones are created for every label in the default label_encodings file, the following is the output from the restricted zone:# /usr/local/scripts/getmounts /: CONFIDENTIAL : RESTRICTED /dev: CONFIDENTIAL : RESTRICTED /kernel: ADMIN_LOW /lib: ADMIN_LOW /opt: ADMIN_LOW /platform: ADMIN_LOW /sbin: ADMIN_LOW /usr: ADMIN_LOW /var/tsol/doors: ADMIN_LOW /zone/needtoknow/export/home: CONFIDENTIAL : NEED TO KNOW /zone/internal/export/home: CONFIDENTIAL : INTERNAL USE ONLY /proc: CONFIDENTIAL : RESTRICTED /system/contract: CONFIDENTIAL : RESTRICTED /etc/svc/volatile: CONFIDENTIAL : RESTRICTED /etc/mnttab: CONFIDENTIAL : RESTRICTED /dev/fd: CONFIDENTIAL : RESTRICTED /tmp: CONFIDENTIAL : RESTRICTED /var/run: CONFIDENTIAL : RESTRICTED /zone/public/export/home: PUBLIC /home/gfaden: CONFIDENTIAL : RESTRICTED filesloopback mountingmountingfiles by loopback mountingThis procedure enables a user in a specified labeled zone to view files that are not exported from the global zone by default. You must be in the System Administrator role in the global zone. Halt the zone whose configuration you want to change.# zoneadm -z zone-name halt Loopback mount a file or directory.For example, enable ordinary users to view a file in the /etc directory.# zonecfg -z zone-name add filesystem set special=/etc/filename set directory=/etc/filename set type=lofs add options [ro,nodevices,nosetuid] end exitCertain files are not used by the system, so that loopback mounting them has no effect. For example, the /etc/dfs/dfstab file in a labeled zone is not checked by Trusted Extensions software. For more information, see Sharing Files From a Labeled Zone. Start the zone.# zoneadm -z zone-name boot In this example, the security administrator wants to enable testers and programmers to check that their local passwords are set. After the sandbox zone is halted, it is configured to loopback mount the passwd file. Then, the zone is restarted.# zoneadm -z sandbox halt # zonecfg -z sandbox add filesystem set special=/etc/passwd set directory=/etc/passwd set type=lofs add options [ro,nodevices,nosetuid] end exit # zoneadm -z sandbox boot restrictingaccess to lower-level files restrictingmounts of lower-level files filespreventing access from dominating labels protectingfiles at lower labels from being accessed net_mac_aware privilege By default, users can view lower-level files. Remove the net_mac_aware privilege to prevent the viewing of all lower-level files from a particular zone. For a description of the net_mac_aware privilege, see the privileges5 man page. You must be in the System Administrator role in the global zone. Halt the zone whose configuration you want to change.# zoneadm -z zone-name halt Configure the zone to prevent the viewing of lower-level files.Remove the net_mac_aware privilege from the zone.# zonecfg -z zone-name set limitpriv=default,!net_mac_aware exit Restart the zone.# zoneadm -z zone-name boot In this example, the security administrator wants to prevent users on one system from being confused. Therefore, users can only view files at the label at which the users are working. So, the security administrator prevents the viewing of all lower-level files. On this system, users cannot see publicly available files unless they are working at the PUBLIC label. Also, users can only NFS mount files at the label of the zones.# zoneadm -z restricted halt # zonecfg -z restricted set limitpriv=default,!net_mac_aware exit # zoneadm -z restricted boot# zoneadm -z needtoknow halt # zonecfg -z needtoknow set limitpriv=default,!net_mac_aware exit # zoneadm -z needtoknow boot# zoneadm -z internal halt # zonecfg -z internal set limitpriv=default,!net_mac_aware exit # zoneadm -z internal bootBecause PUBLIC is the lowest label, the security administrator does not run the commands for the PUBLIC zone. datasetsZFS mountingZFS dataset on labeled zone ZFSadding dataset to labeled zone ZFSmounting dataset read-write on labeled zone sharingZFS dataset from labeled zone In this procedure, you mount a ZFS dataset with read/write permissions in a labeled zone. Because all commands are executed in the global zone, the global zone administrator controls the addition of ZFS datasets to labeled zones.At a minimum, the labeled zone must be in the ready state to share a dataset. The zone can be in the running state. To configure the zone with the dataset, you first halt the zone. Create the ZFS dataset.# zfs create datasetdir/subdirThe name of the dataset can include a directory, such as zone/data. In the global zone, halt the labeled zone.