Maintaining Zone Labels as ZFS Attributes
By Glenn Faden-Oracle on Dec 09, 2008
In Trusted Extensions each zone has a unique sensitivity label which is maintained as an entry in the tnzonecfg database. Since ZFS is used to instantiate zones, each zone also has a unique dataset. When the zone is started by zoneadm, its dataset is mounted according to the pathname assigned to it when the zone was created. This mount point is maintained as a ZFS attribute of the dataset. The zone's label is associated with its mount point label, which is determined by comparing its pathname to the root pathname of the currently active zones. So there is no automatic facility to determine the label of the zone's dataset until the zone's attributes are loaded into the kernel by zoneadm.
However, we can implement a means to display the label, even when the zone is not active, by assigning the label value as a ZFS attribute. The convention for naming such attributes is to include a colon in the name, so I've named the attribute mls:label. To assign labels to these datasets automatically, you need to modify the txzonemgr shell script. There are three functions in this shell script, install(), clone(), and copy(), where zone datasets are created. In each of these functions I added the following line at the end of the function, after the corresponding zoneadm operation completes:
/usr/sbin/zfs set mls:label="$curlabel" $ZDSET/$zonename
The value $curlabel contains the string that is assigned by the menu item Select Label, so it is necessary to perform that step before selecting Install, Clone, or Copy.
The value $ZDSET is automatically determined, and $zonename is set when you name your zone. If you are running OpenSolaris, or Solaris 10 update 6 (or newer) with ZFS as your root filesystem, then $ZDSET is rpool/zones. Otherwise it is simply zone.
Once your datasets are created, you can view all their labels and their corresponding mount points with this command:
zfs list -ro mountpoint,mls:label $ZDSET
In the above command, please substitute the appropriate value for $ZDSET. The -ro parameter combines -r (recursive) with -o (which selects the properties to display); it does not mean read-only.
The output should look like this:
/zone/internal CONFIDENTIAL : INTERNAL USE ONLY
/zone/needtoknow CONFIDENTIAL : NEED TO KNOW
Note that these attributes can only be changed by a root process in the global zone, and are inaccessible from within the labeled zones.
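An added example, not part of the original post or of txzonemgr: a small audit that reads the same listing in scripted form (-H prints tab-separated fields without a header, and the dataset name is added as a column) and reports zone datasets that have no mls:label or that share a label with another zone. The function names and the dataset names legacy and copy1 are assumptions, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: audit the mls:label user property on zone datasets.
# Input (stdin): tab-separated lines as printed by
#   zfs list -H -ro name,mountpoint,mls:label "$ZDSET"
# ZFS prints "-" for a user property that is not set.

# audit_zone_labels PARENT
# Prints "UNLABELED<TAB>dataset" for a zone dataset with no label and
# "DUPLICATE<TAB>dataset<TAB>same label as other" when two zones share one.
audit_zone_labels() {
    awk -F '\t' -v parent="$1" '
        # Skip the container dataset itself and anything outside it.
        index($1, parent "/") != 1 { next }
        # Keep only direct children: one dataset per zone. Deeper
        # descendants inherit the user property from the zone dataset.
        { rest = substr($1, length(parent) + 2) }
        rest == "" || index(rest, "/") { next }
        $3 == "-" || $3 == "" { print "UNLABELED\t" $1; next }
        ($3 in seen) { print "DUPLICATE\t" $1 "\tsame label as " seen[$3]; next }
        { seen[$3] = $1 }
    '
}

# Constructed sample listing (not real output). "legacy" stands for a zone
# created before txzonemgr was modified; "copy1" for a zone copied without
# choosing a new label first.
sample_listing() {
    printf '%s\t%s\t%s\n' \
        'rpool/zones' '/zone' '-' \
        'rpool/zones/internal' '/zone/internal' 'CONFIDENTIAL : INTERNAL USE ONLY' \
        'rpool/zones/internal/ROOT' '/zone/internal/root' 'CONFIDENTIAL : INTERNAL USE ONLY' \
        'rpool/zones/needtoknow' '/zone/needtoknow' 'CONFIDENTIAL : NEED TO KNOW' \
        'rpool/zones/legacy' '/zone/legacy' '-' \
        'rpool/zones/copy1' '/zone/copy1' 'CONFIDENTIAL : NEED TO KNOW'
}

# Live use, as root in the global zone:
#   zfs list -H -ro name,mountpoint,mls:label "$ZDSET" | audit_zone_labels "$ZDSET"
sample_listing | audit_zone_labels rpool/zones
```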