Towards Running Trusted Extension with OpenSolaris 2008.11
By user9159837 on Sep 16, 2008
This blog entry is related to the one that Glenn Faden published recently, entitled "Running Trusted Extensions with opensolaris.2008.05". I updated Glenn's posting to describe how to get Trusted Extensions running on the OpenSolaris 2008.11 distribution. The release 2008.11 is scheduled for November this year, hence the name...
Now, since that's not actually out yet, I am starting with the OpenSolaris 2008.05 distribution and am moving to the OpenSolaris development build 97. I will update this blog as newer builds integrate some of the work-arounds described below, to keep the instructions minimal and as simple as possible. Whenever I know the build number for which the fix is expected, I will add them to the text below.
I started with the Live CD of OpenSolaris 2008.05 and installed it on a Sony Vaio laptop, vanilla model VGN-SZ645P4, upgraded to 4GB of RAM.
I also repeated the following instructions inside of Sun's type-2 hypervisor xVM VirtualBox, i.e., not directly on the hardware. I used the slightly updated respin of OpenSolaris 2008.05 BTS (Back to School) Edition rather than vanilla OpenSolaris 2008.05. I am happy to report that everything works as expected. Soooo, since that combination worked, chance are the other two, simpler combinations (2008.05 inside vbox or 2005.05.BTS on the hardware) are going to work, too. Please let me know if you succeed.
Step 0: Install OpenSolaris 2008.05 from the live CD.
The installation process let's you create a user account that by default has the authorization to assume the root role. By default, in OpenSolaris there is no longer a root account, only a root role! If you are not familiar with role-based access control (RBAC) in (Open)Solaris, you can read up on it at on the OpenSolaris RBAC pages. You can also safely proceed with the instructions below. They contain what you need to know.
Step 1: Upgrade to OpenSolaris development build 97.
Log in as the user, open a terminal, then upgrade to build 97 using the following instructions. You cannot directly use the pkg image-update command before build 93. Refer to the announcement for details, if you are interested. Here are the instructions how to upgrade your system from build 86 (OpenSolaris 2008.05) to build 97.
$ pfexec pkg refresh $ pfexec pkg install SUNWipkg@0.5.11-0.86 $ pfexec pkg install firstname.lastname@example.org
If you are using the Back to School editon of 2008.05, the second command may come back reporting that there is nothing to install. That's OK - the 2008.05 respin contains slightly newer build 86 packages.
The next step is to choose the name of a new BE. Let's call it opensolaris-97tx.
Execute the following sequence of commands to create, mount and update the new BE
$ pfexec beadm create opensolaris-97tx $ mkdir /tmp/mnt$$ $ pfexec beadm mount opensolaris-97tx /tmp/mnt$$ $ pfexec pkg -R /tmp/mnt$$ image-update
Because we are running build 86, the following step is required as a work-around for a known libbe bug (based on OpenSolaris Bug# 1979 libbe: be_activate needs to run installgrub.)
Due to changes in the GRUB boot system, one must manually update the Master Boot Record (MBR) to include these latest changes. Failure to follow these instructions when updating from 2008.05 (build 86) to a later build will result in a system that does not boot by default and instead the original BE must be manually selected. Update the GRUB configuration on your ZFS boot device(s) using
$ pfexec /tmp/mnt$$/boot/solaris/bin/update_grub -R /tmp/mnt$$Unmount and activate the newly created BE
$ pfexec beadm unmount opensolaris-97tx $ pfexec beadm activate opensolaris-97txAt this point, you can boot into the updated BE using reboot(1M) or init(1M) as usual.
Step 2: Change root role to be an account rather than a role.
Next, once the machine has booted into the boot environment solaris-1, log in as a user and make sure the root entry in /etc/user_attr does NOT contain type=role.
Since you are logged in as a user, you will have to assume the root role using su root or will have to run your editor inside a profile shell using e.g., pfexec vi /etc/user_attr . The relevant entry in my /etc/user_attr looks like this:
Then log out and log in as user root.
Step 3: Install the missing Trusted Extensions packages.
Install the missing packages as follows: The instructions below show how to do this interactively in a root shell; you could also use the GUI-based package manager that's accessible via System-Administration->Package Manager.
In my environment, the individual shell-based pkg install commands did occasionally time out. Just retrying succeeded in all instances.
# pkg install SUNWts SUNWtsg SUNWxorg-tsol-module SUNWtgnome–tstripe \\ SUNWtgnome–tsoljdsselmgr SUNWtgnome–tsoljdslabel \\ SUNWtgnome–tsoljdsdevmgr SUNWtgnome–xagent # pkg install SUNWgnomeemail@example.com SUNWgnomefirstname.lastname@example.org
Now you have the updated and new packages that are required to run Trusted Extensions.
Step 4: Configure labeled zones as label-branded zones.
