Trusted Solaris Developer's Guide

Acquiring CMW labels

Labels are acquired from workspaces and other processes. A user can start a process only at the current sensitivity label of the workspace in which he or she is working.

Process CMW Label

When a process is started from the workspace, the process CMW label inherits the sensitivity value of the workspace CMW label.

When a new process is created using fork(2), the new process inherits the CMW label values of its calling process.

When a new program is started with exec(1), the exec'ing process must have both discretionary and mandatory access to the new program's file.

The setcmwplabel(2) system call programmatically sets the process CMW label. Use this call after forking or exec'ing a new process that should operate at a different CMW label from the calling process. Privileges may be required; see "Privileged Operations".

Object CMW Label

When an object is created by a process, the object inherits the CMW label values of its calling process.

When a privileged process writes down to an object, the system changes the sensitivity label of the object to be the same as the sensitivity label of the process. This protects the information written by the process at the higher sensitivity label from being accessed by other processes running at lower sensitivity labels.

The setcmwlabel(2) system call programmatically sets the CMW label on a file system object.

The File Manager lets an authorized user change the sensitivity label on an existing file's CMW label.
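The inheritance and write-down rules above can be traced in a small model. This is an added example, not code from the guide, and it does not call the Trusted Solaris label API. The struct types, function names and sample labels are hypothetical, and the read check and the refusal of unprivileged write-down are assumed from standard label dominance.

```c
#include <stdio.h>

/* Model sensitivity label: level plus compartment bitmask (not the real label type). */
typedef struct { int level; unsigned comps; } slabel;
typedef struct { slabel sl; int privileged; } proc;
typedef struct { slabel sl; } object;

/* a dominates b: level at least as high, compartments a superset of b's. */
int dominates(slabel a, slabel b) {
    return a.level >= b.level && (a.comps & b.comps) == b.comps;
}
int same(slabel a, slabel b) { return a.level == b.level && a.comps == b.comps; }

/* A process started from a workspace takes the workspace's sensitivity label. */
proc start_from_workspace(slabel ws, int privileged) {
    proc p = { ws, privileged };
    return p;
}
/* fork: the child inherits the label of the calling process. */
proc model_fork(proc parent) { return parent; }
/* A new object inherits the label of the process that creates it. */
object create_object(proc p) { object o = { p.sl }; return o; }

/* Returns 0 if the write succeeds, -1 if refused or outside this model. */
int write_object(proc p, object *o) {
    if (same(p.sl, o->sl)) return 0;          /* equal labels: no relabel */
    if (!dominates(p.sl, o->sl)) return -1;   /* write-up/incomparable: not modeled */
    if (!p.privileged) return -1;             /* assumption: write-down needs privilege */
    o->sl = p.sl;                             /* object takes the writer's label */
    return 0;
}
/* Assumption: read requires the reader's label to dominate the object's. */
int can_read(proc p, object o) { return dominates(p.sl, o.sl); }

/* Constructed scenario: returns 1 if a privileged write-down hides the file from "low". */
int writedown_hides_from_low(void) {
    slabel low_ws = { 1, 0x0 }, high_ws = { 3, 0x1 };   /* constructed sample labels */
    proc low = start_from_workspace(low_ws, 0);
    proc high = model_fork(start_from_workspace(high_ws, 1));
    object f = create_object(low);
    int before = can_read(low, f);
    if (write_object(high, &f) != 0) return 0;
    return before && !can_read(low, f) && can_read(high, f);
}

int main(void) {
    printf("write-down hides file from low process: %d\n", writedown_hides_from_low());
    return 0;
}
```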