You can apply a label to a ZFS dataset, or mount an unlabeled ZFS dataset in a zone. An initially unlabeled ZFS dataset acquires the label of the zone that mounts it.
ZFS provides a security label attribute, mlslabel, that contains the label of the data in the dataset. The mlslabel property is inheritable. If the property is undefined, it defaults to the string none, which indicates no label.
When you mount a ZFS dataset in a labeled zone, the following occurs:
If the dataset is not labeled, the value of the mlslabel property is changed to the label of the mounting zone.
For the global zone, the mlslabel property is not set automatically. If you explicitly label the dataset admin_low, the dataset must be mounted read-only.
If the dataset is labeled, the kernel verifies that the dataset label matches the label of the mounting zone. If the labels do not match, the mount fails.
If read-down mounts are allowed in the zone, a lower-level dataset mounts read-only.
To set the mlslabel property from the command line, type something similar to the following:
# zfs set mlslabel=public export/publicinfo
The file_upgrade_sl privilege is required to set an initial label or to change a non-default label to a higher-level label. The file_downgrade_sl privilege is required to remove a label, that is, to set the label to none, and to change a non-default label to a lower-level label. A ZFS dataset that has an explicit label cannot be mounted on a Solaris system that is not configured with Trusted Extensions.
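The following shell script is an added example, not part of this documentation or of Solaris itself. It models the mount rules listed above and the privilege required for a label change as plain shell functions, so the rules can be exercised without a Trusted Extensions host: mount_decision() returns what happens when a dataset with a given mlslabel is mounted in a zone with a given label, and required_priv() returns which privilege a change from one label to another needs. The label names and their strict linear ordering (admin_low < public < internal < admin_high) are a constructed simplification of the real label-dominance check, and the function names are hypothetical. Nothing here calls zfs; zfs_set_label_cmd() only builds the command line you would type.

```shell
#!/bin/sh
# Added example (not Solaris code): models the mlslabel mount rules and
# the privilege needed for a label change. The ordering below is a
# constructed linear simplification of real label dominance.

# label_rank LABEL -> numeric rank; "none" means unlabeled (rank -1)
label_rank() {
    case "$1" in
        none)       printf '%s\n' -1 ;;
        admin_low)  printf '%s\n' 0 ;;
        public)     printf '%s\n' 1 ;;
        internal)   printf '%s\n' 2 ;;
        admin_high) printf '%s\n' 3 ;;
        *)          echo "unknown label: $1" >&2; return 1 ;;
    esac
}

# mount_decision DATASET_LABEL ZONE_LABEL [READDOWN yes|no]
# Prints one of:
#   label=<zone> rw  unlabeled dataset takes the mounting zone's label
#   rw               dataset label matches the zone label
#   ro               lower-level dataset, read-down mounts allowed
#   fail             label mismatch, the mount is refused
# ZONE_LABEL "global" models the global zone, where mlslabel is never
# set automatically and an explicit admin_low must be mounted read-only.
mount_decision() {
    ds=$1; zone=$2; readdown=${3:-no}
    if [ "$zone" = global ]; then
        case "$ds" in
            none)      echo rw ;;           # property is left at none
            admin_low) echo ro ;;           # explicit admin_low: read-only
            *)         echo unspecified ;;  # not covered by the rules above
        esac
        return 0
    fi
    if [ "$ds" = none ]; then
        echo "label=$zone rw"
        return 0
    fi
    dr=$(label_rank "$ds") || return 2
    zr=$(label_rank "$zone") || return 2
    if [ "$dr" -eq "$zr" ]; then
        echo rw
    elif [ "$dr" -lt "$zr" ] && [ "$readdown" = yes ]; then
        echo ro
    else
        echo fail
    fi
}

# required_priv CURRENT_LABEL NEW_LABEL
#   file_upgrade_sl    set an initial label, or raise a label
#   file_downgrade_sl  remove a label (set to none), or lower a label
#   no_privilege_needed  labels are equal, nothing changes
required_priv() {
    cr=$(label_rank "$1") || return 2
    nr=$(label_rank "$2") || return 2
    if [ "$nr" -gt "$cr" ]; then
        echo file_upgrade_sl
    elif [ "$nr" -lt "$cr" ]; then
        echo file_downgrade_sl
    else
        echo no_privilege_needed
    fi
}

# zfs_set_label_cmd DATASET NEW_LABEL -> the command to type (not executed)
zfs_set_label_cmd() {
    echo "zfs set mlslabel=$2 $1"
}

# Constructed walk-through: label export/publicinfo, then mount it in a
# zone labeled "internal" with read-down mounts allowed.
required_priv none public                    # file_upgrade_sl
zfs_set_label_cmd export/publicinfo public   # zfs set mlslabel=public export/publicinfo
mount_decision public internal yes           # ro
mount_decision public internal no            # fail
```

Run it with /bin/sh. The script makes the two failure modes on this page visible at a glance: a labeled dataset mounted in a zone with a different label is refused unless the zone permits read-down mounts, and then only read-only, and lowering or removing a label takes file_downgrade_sl rather than file_upgrade_sl.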