Glenn Faden's Blog

  • December 9, 2008

Maintaining Zone Labels as ZFS Attributes

Guest Author

In Trusted Extensions each zone has a unique sensitivity label which is maintained as an entry in the tnzonecfg database. Since ZFS is used to instantiate zones, each zone also has a unique dataset. When the zone is started by  zoneadm, its dataset is mounted according to the pathname assigned to it when the zone was created.  This mount point is maintained as a ZFS attribute of the dataset. The zone's label is associated with its mount point label, which is determined by comparing its pathname to the root pathname of the currently active zones. So there is no automatic facility to determine the label of the zone's dataset until the zone's attributes are loaded into the kernel by zoneadm.

However, we can implement a means to display the label, even when the zone is not active, by assigning the label value as a ZFS attribute. The convention for naming such attributes is to use a colon in its name, so I've named the attribute mlslabel. In order to automatically assign labels to these datasets, you need to modify the txzonemgr shell script. There are three functions in this shell script, install(), clone(), and copy() where zone datasets are created. In each of these functions I added the following one line at the end of the function, after the corresponding zoneadm operation completes:

 /usr/sbin/zfs set mlslabel="$curlabel" \\ $ZDSET/$zonename

The value $curlabel contains the string that is assigned by the menu item Select Label , so it is necessary to perform that step before selecting Install, Clone, or Copy.

The value $ZDSET is automatically determined, and $zonename is set when you name your zone. If you are running OpenSolaris, or Solaris 10 update 6 (or newer) with ZFS as your root filesystem, then $ZDSET is rpool/zones. Otherwise it is simply zone.

Once your datasets are created, you can view all their labels and their corresponding mount points with this command:

zfs list -ro mountpoint,mlslabel $ZDSET

In the above command, please substitute the appropriate value for $ZDSET. The -ro parameter specifies a recursive option, not read-only.

The output should look like this:


/zone                ADMIN_HIGH

/zone/public         PUBLIC


/zone/needtoknow     CONFIDENTIAL : NEED TO KNOW

Note that these attributes can only be changed by a root process in the global zone, and are inaccessible from within the labeled zones.

Join the discussion

Comments ( 1 )
  • Christoph Schuba Thursday, December 11, 2008

    Thanks for posting this, Glenn. Excellent contribution. The question how to do this just came up at the Virtualization Security workshop at the 24th Annucal Computer Security Applications Conference here in Anaheim, CA, when I presented MLS in the context of Solaris and OpenSolaris. Very timely.


Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.