By Casper Dik-Oracle on Jul 07, 2015
In Solaris 11.2 we introduced the Immutable Global Zone. Just like the Immutable Zones introduced in Solaris 11/11, it supports three different file-mac-profiles: strict, fixed-configuration and flexible-configuration.
To refresh your memory, these three file-mac-profiles as well as the default value, "none", are described in zonecfg(1m) as follows:
There are currently four supported values for this property: none,
strict, fixed-configuration, and flexible-configuration.
none makes the zone exactly the same as a normal, r/w zone. strict
allows no exceptions to the read-only policy. fixed-configuration
allows the zone to write to files in and below /var, except
directories containing configuration files:
flexible-configuration is equal to fixed-configuration, but allows
writing to files in /etc in addition.
In Solaris 11.3 we are adding a fourth file-mac-profile: dynamic-zones. It should be seen as sitting between fixed-configuration and flexible-configuration.
This particular profile is only valid for the global zone; it allows the administrator to create and destroy non-global zones, kernel zones, etc.
While this is already possible with flexible-configuration, that file-mac-profile also allows much of the system configuration to be changed; with the other profiles, creating or destroying a zone requires using the Trusted Path. The dynamic-zones profile is a compromise: it keeps the rest of the system configuration locked down, yet it allows a user with the proper authorizations to create and destroy zones.
The dynamic-zones profile was targeted specifically at using an immutable global zone on the OpenStack Nova compute nodes.
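As an added illustration (not part of the original post, nor Oracle's own tooling), the script below shows how an administrator might wrap the profile change in a small guard: it validates the requested file-mac-profile value against the five names described above, enforces the post's rule that dynamic-zones is valid only for the global zone, and then applies and re-reads the setting with zonecfg. The `zonecfg -z ZONE set file-mac-profile=...` and `zonecfg -z ZONE info file-mac-profile` invocations, and the `file-mac-profile: NAME` output format they are assumed to print, are assumptions from the zonecfg usage pattern rather than statements in the post; the function names are hypothetical. On a host without zonecfg the script only prints the command it would run.

```shell
#!/bin/sh
# Added example, not from the original post. Guards a file-mac-profile
# change: validates the value, restricts dynamic-zones to the global
# zone (as the post states), then applies and verifies it via zonecfg.

# Return 0 if PROFILE is an acceptable file-mac-profile for ZONE, else 1.
# The five names are the four from zonecfg(1m) plus dynamic-zones.
validate_profile() {
    zone=$1
    profile=$2
    case $profile in
        none|strict|fixed-configuration|flexible-configuration)
            return 0 ;;
        dynamic-zones)
            # Only the global zone may use dynamic-zones.
            [ "$zone" = "global" ] && return 0
            echo "dynamic-zones is only valid for the global zone" >&2
            return 1 ;;
        *)
            echo "unknown file-mac-profile: $profile" >&2
            return 1 ;;
    esac
}

# Read 'zonecfg -z ZONE info file-mac-profile' output on stdin
# (assumed format: "file-mac-profile: NAME") and print just NAME.
parse_profile_info() {
    sed -n 's/^file-mac-profile:[[:space:]]*//p'
}

# Apply PROFILE to ZONE and confirm the stored value matches.
# Without zonecfg on the host (e.g. when run off-Solaris) print a dry run.
set_profile() {
    zone=$1
    profile=$2
    validate_profile "$zone" "$profile" || return 1
    if ! command -v zonecfg >/dev/null 2>&1; then
        echo "dry-run: zonecfg -z $zone set file-mac-profile=$profile"
        return 0
    fi
    # Assumed zonecfg syntax; verify against zonecfg(1m) on your release.
    zonecfg -z "$zone" set file-mac-profile="$profile" || return 1
    current=$(zonecfg -z "$zone" info file-mac-profile | parse_profile_info)
    [ "$current" = "$profile" ]
}
```

A typical call is `set_profile global dynamic-zones`; requesting `set_profile myzone dynamic-zones` is refused before zonecfg is ever invoked, which is the check a compute-node provisioning script would want so that a non-global zone is never handed a profile the kernel will reject.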