man pages section 1M: System Administration Commands, Oracle Solaris 11 Information Library

tncfg - configure trusted networking properties

Synopsis

    tncfg [-t template] [-e|-S [files|ldap]] [subcommand]
    tncfg [-t template] [-e|-S [files|ldap]] -f command_file
    tncfg -z zone [-e] [subcommand]
    tncfg -z zone [-e] -f command_file
    tncfg help

Description

The tncfg utility creates, modifies, and displays the configuration of various networking properties related to Trusted Extensions. The command requires that the SMF service svc:/system/labeld be enabled. It can be executed only in the global zone.

Templates

A template is a collection of network security properties that define the rules for labeling packets received from remote hosts. Two host types are supported: cipso and unlabeled. Each template must specify one of these two host types. Hosts that are trusted to specify their own labels are assigned to cipso templates. Otherwise, hosts may be assigned to unlabeled templates, in which a single default label must be specified.

Hosts can be specified using hostnames, IP addresses, or masks. When masks are used, a prefix length that specifies how many bits are required for a match must be appended. Hosts cannot be assigned to more than one template. When masks are used, the entry with the longest matching prefix is used to associate a host with a template. Packets from hosts without a matching template are dropped.

Each template must include an upper and lower bound specifying the accreditation range of accepted labels. Additionally, up to four auxiliary labels can be specified to enumerate labels outside of this range. Services bound to multilevel ports can accept packets from hosts whose labels are within the accreditation range, or match one of the auxiliary labels.

Normally, the template settings and their corresponding hosts are persistently maintained in local files or by means of an LDAP directory, depending on the -S option. These settings are automatically loaded into kernel memory when the user commits the updates. If the -e (ephemeral) option is specified, only the current in-memory properties are displayed and updated. However, the list of hosts associated with an in-memory template is generally incomplete. To view the matching template for a specific host, use the get subcommand.

By default, an unlabeled template, admin_low, is installed with a default label of ADMIN_LOW, and two mask entries matching any IPv4 or IPv6 address, so that the global zone is initially able to contact any unlabeled hosts. It is recommended to remove these two mask entries once your network security policy is established. An additional template, cipso, is installed with no matching hosts. By default all local IP addresses are implicitly associated with this template, but it is recommended that they should be explicitly added to this or a new cipso-type template.

Searches for template and host entries are resolved in the order specified by means of the name service configuration file, /etc/nsswitch.conf. The keywords tnrhdb and tnrhtp are used to specify the search order for hosts and templates, respectively. Both the files and ldap repositories are supported, but it is recommended to specify files first.

Creating or modifying a template requires the authorization solaris.label.network.manage, which is included in the Object Label Management rights profile.

Zones

Zones are isolated execution environments described in zones(5). Trusted Extensions requires a zone brand called labeled to which special properties apply. Each labeled zone must have a unique label property at which it executes processes. This is also the label at which it will accept packets from remote hosts for services bound to single-level ports. Explicit multilevel ports can also be specified. Services with the privilege net_bindmlp can bind to these ports, and accept packets within the accreditation range or the auxiliary label set associated with the remote host.

Non-global zones must be configured using zonecfg(1M) prior to configuring these properties. In general, updates to each zone's properties, including the global zone, are applied when it is booted. However, the multilevel port properties of running zones are reloaded into kernel memory when updates are committed. If the -e (ephemeral) option is specified, the zone must be in the ready or running state, and only its multilevel port properties can be updated.

Creating or modifying a zone's trusted networking properties requires the authorization solaris.label.zone.manage, which is included in the Object Label Management rights profile.
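The Templates and Zones sections above describe a small decision procedure: resolve a remote address to a template by longest matching prefix (no match means the packet is dropped), apply def_label to packets from unlabeled hosts but trust the label carried by cipso hosts, and let a multilevel-port service accept only labels inside the accreditation range or equal to an auxiliary label. The following Python model is an added illustration of that procedure written for this page; it is not Solaris code. The Label class (a level plus a compartment set, ordered by dominance), the template and address values, and the function names are all constructed assumptions chosen to mirror the values used in the page's examples.

```python
"""Model of Trusted Extensions host-template resolution and multilevel-port
label acceptance, following the Templates and Zones sections of tncfg(1M).
Added illustration for this page, not Solaris code; labels, templates and
addresses below are constructed assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a classification level plus a set of compartments.
    dominates() is the usual lattice order: level >= and compartments superset."""
    name: str
    level: int
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and self.compartments >= other.compartments


@dataclass
class Template:
    name: str
    host_type: str                               # "cipso" or "unlabeled"
    min_label: Label                             # lower bound of accreditation range
    max_label: Label                             # upper bound of accreditation range
    doi: int = 1
    def_label: Optional[Label] = None            # required for unlabeled templates
    aux_labels: list = field(default_factory=list)   # at most four, outside the range
    hosts: list = field(default_factory=list)        # ipaddress network objects

    def accepts(self, label: Label) -> bool:
        """Multilevel-port rule: label inside [min_label, max_label] under dominance,
        or exactly equal to one of the auxiliary labels."""
        in_range = label.dominates(self.min_label) and self.max_label.dominates(label)
        return in_range or label in self.aux_labels


def find_template(templates, addr: str) -> Optional[Template]:
    """Longest-matching-prefix lookup. None means no template matches, which the
    man page says results in the packet being dropped. A 0.0.0.0/0 or ::/0 entry
    (the default admin_low masks) matches everything with prefix length zero."""
    ip = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for t in templates:
        for net in t.hosts:
            if ip.version == net.version and ip in net and net.prefixlen > best_len:
                best, best_len = t, net.prefixlen
    return best


def classify_packet(templates, src: str, packet_label: Optional[Label]):
    """Return (template_name, effective_label), or (None, None) if the packet is dropped.
    Unlabeled hosts get the template's def_label regardless of packet content;
    cipso hosts are trusted to carry their own label."""
    t = find_template(templates, src)
    if t is None:
        return None, None
    if t.host_type == "unlabeled":
        return t.name, t.def_label
    return t.name, packet_label


def mlp_accepts(templates, src: str, packet_label: Optional[Label]) -> bool:
    """Would a service bound to a multilevel port accept this packet?"""
    tname, label = classify_packet(templates, src, packet_label)
    if tname is None or label is None:
        return False
    template = next(t for t in templates if t.name == tname)
    return template.accepts(label)


# Constructed labels; the names echo those in the page's export example.
ADMIN_LOW = Label("ADMIN_LOW", 0)
PUBLIC = Label("PUBLIC", 1)
CONF_NTK = Label("CONFIDENTIAL : NEED TO KNOW", 2, frozenset({"NTK"}))
SANDBOX = Label("SANDBOX PLAYGROUND", 3, frozenset({"SANDBOX"}))   # outside every range
SECRET = Label("SECRET", 4)

# Constructed templates: a cipso /24 nested inside an unlabeled /16, so the
# longest-prefix rule decides which one a host in 10.5.233.0/24 gets.
CIPSO_NET = Template("cipso", "cipso", ADMIN_LOW, SECRET,
                     hosts=[ipaddress.ip_network("10.5.233.0/24")])
PUBLIC_T = Template("public", "unlabeled", PUBLIC, CONF_NTK, def_label=PUBLIC,
                    aux_labels=[SANDBOX], hosts=[ipaddress.ip_network("10.5.0.0/16")])
TEMPLATES = [CIPSO_NET, PUBLIC_T]

if __name__ == "__main__":
    for src, lbl in [("10.5.233.74", SECRET), ("10.5.233.74", SANDBOX),
                     ("10.5.1.9", SECRET), ("192.168.1.1", PUBLIC)]:
        print(src, lbl.name, "->", classify_packet(TEMPLATES, src, lbl),
              "mlp_accepts:", mlp_accepts(TEMPLATES, src, lbl))
```

Two behaviours worth noticing when running it: a packet from 10.5.1.9 claiming SECRET still lands at PUBLIC, because an unlabeled host's own claims are ignored in favour of def_label; and SANDBOX PLAYGROUND is accepted by the public template only through its aux_label entry, never by the range check, since it is not dominated by the range's upper bound.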

Properties

The set of valid properties depends on whether the -t or -z option was used. The two sets are referred to as the template context and the zone context.

Only a single property value can be specified at a time. Values containing white space must be quoted. An equal sign is required between the property and its value.

The values that can be specified in the template context properties are described below.

name=template_name

The initial value for the name is specified using the -t option on the command line. If the name is changed, the current template properties are applied to the newly named template. In this way an existing template can be cloned for subsequent editing. However, to avoid conflicts, the host entries from the initial template are not copied to the new template. The specified name must not match an existing template.

host_type=cipso|unlabeled

When the unlabeled host type is used, the value specified using the def_label property is implicitly applied to the received packets. The cipso host type is used for hosts that are trusted to explicitly label their packets. The default is unlabeled.

def_label=sensitivity_label

The default label assigned to IP packets that are not explicitly labeled by means of cipso or IPsec.

doi=integer

A positive integer specifying the Domain of Interpretation for the binary representation of the labels. The default is 1.

min_label=sensitivity_label

The minimum label in the accreditation range for IP packets that are accepted by multilevel services.

max_label=sensitivity_label

The maximum label in the accreditation range for IP packets that are accepted by multilevel services.

aux_label=sensitivity_label

Additional labels, outside of the accreditation range, for IP packets that are accepted by multilevel services. Up to four labels may be specified, using the add subcommand repetitively.

host=hostname|IP address[/prefix]

A hostname or an IP address to which the template properties apply. For IP addresses, both IPv4 and IPv6 formats can be used, followed by an optional slash and prefix length specifying the number of bits to match against IP addresses. The IPv4 address 0.0.0.0 has an implied prefix length of zero, and matches any IPv4 address. Multiple host values can be specified, using the add subcommand repetitively. There is no specific limit.

The values that may be specified in the zone context properties are described below.

name=zone_name

The name of the zone, which must have previously been configured using zonecfg(1M). The initial value for the name is specified using the -z option on the command line. If the name is changed, the current zone properties are applied to the newly named zone. In this way an existing zone configuration can be cloned for subsequent editing. However, to avoid conflicts, the initial label value is not copied to the new zone configuration. The specified name must correspond to an existing zone without a trusted networking configuration.

label=sensitivity_label

The sensitivity label of the zone. It must be unique for each zone. The global zone value must be admin_low.

visible=yes|no

Specifies whether the zone responds to ping requests from hosts whose labels don't match the zone's label. The default is no.

mlp_private=port|[-port2]/tcp|udp

A single port number, or a range of ports, that privileged services can bind to and then accept requests from clients whose labels are within the accreditation range or the set of auxiliary labels specified in their matching templates. The port specification must be followed by a protocol, either tcp or udp. This value applies to all interfaces that are private to the zone. Multiple mlp_private values can be specified, using the add subcommand repetitively. This is only limited by the number of available ports.

mlp_shared=port|[-port2]/tcp|udp

A single port number, or a range of ports, that privileged services can bind to and then accept requests from clients whose labels are within the accreditation range or the set of auxiliary labels specified in their matching templates. The port specification must be followed by a protocol, either tcp or udp. This value applies to any all-zones interfaces, and must not overlap with the mlp_shared port specifications for other zones. Multiple mlp_shared values can be specified, using the add subcommand repetitively. This is only limited by the number of available ports.

Options

The following options are supported:

-e

Specifies that the data is ephemeral, affecting only what is currently loaded into kernel memory.

-f command_file

Specifies the name of a tncfg command file. command_file is a text file of tncfg subcommands, one per line.

-t template

Specifies the template name. If the named template does not exist, a new template is created. If neither -t nor -z is specified, the template context is assumed, using cipso as the default template name.

-S repository

The valid repositories are files and ldap. The repository specifies which name service will be updated. The default repository is files.

-z zone

Specifies the zone name. The zone must have previously been configured by means of zonecfg(1M).

Sub-commands

Subcommands can be provided on the command line or interactively. Multiple subcommands, separated by semicolons, can be specified on the command line by enclosing the entire set in quotation marks. The lack of subcommands implies an interactive session, during which auto-completion of subcommands can be invoked using the tab key.

The add, clear, and remove subcommands are used for properties that can accept multiple values. However, only one value can be specified at a time.

Subcommands which can result in destructive actions or loss of work have an -F option to force the action. If input is from a terminal device, the user is prompted when appropriate if such a subcommand is given without the -F option. Otherwise, the action is disallowed, with a diagnostic message written to standard error.

The following subcommands are supported:

add property-name=property-value

Adds the specified value to the current property values. This subcommand can only be applied to properties that accept multiple values. Use the set subcommand for single-value properties.

clear property-name

Clears all of the values for the property. Only those properties that accept multiple assignments, using the add subcommand, can be cleared.

commit

Commits the current configuration from memory to stable storage and into the kernel. The configuration must be committed for the changes to take effect. Until the in-memory configuration is committed, you can remove changes with the revert subcommand. The commit operation is attempted automatically upon completion of a tncfg session. Since a configuration must be correct to be committed, this operation automatically does a verify.

delete [-F]

Deletes the specified template or zone configuration from the current name service.

Specify the -F option to force the action. If the deletion is allowed, its action is instantaneous and the session is terminated.

export [-f output-file]

Displays the configuration on standard output. Use the -f option to write the configuration to output-file. This subcommand produces output in a form suitable for use in a command file.

get host=hostname|IP address[/prefix]

Displays the template name corresponding to the specified host using the kernel's in-memory mapping.

help [usage] [subcommands] [properties] [subcommand] [property]

Displays general help or help about a given topic.

info [property-name]

Displays information about the current template or zone, or the specified property in a parseable format.

list

Lists the names of the templates or zones that have been configured.

remove property-name=property-value

Removes the specified value from the property. Only those properties that accept multiple assignments, using the add subcommand, can be removed.

set property-name=property-value

Sets a given property name to the given value. Properties that can take multiple values are assigned using the add subcommand, instead of set.

verify

Verifies the current configuration for correctness:

  • The required properties are specified;

  • the values are valid for each key word;

  • the user is authorized to specify the values.

revert [-F]

Causes the configuration to revert to the last committed state. The -F option can be used to force the action.

exit [-F]

Exits the tncfg session. A commit is automatically attempted if needed. You can also use an EOF character to exit tncfg. The -F option can be used to force the action.

Examples

Example 1 Using the info Subcommand

The command below displays the properties of the cipso template. The subcommand is specified on the command line.

    example% tncfg -t cipso info
    name=cipso
    host_type=cipso
    doi=1
    min_label=ADMIN_LOW
    max_label=ADMIN_LOW
    host=10.5.233.74

Example 2 Using the export Subcommand

The following example shows an interactive session that exports the configuration of a zone in a format that could be imported to another machine with an equivalent zone.

    example% tncfg -t public
    tncfg:public> export
    set name=public
    set host_type=unlabeled
    set doi=1
    set def_label="PUBLIC"
    set min_label="PUBLIC"
    set max_label="CONFIDENTIAL : NEED TO KNOW"
    add aux_label="SANDBOX PLAYGROUND"
    add host=myserver.oracle.com
    add host=10.5.0.0/16
    tncfg:public> exit
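The export output above is exactly the line-oriented `set`/`add` format that `tncfg -f command_file` reads back, and the verify subcommand described earlier checks that required properties are present and that values are valid before a commit. The following Python parser and checker is an added example written for this page, not Solaris code: it reads a command file of that shape and applies the rules stated in the Templates and Properties sections (one of two host types, def_label required for unlabeled templates, a positive doi, at most four aux_label values, well-formed address/prefix host entries, add only for multi-valued properties). Which checks the real verify subcommand performs beyond what the page states is not known here, so the rule set, the function names and the sample inputs are all assumptions.

```python
"""Parser and checker for the set/add command-file format that the tncfg(1M)
export subcommand emits. Added illustration for this page, not Solaris code;
the checks implement only the rules stated on the page and are assumptions
about what verify does."""
import ipaddress
import shlex

# Template-context properties, split by whether they take one value (set) or many (add).
SINGLE = {"name", "host_type", "def_label", "doi", "min_label", "max_label"}
MULTI = {"aux_label", "host"}
MAX_AUX_LABELS = 4


def parse_command_file(text: str) -> dict:
    """Turn `set prop=value` / `add prop=value` lines into a property dict.
    shlex handles the quoting the page requires for values containing spaces."""
    props = {"aux_label": [], "host": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        if len(words) != 2 or "=" not in words[1]:
            raise ValueError(f"line {lineno}: expected '<set|add> property=value'")
        verb, (prop, value) = words[0], words[1].split("=", 1)
        if verb == "set" and prop in SINGLE:
            props[prop] = value
        elif verb == "add" and prop in MULTI:
            props[prop].append(value)
        else:
            # set on a multi-valued property, add on a single-valued one, or unknown name
            raise ValueError(f"line {lineno}: '{verb}' cannot be used with '{prop}'")
    return props


def verify(props: dict) -> list:
    """Return a list of problems; an empty list means the template passes these checks."""
    errors = []
    for required in ("name", "host_type", "min_label", "max_label"):
        if required not in props:
            errors.append(f"missing required property {required}")
    host_type = props.get("host_type")
    if host_type not in (None, "cipso", "unlabeled"):
        errors.append(f"host_type must be cipso or unlabeled, got {host_type!r}")
    if host_type == "unlabeled" and "def_label" not in props:
        errors.append("unlabeled templates must specify def_label")
    doi = props.get("doi", "1")            # page: default DOI is 1
    if not doi.isdigit() or int(doi) < 1:
        errors.append(f"doi must be a positive integer, got {doi!r}")
    if len(props["aux_label"]) > MAX_AUX_LABELS:
        errors.append("at most four aux_label values are allowed")
    for host in props["host"]:
        if "/" in host:                    # address with explicit prefix length
            try:
                ipaddress.ip_network(host, strict=False)
            except ValueError:
                errors.append(f"bad address/prefix {host!r}")
        else:                              # bare address or hostname
            try:
                ipaddress.ip_address(host)
            except ValueError:
                if not host.replace("-", "").replace(".", "").isalnum():
                    errors.append(f"bad host {host!r}")
    return errors


# Constructed input in the same shape as the export output shown on the page.
EXPORTED_PUBLIC = """\
set name=public
set host_type=unlabeled
set doi=1
set def_label="PUBLIC"
set min_label="PUBLIC"
set max_label="CONFIDENTIAL : NEED TO KNOW"
add aux_label="SANDBOX PLAYGROUND"
add host=myserver.oracle.com
add host=10.5.0.0/16
"""

if __name__ == "__main__":
    parsed = parse_command_file(EXPORTED_PUBLIC)
    print(parsed)
    print("problems:", verify(parsed) or "none")
```

Running the checker before `tncfg -f` on a file that was hand-edited (rather than produced by export) catches the mistakes the page warns about, such as an unlabeled template with no default label or an address whose prefix length is out of range, without touching the live configuration.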

Example 3 Assigning Properties to a Zone

In the following example, the public zone is configured to be a multi-level NFS server.

    example% tncfg -z public
    tncfg:public> info
    name=public
    label=PUBLIC
    visible=no
    tncfg:public> add mlp_private=111/tcp
    tncfg:public> add mlp_private=111/udp
    tncfg:public> add mlp_private=2049/tcp
    tncfg:public> commit
    tncfg:public> exit

Exit Status

0

Successful completion.

1

An error occurred.

Files

Attributes

See attributes(5) for descriptions of the following attributes:

    ATTRIBUTE TYPE          ATTRIBUTE VALUE
    Availability            system/trusted
    Interface Stability     See below.

The invocation and subcommands are Committed. Output, except for the export and info subcommands, is Not-an-Interface.

See Also

tnctl(1M), tnd(1M), tninfo(1M), txzonemgr(1M), zonecfg(1M), nsswitch.conf(4), attributes(5), labels(5), zones(5)

Notes

The Labeled Zone Manager, txzonemgr(1M), is an alternative application for configuring Trusted Extensions. It invokes the tncfg command internally, and provides an interactive GUI-based user interface.

Copyright © 2011, Oracle and/or its affiliates. All rights reserved.