Next, I installed the files that Glenn posted that specify a new labeled zone brand. Download the file labeled_brand.tar into e.g., your local /tmp. then extract the file into usr/lib/brand:
# (cd /tmp; wget http://blogs.sun.com/gfaden/resource/labeled_brand.tar) # (cd /usr/lib/brand; tar -xvf /tmp/labeled_brand.tar)
To specify the labeled brand in the default template, modify the <zone> tag in /etc/zones/SUNWtsoldef.xml to read:
<zone name="tsoldef" zonepath="" autoboot="true" brand="labeled">
Step 5: Enable TCP connections to the X11 server for both gdm and Xorg
(fix expected in build 99)
Configure the gdm property by starting the gdmsetup GUI. Select the Security tab, uncheck the setting for Deny TCP connection to Xserver, then close the GUI. Finally, run the following SMF command to set the Xorg property:
# svccfg -s x11-server setprop options/tcp_listen=true
Step 6: Add workaround for missing domain socket support.
(fix expected in build 99)
Next, you need to fix a problem with argument passing between gdm and tsoljdslabel as follows:
# mkdir -p /etc/dt/config # cp /usr/dt/config/Xinitrc.tjds /etc/dt/config # mv /usr/bin/tsoljdslabel /usr/bin/tsoljdslabel.orig
# cat > /usr/bin/tsoljdslabel<<EOF #!/bin/sh /usr/bin/tsoljdslabel.orig /etc/dt/config/Xinitrc.tjds EOF
# chmod 0755 /usr/bin/tsoljdslabel
There is another problem where Xlib misinterprets DISPLAY variables of the form hostname:0. Also, the path for users and roles is too restrictive. The work-around is to insert the following two export statements into the file /etc/dt/config/Xinitrc.tjds, towards the bottom, as follows. Note that the new PATH assignment is there purely for convenience reasons...
export DISPLAY=127.0.0.1:0 export PATH=/usr/bin:/usr/sbin:/usr/openwin/bin:/usr/X11/bin:\\ /usr/dt/bin:/usr/sfw/bin echo 'Starting gnome-session' exec $command
Step 7: Rearrange window manager panels
The final workaround is to move the top panel to the bottom to prevent it from being obscured by the trusted strip. To do this, move the mouse over an empty area in the top panel, and use the right mouse button to bring up the Properties dialog. Change the orientation from Top to Bottom.
Once you enable Trusted Extensions and you still need to move the gnome panel you can do this my editing the file
Find the xml tag <orientation> and change the associated sub tag <stringvalue> from top to bottom. It takes effect after a restart of gnome. To avoid having to do this editing for your user, log out as root, log in under your user account id, change the location of the gnome panel, then re-log back in as root for the next step.
Step 7: Enable Solaris Trusted Extensions
To enable Trusted Extensions, do the following. Note that the -s flag in svcadm is very important. It forces the SMF actions to execute synchronously, i.e., it forces them to complete before svcadm returns. If you forgot the -s option and rebooted the system too soon, you could end up with a partially configured Trusted Extensions system that would likely hang on the next boot.
# svccfg import /var/svc/manifest/system/labeld.xml # svcadm enable -s labeld # reboot
Step 8: Configure and install TX labeled zones
Once the system come back up, it will boot your new solaris-97tx boot environment. You can now log into the Trusted Gnome desktop as root. Do not specify another session type.
Next, create your zones using the Trusted Extensions zone manager txzonemgr.
Because all filesystems are using ZFS, there is no need to create a zpool for zones. A dataset for each zone will be created automatically.
Start the txzonemgr on the command line and first of all share your network interface among the future zones, selecting "Manage Network Interfaces...", followed by selecting your main network interface, and clicking on "Share".
Next, follow the procedures below to create a total of four non-global zones.
Zonename - Label ------------------------------------------------- public - PUBLIC internal - CONFIDENTIAL: INTERNAL USE ONLY needtoknow - CONFIDENTIAL: NEED TO KNOW restricted - CONFIDENTIAL: RESTRICTED
Create the first zone, called public with label PUBLIC:
- Select "Create a new zone..." and "Enter Zone Name" public.
- Select "Select Label..." and choose label PUBLIC from the list.
- Select "Install...". A window will pop up that informs you of the zone installation progress.
- Confirm the hostname for the system.
- Select "Zone Console..." which pops up a window with the zone console.
- Select "Boot..." and go through the configuration screens for the newly created zone. I usually choose the defaults. If you see a warning about a failed attempt to write to a read-only file system, ignore it.
- Select "Halt..." to halt the zone.
- Select "Create Snapshot", because we want to create the remaining zones as ZFS clones of the first zone.
- Select "Boot".
- Select "Return to Main Menu".
The procedure for creating the subsequent zones is
- Select "Create a new zone..." and "Enter Zone Name" internal.
- Select "Select Label..." and choose label CONFIDENTIAL:INTERNAL USE ONLY from the list.
- Select "Clone" and select the snapshot rpool/zones/internal@snapshot.
- Select "Boot".
Repeat this second procedure until you have all four zones running.
Step 9: Fix user account home directory entry
The home diretory entry in the /etc/passwd file in the global zone needs to be changed to work properly under Trusted Extensions. If your user account is listed as /export/home/foobar, change it to /home/foobar.
Step 10. Work-around for single XSETTINGS manager in the global zone
(integration expected in build 99)
Add to the end of file
gtk-icon-theme-name = "nimbus"
You should now be able to log into your system as a user, assign different labels to the different workspaces, and use your newly configured MLS workspace. Please send us your feedback!