Solaris Trusted Extensions Administrator's Procedures

Procedure: How to Enable Files to be Relabeled From a Labeled Zone

This procedure is a prerequisite for a user to be able to relabel files.

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Halt the zone whose configuration you want to change.

     # zoneadm -z zone-name halt

  2. Configure the zone to enable relabeling.

     Add the appropriate privileges to the zone. The windows privileges enable users to use drag-and-drop and cut-and-paste operations.

     • To enable downgrades, add the file_downgrade_sl privilege to the zone.

       # zonecfg -z zone-name
        set limitpriv=default,win_dac_read,win_mac_read,win_dac_write,
        win_mac_write,win_selection,file_downgrade_sl
        exit

     • To enable upgrades, add the sys_trans_label and file_upgrade_sl privileges to the zone.

       # zonecfg -z zone-name
        set limitpriv=default,win_dac_read,win_mac_read,win_dac_write,
        win_mac_write,win_selection,sys_trans_label,file_upgrade_sl
        exit

     • To enable both upgrades and downgrades, add all three privileges to the zone.

       # zonecfg -z zone-name
        set limitpriv=default,win_dac_read,win_mac_read,win_dac_write,
        win_mac_write,win_selection,sys_trans_label,file_downgrade_sl,
        file_upgrade_sl
        exit

  3. Restart the zone.

     # zoneadm -z zone-name boot

    For the user and process requirements that permit relabeling, see the setflabel(3TSOL) man page. To authorize a user to relabel files, see How to Enable a User to Change the Security Level of Data.
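As an added check that is not part of this manual: a small POSIX shell audit that reads a zone's limitpriv setting and reports which relabel directions the privileges from step 2 permit, and whether the windows privileges needed for File Manager relabeling are present (otherwise only setlabel works). The "limitpriv: value" output format of zonecfg -z zone-name info limitpriv and the sample values below are assumptions constructed for the example.

```shell
#!/bin/sh
# Added audit helper (not from the Trusted Extensions manual). Assumes that
# `zonecfg -z zone-name info limitpriv` prints a single "limitpriv: value" line.

# has_priv LIST NAME: true if NAME is one of the comma-separated privileges in LIST
has_priv() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# relabel_mode LIST: prints the relabel directions the privileges allow, e.g.
# "none", "downgrade", "upgrade", "downgrade upgrade". file_upgrade_sl without
# sys_trans_label is flagged, because step 2 requires both for upgrades.
relabel_mode() {
    out=""
    has_priv "$1" file_downgrade_sl && out="$out downgrade"
    if has_priv "$1" file_upgrade_sl; then
        if has_priv "$1" sys_trans_label; then out="$out upgrade"
        else out="$out upgrade-missing-sys_trans_label"; fi
    fi
    [ -n "$out" ] || out=" none"
    echo "${out# }"
}

# gui_relabel LIST: "yes" if all five windows privileges are present (File
# Manager drag-and-drop and cut-and-paste), otherwise "no" (setlabel only).
gui_relabel() {
    for p in win_dac_read win_mac_read win_dac_write win_mac_write win_selection; do
        has_priv "$1" "$p" || { echo no; return 0; }
    done
    echo yes
}

# limitpriv_value INFO_TEXT: extract the value from a "limitpriv: ..." line
limitpriv_value() {
    printf '%s\n' "$1" | sed -n 's/^limitpriv:[[:space:]]*//p'
}

# audit_zone ZONE: query a live zone from the global zone, for example
#   audit_zone restricted   ->  restricted: relabel=downgrade gui=no
audit_zone() {
    info=$(zonecfg -z "$1" info limitpriv) || return 1
    lp=$(limitpriv_value "$info")
    echo "$1: relabel=$(relabel_mode "$lp") gui=$(gui_relabel "$lp")"
}

# Constructed sample standing in for the output of `zonecfg -z restricted info limitpriv`
SAMPLE_INFO='limitpriv: default,file_downgrade_sl'
echo "restricted (sample): relabel=$(relabel_mode "$(limitpriv_value "$SAMPLE_INFO")") gui=$(gui_relabel "$(limitpriv_value "$SAMPLE_INFO")")"
```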
Example 16–6 Enabling Upgrades From the internal Zone

In this example, the security administrator wants to enable authorized users on a system to upgrade files. By enabling users to upgrade information, the administrator enables them to protect the information at a higher level of security. In the global zone, the administrator runs the following zone administration commands.
# zoneadm -z internal halt
# zonecfg -z internal
 set limitpriv=default,sys_trans_label,file_upgrade_sl
 exit
# zoneadm -z internal boot

Authorized users can now upgrade internal information to restricted from the internal zone.
Example 16–7 Enabling Downgrades From the restricted Zone

In this example, the security administrator wants to enable authorized users on a system to downgrade files. Because the administrator does not add windows privileges to the zone, authorized users cannot use the File Manager to relabel files. To relabel files, users use the setlabel command.

By enabling users to downgrade information, the administrator permits users at a lower level of security to access the files. In the global zone, the administrator runs the following zone administration commands.
# zoneadm -z restricted halt
# zonecfg -z restricted
 set limitpriv=default,file_downgrade_sl
 exit
# zoneadm -z restricted boot

Authorized users can now downgrade restricted information to internal or public from the restricted zone by using the setlabel command.