When a process writes to a file with a higher sensitivity label or changes the CMW label of an object, the system checks that the file sensitivity label dominates the process sensitivity label and the process clearance dominates the file sensitivity label. If your application writes to files at different sensitivity labels, you might want to perform these checks in the code to catch errors or to turn privileges on in the effective set as needed.
This code performs the following tasks:
Retrieves the binary file CMW label, process CMW label, and process clearance.
Retrieves the sensitivity label portion of the file CMW label and process CMW label.
Checks for dominance by comparing the process sensitivity label to the file sensitivity label, and the process clearance to the file sensitivity label.
If the comparisons return 0 (process sensitivity label and clearance do not dominate the file sensitivity label), the operation to change the file CMW label or write up to the file requires privilege. See "Privileges and Authorizations" for information on privileges.
Chapter 4, Labels and Chapter 6, Process Clearance describe the programming interfaces for translating a binary label or clearance to text so they can be handled like a string.
#include <tsol/label.h>

int main(void)
{
    int retval, retvalsens, retvalclearance;
    bclabel_t filecmwlabel, processcmwlabel;
    bslabel_t filesenslabel, processsenslabel;
    bclear_t processclearance;
    char *file = "/export/home/labelfile";

    /* Get CMW label of file */
    retval = getcmwlabel(file, &filecmwlabel);

    /* Get Process CMW label */
    retval = getcmwplabel(&processcmwlabel);

    /* Get sensitivity label portion of CMW labels */
    getcsl(&filesenslabel, &filecmwlabel);
    getcsl(&processsenslabel, &processcmwlabel);

    /* Get process clearance */
    retval = getclearance(&processclearance);

    /* See if process label dominates file label (retvalsens > 0) */
    retvalsens = bldominates(&processsenslabel, &filesenslabel);

    /* See if process clearance dominates file label (retvalclearance > 0) */
    retvalclearance = bldominates(&processclearance, &filesenslabel);

    /* Test results */
    if (retvalsens > 0 && retvalclearance > 0) {
        /* Change file CMW label or write-up to file */
    } else if (retvalsens == 0) {
        /* Process label does not dominate the file label: */
        /* turn on error message or make appropriate privilege effective */
    } else if (retvalclearance == 0) {
        /* Process clearance does not dominate the file label: */
        /* turn on error message or make appropriate privilege effective */
    }
    return 0;
}
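The write-up rule from the opening paragraph, modelled portably as an added example; it is not Trusted Solaris code and not part of the original guide. It assumes a label is a classification number plus a compartment bitmask; `struct label`, `dominates` and `write_check` are hypothetical names, and the sample labels are constructed.

```c
#include <stdio.h>

/* Simplified stand-in for a binary sensitivity label or clearance
 * (assumption: one classification number plus a compartment bitmask). */
struct label {
    int classification;         /* higher number = more sensitive */
    unsigned int compartments;  /* one bit per compartment */
};

enum write_result { WRITE_ALLOWED, WRITE_NEEDS_PRIVILEGE };

/* Constructed sample labels; bit 0 = compartment A, bit 1 = compartment B */
static const struct label process_sl = { 1, 0x1 };  /* level 1, {A} */
static const struct label clearance  = { 3, 0x1 };  /* level 3, {A} */
static const struct label file_up    = { 2, 0x1 };  /* between label and clearance */
static const struct label file_high  = { 4, 0x1 };  /* above the clearance */
static const struct label file_other = { 2, 0x2 };  /* {B}: incomparable with {A} */

/* a dominates b when a's classification is at least b's and a's
 * compartments include every compartment of b. */
int dominates(const struct label *a, const struct label *b)
{
    return a->classification >= b->classification &&
           (a->compartments & b->compartments) == b->compartments;
}

/* Rule from the opening paragraph: the file label must dominate the process
 * label, and the process clearance must dominate the file label. */
enum write_result write_check(const struct label *proc,
                              const struct label *clear,
                              const struct label *file)
{
    if (dominates(file, proc) && dominates(clear, file))
        return WRITE_ALLOWED;
    return WRITE_NEEDS_PRIVILEGE;
}

int main(void)
{
    /* 0 = allowed, 1 = needs privilege */
    printf("up=%d high=%d other=%d\n",
           write_check(&process_sl, &clearance, &file_up),
           write_check(&process_sl, &clearance, &file_high),
           write_check(&process_sl, &clearance, &file_other));
    return 0;
}
```

The `file_other` case shows that two labels can be incomparable: neither dominates the other, so the check fails even though the file's classification lies between the process label and the clearance.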