# zoneadm -z labeled-zone-name halt Set the mount point of the dataset.# zfs set mountpoint=legacy datasetdir/subdirSetting the ZFS mountpoint property sets the label of the mount point when the mount point corresponds to a labeled zone. Add the dataset to the zone as a file system.# zonecfg -z labeled-zone-name # zonecfg:labeled-zone-name> add fs # zonecfg:labeled-zone-name:dataset> set dir=/subdir # zonecfg:labeled-zone-name:dataset> set special=datasetdir/subdir # zonecfg:labeled-zone-name:dataset> set type=zfs # zonecfg:labeled-zone-name:dataset> end # zonecfg:labeled-zone-name> exitBy adding the dataset as a file system, the dataset is mounted at /data in the zone before the dfstab file is interpreted. This step ensures that the dataset is not mounted before the zone is booted. Specifically, the zone boots, the dataset is mounted, then the dfstab file is interpreted. Share the dataset.Add an entry for the dataset file system to the /zone/labeled-zone-name/etc/dfs/dfstab file. This entry also uses the /subdir pathname.share -F nfs -d "dataset-comment" /subdir Boot the labeled zone.# zoneadm -z labeled-zone-name bootWhen the zone is booted, the dataset is mounted automatically as a read/write mount point in the labeled-zone-name zone with the label of the labeled-zone-name zone. accessingZFS dataset mounted in lower-level zone from higher-level zone ZFSviewing mounted dataset read-only from higher-level zone In this example, the administrator adds a ZFS dataset to the needtoknow zone and shares the dataset. The dataset, zone/data, is currently assigned to the /mnt mount point. Users in the restricted zone can view the dataset.First, the administrator halts the zone.# zoneadm -z needtoknow haltBecause the dataset is currently assigned to a different mount point, the administrator removes the previous assignment, then sets the new mount point.# zfs set zoned=off zone/data # zfs set mountpoint=legacy zone/dataNext, in the zonecfg interactive interface, the administrator explicitly adds the dataset to the needtoknow zone.# zonecfg -z needtoknow # zonecfg:needtoknow> add fs # zonecfg:needtoknow:dataset> set dir=/data # zonecfg:needtoknow:dataset> set special=zone/data # zonecfg:needtoknow:dataset> set type=zfs # zonecfg:needtoknow:dataset> end # zonecfg:needtoknow> exitNext, the administrator modifies the /zone/needtoknow/etc/dfs/dfstab file to share the dataset, then boots the needtoknow zone.## Global zone dfstab file for needtoknow zone share -F nfs -d "App Data on ZFS" /data# zoneadm -z needtoknow bootThe dataset is now accessible.Users in the the restricted zone, which dominates the needtoknow zone, can view the mounted dataset by changing to the /data directory. They use the full path to the mounted dataset from the perspective of the global zone. In this example, machine1 is the host name of the system that includes the labeled zone. The administrator assigned this host name to a non-shared IP address.# cd /net/machine1/zone/needtoknow/root/data troubleshootingviewing ZFS dataset mounted in lower-level zoneIf the attempt to reach the dataset from the higher label returns the error not found or No such file or directory, the administrator must restart the automounter service by running the svcadm restart autofs command. filesrelabeling privilegesThis procedure is a prerequisite for a user to be able to relabel files. You must be in the Security Administrator role in the global zone. Halt the zone whose configuration you want to change.# zoneadm -z zone-name halt Configure the zone to enable relabeling.Add the appropriate privileges to the zone. The windows privileges enable users to use drag-and-drop and cut-and-paste operations.To enable downgrades, add the file_downgrade_sl privilege to the zone.# zonecfg -z zone-name set limitpriv=default,win_dac_read,win_mac_read,win_dac_write, win_mac_write,win_selection,file_downgrade_sl exit To enable upgrades, add the sys_trans_label and file_upgrade_sl privileges to the zone.# zonecfg -z zone-name set limitpriv=default,win_dac_read,win_mac_read,win_dac_write, win_mac_write,win_selection,sys_trans_label,file_upgrade_sl exit To enable both upgrades and downgrades, add all three privileges to the zone.# zonecfg -z zone-name set limitpriv=default,win_dac_read,win_mac_read,win_dac_write, win_mac_write,win_selection,sys_trans_label,file_downgrade_sl, file_upgrade_sl exit Restart the zone.