Trusted Extensions Configuration and Administration


Updated: July 2014

Trusted Extensions Policy for Multilevel Datasets

For multilevel datasets, the MAC read and write policies are enforced at the granularity of files and directories rather than at the granularity of the file system.

Multilevel datasets can be mounted only in the global zone. Labeled zones can access a multilevel dataset only through LOFS mount points that you specify with the zonecfg command. For the procedure, see How to Create and Share a Multilevel Dataset. Appropriately privileged processes in the global zone or in labeled zones can relabel files and directories. For relabeling examples, see Trusted Extensions User’s Guide.

  • In the global zone, all files in the multilevel dataset can be viewed. Mounted files that are labeled ADMIN_HIGH can be modified.

  • In a labeled zone, the multilevel dataset is mounted over LOFS. Mounted files whose label is the same as the zone's label, or is dominated by it (a lower label), can be viewed. Only mounted files at the same label as the zone can be modified.

  • Multilevel datasets can also be shared from the global zone over NFS. Remote clients can view files whose labels are dominated by their network label, and can modify files whose label equals their network label. However, relabeling is not possible on an NFS-mounted multilevel dataset. For information about NFS mounts, see Mounting Multilevel Datasets From Another System.
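The three access paths above (global zone, LOFS mount in a labeled zone, NFS client) all apply the same per-file rule: a subject may view a file whose label it dominates and may modify a file only at its own label, and relabeling is never available over NFS. The following Python model is an added illustration of that policy and is not Oracle code; the Label class, the sample labels PUBLIC, INTERNAL_A and INTERNAL_AB, the compartment names and the function names are constructed for this example. It goes slightly beyond the text by modelling dominance with both a classification level and a compartment set, which is how Trusted Extensions labels are generally compared.

```python
"""Model of the per-file MAC read/write/relabel policy for multilevel datasets.

Added example, not Oracle code. Labels, compartment names, mount kinds and
function names are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet

# Constructed compartment universe; ADMIN_HIGH carries every compartment so
# that it dominates every other label used in this example.
ALL_COMPARTMENTS: FrozenSet[str] = frozenset({"A", "B"})


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a classification level plus a compartment set."""
    level: int
    compartments: FrozenSet[str] = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # L1 dominates L2 when its level is at least L2's level and its
        # compartment set is a superset of L2's compartments.
        return (self.level >= other.level
                and self.compartments >= other.compartments)


# Constructed sample labels. ADMIN_HIGH is the label of the global zone.
ADMIN_LOW = Label(0)
PUBLIC = Label(1)
INTERNAL_A = Label(2, frozenset({"A"}))
INTERNAL_AB = Label(2, frozenset({"A", "B"}))
ADMIN_HIGH = Label(99, ALL_COMPARTMENTS)

MOUNT_KINDS = ("global", "lofs", "nfs")


def access_rights(subject: Label, file_label: Label, mount: str,
                  privileged: bool = False) -> Dict[str, bool]:
    """Return the read/write/relabel rights of a subject on one file.

    subject     - label of the process (the zone's label, or the client's
                  network label for an NFS client)
    file_label  - label of the file in the multilevel dataset
    mount       - "global" (in the global zone), "lofs" (labeled zone) or
                  "nfs" (remote client); constructed names for this example
    privileged  - whether the process holds the privilege needed to relabel
    """
    if mount not in MOUNT_KINDS:
        raise ValueError(f"unknown mount kind {mount!r}")
    read = subject.dominates(file_label)       # view: subject dominates file
    write = subject == file_label              # modify: labels must be equal
    # Relabeling needs privilege and is not possible over NFS at all.
    relabel = privileged and mount != "nfs"
    return {"read": read, "write": write, "relabel": relabel}


def global_zone_rights(file_label: Label,
                       privileged: bool = False) -> Dict[str, bool]:
    """Rights of a global-zone process, which runs at ADMIN_HIGH."""
    return access_rights(ADMIN_HIGH, file_label, "global", privileged)


def labeled_zone_rights(zone_label: Label, file_label: Label,
                        privileged: bool = False) -> Dict[str, bool]:
    """Rights of a process in a labeled zone reaching the dataset over LOFS."""
    return access_rights(zone_label, file_label, "lofs", privileged)


def nfs_client_rights(network_label: Label,
                      file_label: Label) -> Dict[str, bool]:
    """Rights of a remote NFS client identified by its network label."""
    return access_rights(network_label, file_label, "nfs", privileged=True)


if __name__ == "__main__":
    for name, rights in (
        ("global zone on ADMIN_HIGH file", global_zone_rights(ADMIN_HIGH)),
        ("global zone on PUBLIC file", global_zone_rights(PUBLIC)),
        ("zone INTERNAL_A on PUBLIC file",
         labeled_zone_rights(INTERNAL_A, PUBLIC)),
        ("zone INTERNAL_A on INTERNAL_AB file",
         labeled_zone_rights(INTERNAL_A, INTERNAL_AB)),
        ("NFS client INTERNAL_A on INTERNAL_A file",
         nfs_client_rights(INTERNAL_A, INTERNAL_A)),
    ):
        print(f"{name}: {rights}")
```

Running the module prints one line per case; the global zone can view every file but modify only ADMIN_HIGH files, the INTERNAL_A zone can view PUBLIC files but neither view nor modify INTERNAL_AB files, and the NFS client at an equal label can modify but never relabel.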

For more information, see Multilevel Datasets for Relabeling Files.