Directory Structure

The tmp directory and all home directories are automatically MLDs at ADMIN_LOW when set up for users in the User Manager by the system administrator. Additionally, mkdir(1) has an option for creating an MLD. Figure 7-1 shows the directory structure of Zelda's home directory where the MLD is ADMIN_LOW with three SLDs at Top Secret, Secret, and Confidential.

• An MLD cannot contain another MLD.

• An SLD cannot contain an MLD or an SLD.

• An SLD can contain regular UNIX directories and all types of files.

SLDs are created as needed during pathname lookup, and by the getsldname(2) and fgetsldname(2) system calls. The SLD sensitivity label is always a valid sensitivity label for the system.

Figure 7-1 Multilevel Directories

An application running at Secret dominates the ADMIN_LOW directory path /home/export/.MLD.zelda, dominates the SLDs at Secret and Confidential, but does not dominate the SLD at Top Secret. Without privilege and with discretionary access, a process running at Secret has the following access:

• Read, Write, and Create access to the Secret SLD.

• The ability to read down to the Confidential SLD using the fully adorned name /export/home/.MLD.zelda/.SLD.1. See "Adorned Names" and "Using Path Names with Adornments".

• The ability to write up to the Top Secret SLD using the fully adorned name /export/home/.MLD.zelda/.SLD.3 if the process clearance dominates the Top Secret SLD. See "Adorned Names" and "Using Path Names with Adornments".

A process running at Confidential would have access to the following files assuming the directory structure in Figure 7-1.

.login
conf_proj

A process running at Secret would have access to the following files assuming the directory structure in Figure 7-1.

.login
secret_proj1
secret_proj2

A process running at Top Secret would have access to the following files assuming the directory structure in Figure 7-1.

.login
ts_proj

Temporary Directory

Many applications create files in the /tmp directory. If /tmp is a regular UNIX directory at some sensitivity label, unprivileged processes running at other sensitivity labels cannot create files in /tmp. The Trusted Solaris environment makes /tmp an MLD so applications can create files in the SLD that corresponds to the sensitivity label of the process.

Symbolic Links

Symbolic links can be used in combination with MLDs. For example, a symbolic link whose target path name is in an MLD points to a different target file at each sensitivity label. Symbolic links in an SLD can point to a target path name in a regular directory to have a path name in an MLD refer to the same file when referenced at different sensitivity labels.