[fmac-discuss] Zone-specific policies
Glenn Faden
Glenn.Faden at Sun.COM
Mon Jun 23 16:07:49 PDT 2008
Alan DuBoff wrote:
> On Fri, 20 Jun 2008, Glenn Faden wrote:
>
> Could you elaborate on the "different purpose", possibly giving an
> example?
>
>
You might have a zone for software developers to do debugging, and
another zone which acts as a web server. If these are sparse zones then
the files in the lofs mounted file systems would have to have the same
security contexts stored in their extended attributes, but we might want
to allow the prstat(1) program in the developer zone to be able to
observe everything, but only show processes with the web-related types
in the web-server zone.
If the two zones are whole-root zones, then their instances of prtsat(1)
would actually have separate pathnames, and could potentially have
different security contexts stored in their respective extended attributes.
This brings up the issue of specifying pathnames in the various policy
files. When and how would the file systems in zones get their security
contexts applied? I think this would have to be done for each zone when
it is initially booted, and potentially verified on each zone reboot.
--Glenn
More information about the fmac-discuss
mailing list