Is there any way of setting up separate DNS configurations within different labelled zones on a Trusted Extensions system without losing the benefit of having shared /etc/shadow accounts between each zone?
The documentation provides a procedure under "Configure a Name Service Cache in Each Labeled Zone" to set up a separate instance in nscd in each zone, but if I follow this procedure I need to maintain separate user accounts in each zone. Even if I manually share /etc/shadow and /etc/passwd from the global zone to labeled zones, users are still prompted to enter their password for each workspace and I run into issues with "no utmpx entry" errors when users try to authenticate.
Solaris 11 Express had a procedure to prevent users from being prompted for a password when changing workspace labels, but this doesn't work in Solaris 11.1:
Having the global zone handle DNS resolution for the labelled zones, as per default behaviour is not an option as means exposing the global zone to external networks, and enables the use of DNS as an exceptionally convenient covert channel to exfiltrate data from a high label to external systems at a low label. Given how serious and obvious these security shortcomings are, I'm surprised that this is actually recommended.
There is only a single switch to determine whether all labeled zones share their name services with the global zone. Normally, when per-zone name services are enabled, authentication is required when changing workspace labels. However, it is still possible to configure PAM to bypass this authentication. The procedure described in Solaris 11 Express needs to be updated now that we manage PAM configuration in /etc/pam.d.
In each labeled zone in which you don't want authentication to occur do the following:
1. cd /etc/pam.d
2. cp other tsoljds-userlogin
3. comment out all the lines starting with "auth "
4. Add this line:
auth sufficient pam_allow.so.1
In this way, you can customize the authentication policy for each labeled zone. It is also possible to further customize the PAM authentication policy so that only specific users require authentication. For more information, see my blog posting:
[What's New in User Rights Management|https://blogs.oracle.com/gfaden/entry/what_s_new_in_user]