Global Zone Processes and Labeled Zones
In Trusted Extensions, MAC policy applies to all processes, including processes in the
global zone. Processes in the global zone run at the label ADMIN_HIGH.
When files from a global zone are shared, they are shared at the
label ADMIN_LOW. Therefore, because MAC prevents a higher-labeled process from modifying a lower-level
object, the global zone usually cannot write to an NFS-mounted system.
However, in a limited number of cases, actions in a labeled zone
can require that a global zone process modify a file in that zone.
To enable a global zone process to mount a remote file system
with read/write permissions, the mount must be under the zone path of the
zone whose label corresponds to that of the remote file system. But it
must not be mounted under that zone's root path.
The mounting system must have a zone at the identical label as the remote file system.
The system must mount the remote file system under the zone path of the identically labeled zone.
The system must not mount the remote file system under the zone root path of the identically labeled zone.
Consider a zone that is named public at the label PUBLIC. The
zone path is /zone/public/. All directories under the zone path are at the label
PUBLIC, as in:
/zone/public/dev
/zone/public/etc
/zone/public/home/username
/zone/public/root
/zone/public/usr
Of the directories under the zone path, only files under /zone/public/root are
visible from the public zone. All other directories and files at the label
PUBLIC are accessible only from the global zone. The path /zone/public/root is the
zone root path.
From the perspective of the public zone administrator, the zone root path is
visible as /. Similarly, the public zone administrator cannot access a user's home
directory in the zone path, /zone/public/home/username. That directory is visible only from the
global zone. The public zone mounts that directory in the zone root path
as /home/username. From the perspective of the global zone, that mount is visible
as /zone/public/root/home/username.
The public zone administrator can modify /home/username. A global zone process that
needs to modify files in a user's home directory does not use that path.
Instead, the global zone uses the user's home directory in the zone
path, /zone/public/home/username.
Files and directories that are under the zone path, /zone/zonename/, but not under the zone root path, /zone/zonename/root, can be modified by a global zone process that runs at the label PUBLIC.
Files and directories that are under the zone root path, /zone/public/root, can be modified by the labeled zone administrator.
For example, when a user allocates a device in the public zone,
a global zone process that runs at the label PUBLIC modifies the dev directory
in the zone path, /zone/public/dev. Similarly, when a user saves a desktop configuration,
the desktop configuration file is modified by a global zone process in
/zone/public/home/username. Finally, to share files from a labeled zone, the global zone administrator
creates the configuration file, dfstab, in the zone path, /zone/public/etc/dfs/dfstab. A labeled zone administrator
cannot access that file, and cannot share files from the labeled zone. To
share a labeled directory, see How to Share Directories From a Labeled Zone.
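The three mounting rules above (a zone at the same label, a mount point under the zone path, but not under the zone root path), as an added check that is not part of the Trusted Extensions documentation: a POSIX shell function that validates a proposed global zone mount point. It assumes the administrator supplies the zone's label and the remote file system's label as arguments (the script performs no label lookup), and the /zone/public inputs at the end are constructed from the example in the text.

```shell
#!/bin/sh
# Added example, not from the Trusted Extensions documentation: checks a
# proposed global zone mount point against the three rules stated above.
# Labels and paths are passed as arguments; nothing is queried from the system.

# Strip trailing slashes from a path, leaving a bare "/" intact.
norm_path() {
    p=$1
    while [ "${p%/}" != "$p" ] && [ "$p" != "/" ]; do p=${p%/}; done
    printf '%s\n' "$p"
}

# Return 0 if path $2 lies strictly beneath directory $1.
is_under() {
    base=$(norm_path "$1")
    case "$(norm_path "$2")" in
        "$base"/*) return 0 ;;
    esac
    return 1
}

# check_gz_mount ZONE_LABEL FS_LABEL ZONEPATH MOUNTPOINT
# Returns 0 when a global zone process may mount the remote file system
# read/write at MOUNTPOINT; otherwise prints the rule that was broken and
# returns 1.
check_gz_mount() {
    zone_label=$1; fs_label=$2; zonepath=$(norm_path "$3"); mnt=$(norm_path "$4")
    zoneroot=$zonepath/root
    if [ "$zone_label" != "$fs_label" ]; then
        echo "reject: zone label $zone_label does not match file system label $fs_label"
        return 1
    fi
    if ! is_under "$zonepath" "$mnt"; then
        echo "reject: $mnt is not under the zone path $zonepath"
        return 1
    fi
    if [ "$mnt" = "$zoneroot" ] || is_under "$zoneroot" "$mnt"; then
        echo "reject: $mnt is under the zone root path $zoneroot"
        return 1
    fi
    echo "ok: $mnt may be mounted read/write by a global zone process at $zone_label"
    return 0
}

# Constructed inputs based on the public zone example in the text.
for mnt in /zone/public/home/username /zone/public/root/home/username /export/home/username; do
    check_gz_mount PUBLIC PUBLIC /zone/public "$mnt" || :
done
```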