Services started by inetd(1M) run with the label and clearance of the client. inetd also starts services with other attributes of the client if the following are specified in inetd.conf(4):
If the uid field has the keyword CLIENT, the services start with the client's UID, GID, primary and any secondary groups.
If the wait-status field contains the setaudit flag, the services are started with the client's audit characteristics.
In addition:
If the wait-status field contains the trusted flag, the trusted path attribute is available to the service.
The Security Administrator can specify privileges and a label range by adding the service to the inetd rights profile and assigning the service the desired privileges and a label range.
If an entry in the inetd profile assigns privileges to the service, the service inherits the specified privileges.
If an entry in the inetd profile specifies minimum and maximum labels, inetd verifies that the label of the client is within the specified label range. If the label of the client is not within the label range, the service is not executed.
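The rules above can be modelled as follows. This is an added illustration, not inetd's own code. It assumes a label is a hierarchical level plus a set of compartments and that "within the label range" means the usual dominance test. The dictionary keys, the privilege name example_priv and all sample values are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    level: int                              # hierarchical classification (constructed scale)
    compartments: frozenset = frozenset()   # non-hierarchical compartments

    def dominates(self, other):
        # Dominance: at least as high a level AND a superset of the compartments.
        return self.level >= other.level and self.compartments >= other.compartments

def in_range(label, minimum, maximum):
    # Within range: the maximum dominates the label and the label dominates the minimum.
    return maximum.dominates(label) and label.dominates(minimum)

def start_service(client, conf, profile=None):
    """Return the attributes a service starts with, or None if it is not executed."""
    profile = profile or {}
    if "label_range" in profile:
        minimum, maximum = profile["label_range"]
        if not in_range(client["label"], minimum, maximum):
            return None                     # client label outside the range
    # Label and clearance always come from the client.
    attrs = {"label": client["label"], "clearance": client["clearance"]}
    if conf.get("uid") == "CLIENT":         # CLIENT keyword in the uid field
        attrs.update(uid=client["uid"], gid=client["gid"], groups=client["groups"])
    flags = conf.get("wait_status_flags", set())
    if "setaudit" in flags:                 # client's audit characteristics
        attrs["audit"] = client["audit"]
    if "trusted" in flags:                  # trusted path attribute available
        attrs["trusted_path"] = True
    if "privileges" in profile:             # privileges assigned in the inetd profile
        attrs["privileges"] = set(profile["privileges"])
    return attrs

# Constructed sample data (hypothetical values).
CLIENT = {"label": Label(1, frozenset({"A"})), "clearance": Label(2, frozenset({"A"})),
          "uid": 1001, "gid": 10, "groups": [10, 14], "audit": "client-audit-state"}
CONF = {"uid": "CLIENT", "wait_status_flags": {"setaudit", "trusted"}}
PROFILE = {"privileges": {"example_priv"},
           "label_range": (Label(1), Label(2, frozenset({"A", "B"})))}

if __name__ == "__main__":
    print(start_service(CLIENT, CONF, PROFILE))
    # Level 1 lies between the bounds, but compartment C is not in the maximum.
    outside = dict(CLIENT, label=Label(1, frozenset({"C"})))
    print(start_service(outside, CONF, PROFILE))
```

In this model a client label can fall outside the range even when its level lies between the two bounds, because a compartment that the maximum label lacks makes the labels incomparable.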