2N/A<?
xml version="1.0"?>
2N/A The contents of this file are subject to the terms of the 2N/A Common Development and Distribution License (the "License"). 2N/A You may not use this file except in compliance with the License. 2N/A See the License for the specific language governing permissions 2N/A and limitations under the License. 2N/A When distributing Covered Code, include this CDDL HEADER in each 2N/A If applicable, add the following below this CDDL HEADER, with the 2N/A fields enclosed by brackets "[]" replaced with your own identifying 2N/A information: Portions Copyright [yyyy] [name of copyright owner] 2N/A Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved. 2N/A DO NOT EDIT THIS FILE. 2N/A<!
DOCTYPE brand PUBLIC "-//Sun Microsystems Inc//DTD Brands//EN" 2N/A<
brand name="labeled">
2N/A <!-- We may not be able to do the create in pkg(1) proper. --> 2N/A <
installopts>Ua:c:d:hm:psuv</
installopts>
2N/A <
postattach></
postattach>
2N/A <
postclone></
postclone>
2N/A <
postinstall></
postinstall>
2N/A <
privilege set="default" name="contract_event" />
2N/A <
privilege set="default" name="contract_identity" />
2N/A <
privilege set="default" name="contract_observer" />
2N/A <
privilege set="default" name="file_chown" />
2N/A <
privilege set="default" name="file_chown_self" />
2N/A <
privilege set="default" name="file_dac_execute" />
2N/A <
privilege set="default" name="file_dac_read" />
2N/A <
privilege set="default" name="file_dac_search" />
2N/A <
privilege set="default" name="file_dac_write" />
2N/A <
privilege set="default" name="file_owner" />
2N/A <
privilege set="default" name="file_setid" />
2N/A <
privilege set="default" name="ipc_dac_read" />
2N/A <
privilege set="default" name="ipc_dac_write" />
2N/A <
privilege set="default" name="ipc_owner" />
2N/A <
privilege set="default" name="net_bindmlp" />
2N/A <
privilege set="default" name="net_icmpaccess" />
2N/A <
privilege set="default" name="net_mac_aware" />
2N/A <
privilege set="default" name="net_observability" />
2N/A <
privilege set="default" name="net_privaddr" />
2N/A <
privilege set="default" name="net_rawaccess" ip-
type="exclusive" />
2N/A <
privilege set="default" name="proc_chroot" />
2N/A <
privilege set="default" name="sys_audit" />
2N/A <
privilege set="default" name="proc_audit" />
2N/A <
privilege set="default" name="proc_lock_memory" />
2N/A <
privilege set="default" name="proc_owner" />
2N/A <
privilege set="default" name="proc_setid" />
2N/A <
privilege set="default" name="proc_taskid" />
2N/A <
privilege set="default" name="sys_acct" />
2N/A <
privilege set="default" name="sys_admin" />
2N/A <
privilege set="default" name="sys_ip_config" ip-
type="exclusive" />
2N/A <
privilege set="default" name="sys_iptun_config" ip-
type="exclusive" />
2N/A <
privilege set="default" name="sys_flow_config" ip-
type="exclusive" />
2N/A <
privilege set="default" name="sys_mount" />
2N/A <
privilege set="default" name="sys_nfs" />
2N/A <
privilege set="default" name="sys_resource" />
2N/A <
privilege set="default" name="sys_ppp_config" ip-
type="exclusive" />
2N/A <
privilege set="default" name="sys_share" />
2N/A <
privilege set="prohibited" name="dtrace_kernel" />
2N/A <
privilege set="prohibited" name="proc_zone" />
2N/A <
privilege set="prohibited" name="sys_config" />
2N/A <
privilege set="prohibited" name="sys_devices" />
2N/A <
privilege set="prohibited" name="sys_ip_config" ip-
type="shared" />
2N/A <
privilege set="prohibited" name="sys_linkdir" />
2N/A <
privilege set="prohibited" name="sys_net_config" />
2N/A <
privilege set="prohibited" name="sys_res_config" />
2N/A <
privilege set="prohibited" name="sys_suser_compat" />
2N/A <
privilege set="prohibited" name="sys_ppp_config" ip-
type="shared" />
2N/A <
privilege set="required" name="proc_exec" />
2N/A <
privilege set="required" name="proc_fork" />
2N/A <
privilege set="required" name="sys_ip_config" ip-
type="exclusive" />
2N/A <
privilege set="required" name="sys_mount" />
2N/A The file-mac-profile definitions 2N/A - packages can't be installed. 2N/A No modification of stable storage. Reboot and it comes 2N/A back as it was when it was first installed. This profile 2N/A comes with the best security guarantee. 2N/A - SMF services persistently enabled are fixed 2N/A - SMF manifests can't be added from the default locations 2N/A only be logged remotely. 2N/A Attempt to prevent privilege escalation via 2N/A introduction of new binaries and changes to core OS 2N/A a fixed configuration. 2N/A - SMF manifests can't be added from the default locations 2N/A - SMF services persistently enabled are fixed 2N/A configuration are fixed 2N/A flexible-configuration 2N/A Attempt to prevent privilege escalation via 2N/A introduction of new binaries, while allowing 2N/A configuration to be changed and local 2N/A than binaries and libraries cannot be modified. 2N/A - S11 closest equivalent to S10 sparse root zones 2N/A - SMF policy can be changed boot to boot the as repository 2N/A NOTE: These profiles are currently exactly the same in 2N/A the solaris brand; make sure that if you change these that 2N/A you also update the solaris brand. 2N/A <
file-
mac-
profile name="strict"/>
2N/A <
file-
mac-
profile name="fixed-configuration">
2N/A <
writable-
path path="/var/*"/>
2N/A <
file-
mac-
profile name="flexible-configuration">
2N/A <
writable-
path path="/etc/*"/>
2N/A <
writable-
path path="/var/*"/>
2N/A <
writable-
path path="/root/*"/>