Solaris Trusted Extensions Developer's Guide

Labels in the Global Zone

The global zone is assigned a range of labels, from ADMIN_LOW to ADMIN_HIGH. Both ADMIN_LOW and ADMIN_HIGH are administrative labels.

Objects in the global zone that are shared with other zones are assigned the ADMIN_LOW label. For example, files in the /usr, /sbin, and /lib directories are assigned the ADMIN_LOW label. These directories and their contents are shared by all zones. These files and directories are typically installed from packages and are generally not modified, except during packaging or patching procedures. To modify ADMIN_LOW files, a process must typically be run by the superuser or by someone who has all privileges.

Information that is private to the global zone is assigned the label ADMIN_HIGH. For example, all processes in the global zone and all administrative files in the /etc directory are assigned the ADMIN_HIGH label. Home directories that are associated with roles are assigned the ADMIN_HIGH label. Multilevel information that is associated with users is also assigned the ADMIN_HIGH label. See Multilevel Operations. Access to the global zone is restricted. Only system services and administrative roles can execute processes in the global zone.