Some Issues with Network Auto-Magic in OpenSolaris 2008.11

The instructions for Running Trusted Extensions in OpenSolaris 2008.11 don't include anything about configuring the network. I previously posted a blog entry Updated Laptop Configuration Instructions which is a bit out of date and confusing since Solaris 10, Nevada, and OpenSolaris are each a bit different. You can still follow these network instructions with OpenSolaris 2008.11, but use the new laptop instructions for the initial installation.

An improved NWAM version, 0.5, is included in this release, but there is an issue with launching the associated nwam-manager with Trusted Extensions. This program is supposed to be started via the launcher /etc/xdg/autostart/nwam-manager.desktop at login, but the TX session logic isn't doing this. As a workaround, add the following line to /usr/dt/config/Xinitrc.tjds, after the existing workaround to set the PATH environment at line 57:

/usr/lib/nwam-manager&

You can still use the NWAM scripts included in this tar file, but you will need to add an entry to /etc/security/tsol/tnrhdb to assign a label to each OpenSolaris repository. Assuming your repository is pkg.opensolaris.org,  you should do the following:

# tninfo -h pkg.opensolaris.org

IP address= 72.5.123.21

Template = public

If the entry is not already admin_low, do this:

# tnctl -h 72.5.123.21:admin_low

Then add the following line to the end of /etc/security/tsol/tnrhdb

72.5.123.21:admin_low

The nwam-manager will be automatically started on the next login, and the Package Manager, and txzonemgr should both be able to install packages from the repositories via the global zone. However, labeled zones cannot currently install their own packages. If you need to install additional packages in your zones, there a few workarounds:

Edit the file /usr/lib/brand/labeled/pkgcreatezone and add the extra packages to $pkglist variable , following this convention:

pkglist="$pkglist SUNWnfsc SUNWatfs"

or you can run the pkg(1) command by hand in the global zone, specifying the zone's root path with the -R option set to something like /zone/public/root. Currently, there is no way to specify the destination directory pathname using the Package Manager GUI.



Comments:

Post a Comment:
  • HTML Syntax: NOT allowed
About

This blog explores some of the security features of Oracle Solaris. In particular, topics such as Role-Based Access Control and Labeled Security are my special interests.

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today
Bookmarks