Trusted Extensions Configuration and Administration

Updated: July 2014

Sharing and Mounting Files in the Global Zone

Mounting files in the global zone is identical to mounting files in Oracle Solaris, subject to MAC policy. Files that are shared from the global zone are shared at the label of the file. Therefore, file systems from a global zone are not usefully shared with the global zones of other Trusted Extensions systems, because all files are shared at the label ADMIN_LOW. The files that the global zone usefully shares with other systems are multilevel datasets.

Files and directories in a single-level dataset that are shared over LOFS from the global zone are shared at ADMIN_LOW. For example, the /etc/passwd and /etc/shadow files from the global zone can be LOFS-mounted in the labeled zones on the system. Because the files are ADMIN_LOW, they are visible and read-only in the labeled zones. Files and directories in multilevel datasets are shared at the label of the object.

The global zone can also share multilevel datasets over NFS. A client can request to mount the dataset when the NFS service is configured to use multilevel ports. The request succeeds when the client label is within the label range that is specified in the cipso template for the network interface that handles the client's NFS mount request.

Specifically, the behavior of global zones and mounted files is as follows:

  • In the global zone on Trusted Extensions clients, everything in the share is readable, and the clients can write at ADMIN_HIGH, just as the local global zone processes can.

  • When the client is a labeled zone, the mounted files are read-write when the label of the zone matches the label of the shared file.

  • When the client is an unlabeled system, the mounted files are read-write when the assigned label of the client matches the label of the shared file.

  • Clients at the label ADMIN_LOW cannot mount the dataset.

  • To share multilevel datasets with labeled zones on the same system, the global zone can use LOFS.
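The following is a small Python model, added here and not part of Trusted Extensions or this guide, of the mount and per-file access decisions listed above. The label encoding, the cipso template range, and the read-down rule applied when a labeled or unlabeled client's label does not match the file label are the model's own simplifying assumptions.

```python
# Illustrative model of the rules above; not Trusted Extensions code.
# Labels are simplified to a classification level plus a set of compartments.
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    level: int                              # higher level dominates lower
    compartments: frozenset = frozenset()   # must be a superset to dominate

    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and other.compartments <= self.compartments


ADMIN_LOW = Label(0)     # bottom of the lattice: every label dominates it
ADMIN_HIGH = Label(99)   # top of the lattice (model value): dominates every label


def in_range(label: Label, template_min: Label, template_max: Label) -> bool:
    """Range check against the cipso template of the interface receiving the request."""
    return label.dominates(template_min) and template_max.dominates(label)


def can_mount(client_label: Label, template_min: Label, template_max: Label) -> bool:
    """ADMIN_LOW clients cannot mount a multilevel dataset; others must be in range."""
    if client_label == ADMIN_LOW:
        return False
    return in_range(client_label, template_min, template_max)


def file_access(client_kind: str, client_label: Label, file_label: Label) -> str:
    """Access mode ('rw', 'ro' or 'none') a mounted client has to one file.

    client_kind is 'global' (a Trusted Extensions global zone), 'labeled'
    (a labeled zone) or 'unlabeled' (a single-label system with an assigned label).
    """
    if client_kind == "global":
        # Everything in the share is readable; writes happen at ADMIN_HIGH only.
        return "rw" if file_label == ADMIN_HIGH else "ro"
    if client_kind not in ("labeled", "unlabeled"):
        raise ValueError(f"unknown client kind: {client_kind}")
    # Labeled zones and unlabeled systems: read-write only on an exact label match.
    if client_label == file_label:
        return "rw"
    # Assumption of this model: standard MAC read-down, nothing when not dominated.
    return "ro" if client_label.dominates(file_label) else "none"
```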

For more information about the viewing and relabeling of files on an NFS mount, see Mounting Multilevel Datasets From Another System.