Trusted Solaris Administration Overview

How Labeled Files are Stored

In the Trusted Solaris environment, labels are automatically associated with all files and directories, and are stored as extended attributes of the file. These attributes are protected by privilege and mandatory controls.

In addition, special directories called multilevel directories (MLDs) allow files to be isolated by label in subdirectories called single-level directories (SLDs). SLDs are transparent to users and applications.

The purpose of MLDs is to enable applications that are running at different labels to write into what appears to be the same directory. For example, the /tmp directory is often used by multiple applications. For that reason, /tmp is an MLD. Applications are not aware that when they write a file into /tmp they are actually writing the file into the SLD within /tmp that has the label at which the application is running. If a single-level directory corresponding to the label does not yet exist, the Trusted Solaris environment creates one automatically.

New MLDs are built by creating a new folder in File Manager using the MLD option, or at the command line using the -M option of the mkdir(1) command. The crontab(1) and at-job directories are shipped as MLDs so that you can set up batch jobs for a user that run at different labels. See the "Administering cron, at, and batch Jobs" section in Trusted Solaris Administrator's Procedures.

Home directories are MLDs so that accounts can create files and folders at different labels within their home directories. When user or role accounts change into their home directories, they do not need to be aware that they have actually changed into an SLD that is at the same label as their current workspace. For example, when setting up a new account for user janez, the Users tool creates the home directory /export/home/janez as an MLD. When the user janez changes to her home directory, she is automatically and transparently redirected to an SLD within her home directory MLD. The SLD has the same label as her current workspace, so if the workspace has a label of NEED_TO_KNOW, she changes into the SLD that has the NEED_TO_KNOW label.

To allow normal users to create their own MLDs, the administrator role must first create a new directory that is not an MLD and make it writable by normal users. For example, an administrator could create a directory called /myDir/doc, mounted and writable by all developers at a single label, so that design specifications and other project-wide documentation can be kept in one commonly accessible place. Anyone in the development group could then create a new directory within that directory and make it an MLD. If desired, the MLD adornment prefix can be changed from its default at mount time using the mount(1M) command.

Multilevel directory names contain the hidden string .MLD., referred to as an adornment. The adornment is prefixed to the directory name but is not visible to standard UNIX commands.

Single-level directories are named .SLD.n, where the number n represents the order in which the SLDs in the multilevel directory were created. Thus, the single-level directories are named .SLD.0, .SLD.1, and so on. The implementation is transparent, so directory names with adornments are not displayed except through the special commands in the table below. A user with appropriate privileges can view the contents of a hidden directory outside of the current SLD by explicitly specifying the adornments in the path.

Table 1-6 Adornment-Related Commands

Command Name        Description

adornfc(1)          Displays the specified directory path name with the
                    final component adorned, that is, with the .MLD. or
                    .SLD. string that identifies whether the directory is
                    multilevel or single-level.

getfattrflag(1)     With the -m option, reports whether the directory is
                    an MLD.

getmldadorn(1)      Displays the MLD adornment of the file system on which
                    the specified path name resides.

getsldname(1)       Displays the name of the single-level directory that
                    corresponds to the label of the current process within
                    the multilevel directory referred to by the path name.

mkdir(1)            With the -M option, or when the directory name carries
                    the .MLD. adornment, creates a new MLD.

mldpwd(1)           Displays the path name of the current working
                    directory, including any MLD adornments and SLD names.

mldrealpath(1)      Displays the canonicalized absolute path name,
                    including any MLD adornments and SLD names. It expands
                    all symbolic links and resolves references to the
                    special components /. and /.. in path names. The
                    resulting path contains no special components, no
                    unadorned multilevel directories, and no hidden SLD
                    names.

rm(1), rmdir(1)     When used with the -R option, the -M option removes
                    SLD subdirectories recursively.
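The transparent redirection described above (the /tmp MLD, home directories created as MLDs, a developer's own MLD under a plain writable directory) and the behaviour of mkdir -M, mldrealpath and getsldname from Table 1-6 can be followed in a small in-memory simulation. The Python program below is an added example, not Trusted Solaris code or a Sun tool. It keeps a dictionary of real (adorned) directories, creates .SLD.n on the first access at a new label, strips adornments from the normal view, and follows explicitly adorned path components only for a caller flagged as privileged, which stands in for the real system's privilege and mandatory access checks. The labels, paths and the LabeledTree and build_example names are constructed for the example.

```python
import posixpath

MLD_ADORN = ".MLD."   # adornment prefixed to a multilevel directory's name
SLD_PREFIX = ".SLD."  # single-level directories are numbered .SLD.0, .SLD.1, ...


class LabeledTree:
    """In-memory model of an MLD/SLD tree (added example, not Trusted Solaris code)."""

    def __init__(self):
        self.dirs = {"/": set()}   # real (adorned) directory path -> names of its entries
        self.mlds = {}             # real MLD path -> {label: SLD name}
        self.files = {}            # real file path -> label it was written at

    def _add_entry(self, parent_real, name, is_dir):
        real = posixpath.join(parent_real, name)
        self.dirs[parent_real].add(name)
        if is_dir:
            self.dirs[real] = set()
        return real

    def _sld_for(self, mld_real, label):
        """SLD for `label` inside an MLD; created on first use, numbered in creation order."""
        slds = self.mlds[mld_real]
        if label not in slds:
            slds[label] = f"{SLD_PREFIX}{len(slds)}"
            self._add_entry(mld_real, slds[label], True)
        return posixpath.join(mld_real, slds[label])

    def resolve(self, path, label, privileged=False):
        """Real adorned directory for `path` as seen by a process at `label`
        (what mldrealpath would print). A plain MLD name is redirected into
        the caller's SLD; explicit .MLD./.SLD. components are followed as
        given and, in this model, require privilege."""
        parts = [p for p in posixpath.normpath(path).split("/") if p]
        real = "/"
        for i, comp in enumerate(parts):
            entries = self.dirs[real]
            explicit = comp.startswith((MLD_ADORN, SLD_PREFIX))
            if explicit:
                if not privileged:
                    raise PermissionError(f"{comp}: adorned names need privilege")
                name = comp
            elif MLD_ADORN + comp in entries:
                name = MLD_ADORN + comp      # unadorned name of an MLD
            elif comp in entries:
                name = comp
            else:
                raise FileNotFoundError(posixpath.join(real, comp))
            real = posixpath.join(real, name)
            if real not in self.dirs:
                raise NotADirectoryError(real)
            next_is_sld = i + 1 < len(parts) and parts[i + 1].startswith(SLD_PREFIX)
            if real in self.mlds and not explicit and not next_is_sld:
                real = self._sld_for(real, label)   # transparent redirection into the SLD
        return real

    def mkdir(self, path, label, mld=False, privileged=False):
        """mkdir; `mld=True` models mkdir -M, and an adorned name also creates an MLD."""
        parent, name = posixpath.split(posixpath.normpath(path))
        parent_real = self.resolve(parent, label, privileged)
        if mld or name.startswith(MLD_ADORN):
            if not name.startswith(MLD_ADORN):
                name = MLD_ADORN + name
            real = self._add_entry(parent_real, name, True)
            self.mlds[real] = {}
            return real
        return self._add_entry(parent_real, name, True)

    def write(self, path, label):
        """Create a file; inside an MLD it lands in the SLD for `label`."""
        parent, name = posixpath.split(posixpath.normpath(path))
        real = self._add_entry(self.resolve(parent, label), name, False)
        self.files[real] = label
        return real

    def ls(self, path, label, privileged=False):
        """Visible entry names; the normal (unprivileged) view strips MLD adornments."""
        names = self.dirs[self.resolve(path, label, privileged)]
        if privileged:
            return sorted(names)
        return sorted(n[len(MLD_ADORN):] if n.startswith(MLD_ADORN) else n for n in names)

    def getsldname(self, path, label):
        """SLD name for `label` inside the MLD at `path`, or None if `path` is not an MLD."""
        real = self.resolve(path, label)
        return posixpath.basename(real) if posixpath.dirname(real) in self.mlds else None


def build_example():
    """Constructed sample tree following the text; labels and paths are made up for the example."""
    fs = LabeledTree()
    fs.mkdir("/tmp", "ADMIN_LOW", mld=True)                  # /tmp ships as an MLD
    fs.write("/tmp/scratch", "INTERNAL Eng")                 # goes to /.MLD.tmp/.SLD.0
    fs.write("/tmp/scratch", "TOP SECRET")                   # same visible name, /.MLD.tmp/.SLD.1
    fs.mkdir("/export", "ADMIN_LOW")
    fs.mkdir("/export/home", "ADMIN_LOW")
    fs.mkdir("/export/home/janez", "ADMIN_LOW", mld=True)    # home directory created as an MLD
    fs.mkdir("/export/home/janez/notes", "NEED_TO_KNOW")     # lands inside janez's .SLD.0
    fs.mkdir("/myDir", "ADMIN_LOW")
    fs.mkdir("/myDir/doc", "ADMIN_LOW")                      # plain directory writable by developers
    fs.mkdir("/myDir/doc/specs", "INTERNAL Eng", mld=True)   # a developer's own MLD
    fs.write("/myDir/doc/specs/design.txt", "INTERNAL Eng")
    return fs


if __name__ == "__main__":
    fs = build_example()
    print(fs.resolve("/tmp", "TOP SECRET"))                     # /.MLD.tmp/.SLD.1
    print(fs.ls("/tmp", "INTERNAL Eng"))                        # ['scratch']
    print(fs.ls("/.MLD.tmp", "ADMIN_HIGH", privileged=True))    # ['.SLD.0', '.SLD.1']
    print(fs.getsldname("/export/home/janez", "NEED_TO_KNOW"))  # .SLD.0
```

Two processes at different labels both write /tmp/scratch and neither overwrites the other, because each is redirected into its own SLD; a process at a label with no SLD yet gets one numbered after the existing ones, which is why the SLD number says nothing about the label it holds. Listing /.MLD.tmp with the adornment spelled out bypasses the redirection and shows the SLDs themselves, which the model, like the real system, only permits to a privileged caller.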

The following figure illustrates the normal view of an SLD, depicting directories as ovals, files as rectangles, visible items with solid lines and bold type, and hidden items with dashed lines and normal type. In this case, the user is operating at the NEED_TO_KNOW Eng Mkt label and runs the ls command shown on the left side of the figure. Only the files in the SLD at the user's current label are visible. The actual structure and contents of myHomeDir, which is a multilevel directory, are shown on the right of the figure.

Figure 1-4 Normal Viewing of a Directory


The following figure shows how a user with the appropriate privilege can view directory contents outside the SLD for the current sensitivity label (SL). By typing ls /.MLD.myHomeDir/.SLD.*, the user sees all the hidden directories in the multilevel directory, in this case .SLD.0, which contains files with an SL of INTERNAL Eng, and .SLD.1, which holds a TOP SECRET file.

Figure 1-5 Viewing the Contents of Multiple SLDs
