Trusted Extensions Configuration and Administration

Updated: July 2014

NFS Server and Client Configuration in Trusted Extensions

Lower-level directories can be made visible to users in a higher-level zone. The NFS server for the lower-level directories can be a Trusted Extensions system or an untrusted system.

The trusted system requires server configuration. The untrusted system requires client configuration.

  • NFS server configuration on a trusted system – To make lower-level directories from a trusted system visible in a labeled zone, you must configure the server.

    • In the global zone on the NFS server, you must configure the NFS service as a multilevel service.

    • From the global zone, you must add the net_bindmlp privilege to the limitpriv privilege set of the labeled zone.

    • In the labeled zone, you export the ZFS file system by setting its share properties. When the status of the labeled zone is running, the file system is shared at the label of the zone. For the procedure, see How to Share File Systems From a Labeled Zone.

  • NFS client configuration for an untrusted NFS server – Because the server is not trusted, the NFS client must be trusted. The net_mac_aware privilege must be specified in the zone configuration file that is used during initial zone configuration. So, a user who is permitted to view all lower-level home directories must have the net_mac_aware privilege in every zone, except the lowest zone. For an example, see How to NFS Mount Files in a Labeled Zone.
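The privilege requirements above can be audited from the global zone by inspecting each labeled zone's configuration. The following script is an added example, not part of the original documentation: it reads the text produced by `zonecfg -z zone-name export` and checks whether net_bindmlp (server case) or net_mac_aware (client case) is listed in limitpriv. The zone names, zone paths and sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `zonecfg -z <zone> export` text on stdin and checks
# the limitpriv line. Sample configurations are constructed.

# limitpriv_has PRIV: return 0 if PRIV is listed in limitpriv and not
# removed by a later "!PRIV" or "-PRIV" entry. The "default" and "all"
# keywords are not expanded, so only explicitly listed privileges match.
limitpriv_has() {
    awk -v want="$1" '
        /^set limitpriv=/ {
            val = $0
            sub(/^set limitpriv=/, "", val)
            gsub(/"/, "", val)              # value may be quoted
            n = split(val, p, ",")
            found = 0
            for (i = 1; i <= n; i++) {
                if (p[i] == want) found = 1
                else if (p[i] == "!" want || p[i] == "-" want) found = 0
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed: labeled zone on a trusted NFS server (shares lower-level data).
sample_server_zone() {
    printf '%s\n' 'create -b' 'set zonepath=/zone/public' \
        'set brand=labeled' 'set limitpriv=default,net_bindmlp'
}

# Constructed: higher-level client zone that mounts from an untrusted server.
sample_client_zone() {
    printf '%s\n' 'create -b' 'set zonepath=/zone/internal' \
        'set brand=labeled' 'set limitpriv="default,net_mac_aware"'
}

# Constructed: zone with no limitpriv line (privilege never added).
sample_unconfigured_zone() {
    printf '%s\n' 'create -b' 'set zonepath=/zone/restricted' 'set brand=labeled'
}

# report LABEL PRIV: print one audit line for the export text on stdin.
report() {
    if limitpriv_has "$2"; then echo "$1: $2 present"
    else echo "$1: $2 MISSING"; fi
}

sample_server_zone       | report public     net_bindmlp
sample_client_zone       | report internal   net_mac_aware
sample_unconfigured_zone | report restricted net_mac_aware
```

On a live system, replace a sample function with the real command, for example `zonecfg -z zone-name export | report zone-name net_mac_aware`.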