# zoneadm -z zone-name bootFor the user and process requirements that permit relabeling, see the setflabel3TSOL man page. To authorize a user to relabel files, see How to Enable a User to Change the Security Level of Data. In this example, the security administrator wants to enable authorized users on a system to upgrade files. By enabling users to upgrade information, the administrator enables them to protect the information at a higher level of security. In the global zone, the administrator runs the following zone administration commands.# zoneadm -z internal halt # zonecfg -z internal set limitpriv=default,sys_trans_label,file_upgrade_sl exit # zoneadm -z internal bootAuthorized users can now upgrade internal information to restricted from the internal zone. In this example, the security administrator wants to enable authorized users on a system to downgrade files. Because the administrator does not add windows privileges to the zone, authorized users cannot use the File Manager to relabel files. To relabel files, users use the setlabel command.By enabling users to downgrade information, the administrator permits users at a lower level of security to access the files. In the global zone, the administrator runs the following zone administration commands.# zoneadm -z restricted halt # zonecfg -z restricted set limitpriv=default,file_downgrade_sl exit # zoneadm -z restricted bootAuthorized users can now downgrade restricted information to internal or public from the restricted zone by using the setlabel command. Trusted Network Zones toolconfiguring a multilevel portzonescreating MLP for NFSv3multilevel ports (MLPs)example of NFSv3 MLPThis procedure is used to enable NFSv3 read-down mounts over udp. The Solaris Management Console is used to add the MLP. You must be in the Security Administrator role in the global zone. Start the Solaris Management Console.For details, see How to Administer the Local System With the Solaris Management Console. Choose the Files toolbox.The title of the toolbox includes Scope=Files, Policy=TSOL. Configure the zone and the MLP.Navigate to the Trusted Network Zones tool. Double-click the global zone. Add a multilevel port for the UDP protocol:Click Add for the Multilevel Ports for Zone's IP Addresses. Type 2049 for the port number, and click OK. Click OK to save the settings. Close the Solaris Management Console. Update the kernel.# tnctl -fz /etc/security/tsol/tnzonecfg Trusted Network Zones toolcreating a multilevel portzonescreating MLPmultilevel ports (MLPs)example of web proxy MLPThis procedure is used when an application that runs in a labeled zone requires a multilevel port (MLP) to communicate with the zone. In this procedure, a web proxy communicates with the zone. The Solaris Management Console is used to add the MLP. You must be in the Security Administrator role in the global zone. The labeled zone must exist. For details, see Creating Labeled Zones. Start the Solaris Management Console.For details, see How to Administer the Local System With the Solaris Management Console. Choose the Files toolbox.The title of the toolbox includes Scope=Files, Policy=TSOL. Add the proxy host and the webservices host to the list of computers.Under System Configuration, navigate to the Computers and Networks tool. In the Computers tool, click the Action menu and choose Add Computer. Add the host name and IP address for the proxy host. Save the changes. Add the host name and IP address for the webservice host. Save the changes. Configure the zone and the MLP.Navigate to the Trusted Network Zones tool. Select the labeled zone. In the MLP Configuration for Local IP Addresses section, specify the appropriate port/protocol field. Save the changes. For the zone, customize a template by completing the following steps:Navigate to the Security Templates tool.Click the Action menu and choose Add Template. Use the host name for the template name. Specify CIPSO for the Host Type. Use the label of the zone for the Minimum Label and for the Maximum Label. Assign the zone label to the Security Label Set. Select the Hosts Explicitly Assigned tab. In the Add an Entry section, add the IP address that is associated with the zone. Save the changes. Close the Solaris Management Console. Start the zones.# zoneadm -z zone-name boot In the global zone, add routes for the new addresses.For example, if the zones have a shared IP address, do the following:# route add proxy labeled-zones-IP-address # route add webservice labeled-zones-IP-address