Trusted Extensions Configuration and Administration


Updated: July 2014

Trusted Extensions Policy for Single-Level Datasets

For single-level datasets, the mount policy prevents any NFS or LOFS mounts that would violate MAC. For example, a zone's label must dominate all of its mounted file system labels, and only equally labeled file systems can be mounted with read-write permissions. Any shared file systems that belong to other zones or to NFS servers are mounted at the label of the owner.

The following summarizes the behavior of NFS-mounted single-level datasets:

  • In the global zone, all mounted files can be viewed, but only files that are labeled ADMIN_HIGH can be modified.

  • In a labeled zone, all mounted files that are equal to or lower than the label of the zone can be viewed, but only files at the label of the zone can be modified.

  • On an untrusted system, only file systems from a labeled zone whose label is the same as the untrusted system's assigned label can be viewed and modified.

For LOFS-mounted single-level datasets, the mounted files can be viewed. Because they are at the label ADMIN_LOW, they cannot be modified.
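The mount policy above and the NFS summary that follows it are both instances of one rule: a mount is refused unless the zone's label dominates the file system's label, and read-write access is granted only when the two labels are equal. The following is an added example, not code from the Trusted Extensions product or its documentation, that models that rule in Python so the three cases (global zone, labeled zone, untrusted system) and the LOFS case can be checked side by side. The label lattice (PUBLIC, CNF_INTERNAL, CNF_RESTRICTED and their levels and compartments) is constructed for the example and is not a real label_encodings file; ADMIN_HIGH and ADMIN_LOW are treated as the top and bottom of the lattice, and the helper names (Label, mount_access, untrusted_access, lofs_access) are this example's own.

```python
"""Model of the Trusted Extensions single-level mount policy (added example).

Labels are modelled as a classification level plus a set of compartments,
which is enough to show dominance. ADMIN_HIGH dominates every label and
ADMIN_LOW is dominated by every label. The lattice below is constructed for
this example; it is not a real label_encodings file.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    name: str
    level: int
    compartments: frozenset

    def dominates(self, other: "Label") -> bool:
        """True when self is equal to or higher than other in the lattice."""
        if self.name == "ADMIN_HIGH" or other.name == "ADMIN_LOW":
            return True
        if self.name == "ADMIN_LOW" or other.name == "ADMIN_HIGH":
            return False
        # Ordinary labels: higher-or-equal level and a superset of compartments.
        return (self.level >= other.level
                and self.compartments >= other.compartments)


# Constructed lattice: ADMIN_LOW < PUBLIC < {CNF_INTERNAL, CNF_RESTRICTED} < ADMIN_HIGH.
# CNF_INTERNAL and CNF_RESTRICTED share a level but differ in compartment,
# so neither dominates the other.
ADMIN_LOW = Label("ADMIN_LOW", 0, frozenset())
PUBLIC = Label("PUBLIC", 1, frozenset())
CNF_INTERNAL = Label("CNF_INTERNAL", 2, frozenset({"internal"}))
CNF_RESTRICTED = Label("CNF_RESTRICTED", 2, frozenset({"restricted"}))
ADMIN_HIGH = Label("ADMIN_HIGH", 99, frozenset())


def mount_access(zone_label: Label, fs_label: Label) -> str:
    """Access a zone (global or labeled) gets to a single-level dataset.

    The zone's label must dominate the file system label, otherwise the mount
    would violate MAC and is refused ("deny"). Equal labels give read-write
    ("rw"); a strictly lower file system label gives read-only ("ro").
    """
    if not zone_label.dominates(fs_label):
        return "deny"
    return "rw" if zone_label == fs_label else "ro"


def untrusted_access(assigned_label: Label, fs_label: Label) -> str:
    """An untrusted (single-label) system sees only its own assigned label."""
    return "rw" if assigned_label == fs_label else "deny"


def lofs_access(zone_label: Label) -> str:
    """LOFS-mounted single-level datasets are at ADMIN_LOW: viewable, never writable
    from any zone whose label is above ADMIN_LOW."""
    return mount_access(zone_label, ADMIN_LOW)


if __name__ == "__main__":
    # Print the access matrix for each zone label against each dataset label.
    labels = [ADMIN_LOW, PUBLIC, CNF_INTERNAL, CNF_RESTRICTED, ADMIN_HIGH]
    print("zone label      " + "".join(f"{l.name:>15}" for l in labels))
    for zone in labels[1:]:  # no zone runs at ADMIN_LOW
        row = "".join(f"{mount_access(zone, fs):>15}" for fs in labels)
        print(f"{zone.name:<16}{row}")
    print("untrusted PUBLIC -> CNF_INTERNAL:", untrusted_access(PUBLIC, CNF_INTERNAL))
    print("LOFS from PUBLIC zone:", lofs_access(PUBLIC))
```

Reading the matrix row for ADMIN_HIGH reproduces the first bullet (everything viewable, only ADMIN_HIGH writable); the CNF_INTERNAL row reproduces the second (equal or lower labels viewable, only the equal label writable) and also shows that an incomparable label such as CNF_RESTRICTED is refused outright; untrusted_access reproduces the third bullet; and lofs_access shows why ADMIN_LOW LOFS datasets are read-only from every zone.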