Glenn Faden's Blog

  • July 19, 2008

Running Trusted Extensions with opensolaris.2008.05

Guest Author

When the LiveCD for opensolaris was released last May there was no support for Trusted Extensions. We've made some progress, and I'm happy to report that I am posting this blog in a labeled zone running opensolaris. There are workarounds for the zone installation, X11 remote connections, and desktop login, which are all temporary until the underlying bugs are fixed.

This week the repository at http://pkg.opensolaris.org  was updated to contain packages based on Nevada build 93. This is being referred to as opensolaris.2008.11 since we are targeting the next release in November. There are posted directions for upgrading the pkg software for this build, and then doing a complete pkg image-update. I tried this, but I was not able to install any zones with the new pkg software. So I came up with my own procedure. Instead of doing a complete pkg image-update, start by installing the 2008.05 LiveCD.

Make sure that the entry for root in /etc/user_attr does NOT specify type=role.

Then do the following:

# pkg refresh --full
# pkg install SUNWts@0.5.11,5.11-0.93
# pkg install SUNWtsg SUNWxorg-tsol-module

# pkg install SUNWtgnome–tstripe SUNWtgnome–tsoljdsselmgr SUNWtgnome–tsoljdslabel SUNWtgnome–tsoljdsdevmgr SUNWtgnome–xagent
# pkg install SUNWgnome-file-mgr@0.5.11-0.93
# pkg install SUNWgnome-wm@0.5.11-0.93

This will get you the subset of updated and new packages required to run Trusted Extensions. Next you should download and install a set of files which specify a new labeled zone brand. Extract the tar file into /usr/lib/brand. The labeled brand needs to be specified in the default template, so edit the file /etc/zones/SUNWtsoldef.xml to specify that brand:

 <zone name="tsoldef" zonepath="" autoboot="true" brand="labeled" >

It is necessary to enable TCP connections to the X11 server. This must be specified for gdm and well as Xorg. To configure the gdm property, run the gdmsetup GUI. Select the Security tab, and uncheck the setting for Deny TCP connection to Xserver. Then run the following command:

# svccfg -s x11-server setprop options/tcp_listen=true 

There is another problem with argument passing between gdm and tsoljdslabel, which requires some fiddling. First do the following:

# cd /usr/bin

# mv tsoljdslabel tsoljdslabel.orig

Next create an executable shell script named tsoljdslabel with the following contents:

/usr/bin/tsoljdslabel.orig /etc/dt/config/Xinitrc.tjds

Now do the following:

# mkdir -p /etc/dt/config

# cp /usr/dt/config/Xinitrc.tjds /etc/dt/config

There is another problem where  Xlib misinterprets DISPLAY variables of the form hostname:0. Also, the path for users and roles is too restrictive. The workaround is to edit the file /etc/dt/config/Xinitrc.tjds as follows:

export DISPLAY=
export PATH=/usr/bin:/usr/sbin:/usr/openwin/bin:/usr/X11/bin:/usr/dt/bin:/usr/sfw/bin
echo 'Starting gnome-session'
exec $command

The last workaround is to move the top panel to the bottom to prevent it from being obscured by the screenstripe. To do this, mouse over an empty area in the top panel, and use the right mouse button to bring up the Properties dialog. Change the orientation from Top to Bottom.

To enable Trusted Extensions, do the following:

# svccfg import /var/svc/manifest/system/labeld.xml

# svcadm enable -s labeld

# reboot

If you were very careful, you should be able to login as root. Do not specify a session type since you can only run a Trusted JDS session. Now create your zones using the txzonemgr. Since all filesystems are using zfs, you should not create a zpool for zones. A dataset for each zone will be created automatically.

Currently the Solaris Management Console is not included in the repository, so you will need to create users and roles with other commands. Once you get this working, you may want to install the NWAM configuration files I discussed in the previous posting, Updated Laptop Configuration Instructions.

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.