What is the impact of making this specific change?

After installing and customizing an Oracle Solaris 11 non-global (solaris brand) zone, you execute
the following commands:
# zonecfg -z myzone 'set file-mac-profile=fixed-configuration'
# zoneadm -z myzone reboot
What is the impact of making this specific change?

A.
This change prevents MAC address spoofing by requiring outbound network packets to have
a predefined value.

B.
This enables support within the zone for Mac OS X extended file attributes for the zone root file
system.

C.
This change restricts user access to objects in the zone based upon their Oracle Solaris
Trusted Extensions labels.

D.
This change prevents the zone from being able to mount any remote file systems once the
zone has been booted.

E.
This change forces the zone root file system into a read-only state where only parts of /var are
writable.

Answer: E

Explanation:
Through the zonecfg utility, the file-mac-profile property can be set to one of the following
values (see note below). All of the profiles except none cause the /var/pkg directory and its
contents to be read-only from inside the zone.
* none
Standard, read-write, non-global zone, with no additional protection beyond the existing zone
boundaries. Setting the value to none is equivalent to not setting the file-mac-profile property.
* strict
Read-only file system, no exceptions: IPS packages cannot be installed, persistently enabled SMF
services are fixed, SMF manifests cannot be added from the default locations, and logging and
auditing configuration files are fixed.
* fixed-configuration
Permits updates to /var/* directories, with the exception of directories that contain system
configuration components.
IPS packages, including new packages, cannot be installed.
Persistently enabled SMF services are fixed.
SMF manifests cannot be added from the default locations.
Logging and auditing configuration files can be local. syslog and audit configuration are fixed.
* flexible-configuration
Permits modification of files in /etc/* directories, changes to root's home directory, and
updates to /var/* directories, while the rest of the zone root stays read-only.
Note:
zonecfg file-mac-profile Property
By default, the zonecfg file-mac-profile property is not set in a non-global zone, so the zone is
configured with a writable root dataset.
In a solaris read-only zone, the file-mac-profile property is used to configure a read-only zone root.
A read-only root restricts access to the runtime environment from inside the zone.
Reference: Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and
Resource Management
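The following POSIX shell script is an added example; it is not from the page or from Oracle's documentation. It reads the file-mac-profile value out of captured `zonecfg -z ZONE export` text (so the parsing can be exercised offline against a constructed sample), classifies a path as writable or read-only according to a simplified model of the profiles described in the explanation above, and, when run with the script's own assumed `--live` flag on a Solaris host, walks `zoneadm list -c` and `zonecfg export` to flag any non-global zone still on the default writable root. The zone names, zonepaths, sample export text, the `--live` flag and the flexible-configuration path rules are assumptions; the check for "directories that contain system configuration components" under /var is deliberately left out of the model.

```shell
#!/bin/sh
# Added example (not from the page): audit zone file-mac-profile settings.
# Live use needs zoneadm(1M)/zonecfg(1M); the parsing and classification
# functions run offline on the constructed samples below.

# parse_profile: read "set file-mac-profile=VALUE" out of 'zonecfg -z ZONE export'
# text passed as $1. An unset property is the default, which the page equates
# with "none" (fully writable root).
parse_profile() {
    profile=$(printf '%s\n' "$1" | sed -n 's/^set file-mac-profile=\(.*\)$/\1/p' | head -n 1)
    printf '%s\n' "${profile:-none}"
}

# classify_path PROFILE PATH: prints "writable" or "read-only" from inside the
# zone, as a simplified model of the explanation above. Per the page, /var/pkg
# is read-only under every profile except none, and fixed-configuration keeps
# /var/* writable while the rest of root is read-only. Assumptions: other /var
# paths are treated as writable (config directories under /var are ignored),
# and flexible-configuration opens /etc/*, /var/* and root's home.
classify_path() {
    profile=$1
    path=$2
    case $profile in
        none) echo writable ;;
        strict) echo read-only ;;
        fixed-configuration)
            case $path in
                /var/pkg|/var/pkg/*) echo read-only ;;
                /var/*) echo writable ;;
                *) echo read-only ;;
            esac ;;
        flexible-configuration)
            case $path in
                /var/pkg|/var/pkg/*) echo read-only ;;
                /etc/*|/var/*|/root|/root/*) echo writable ;;
                *) echo read-only ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# audit_zones: live only. Prints "ZONE PROFILE" for each non-global zone and
# returns 1 if any zone is still on the default writable root.
audit_zones() {
    rc=0
    for z in $(zoneadm list -c); do
        [ "$z" = global ] && continue
        p=$(parse_profile "$(zonecfg -z "$z" export)")
        printf '%s %s\n' "$z" "$p"
        [ "$p" = none ] && rc=1
    done
    return $rc
}

# Constructed sample of 'zonecfg -z myzone export' output after the question's
# commands; zone name and zonepath are assumptions.
SAMPLE_EXPORT='create -b
set brand=solaris
set zonepath=/zones/myzone
set autoboot=false
set file-mac-profile=fixed-configuration
set ip-type=exclusive'

# Constructed sample for a zone whose property was never set (default).
SAMPLE_DEFAULT='create -b
set brand=solaris
set zonepath=/zones/other'

if [ "${1:-}" = --live ]; then
    audit_zones
else
    printf 'myzone: %s\n' "$(parse_profile "$SAMPLE_EXPORT")"
    printf 'other:  %s\n' "$(parse_profile "$SAMPLE_DEFAULT")"
    for f in /var/log/syslog /var/pkg/state /etc/passwd /usr/bin/ls; do
        printf '%-24s %s\n' "$f" "$(classify_path fixed-configuration "$f")"
    done
fi
```

Without arguments the script only exercises the samples; with `--live` it queries the host, and a non-zero exit means at least one zone still has a writable root. Note that zonecfg changes to file-mac-profile take effect only after the zone is rebooted, as in the question, so a zone may report a hardened profile while its running instance is still writable until the next `zoneadm -z ZONE reboot`.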
