Labels appear on the desktop and on output that is executed on the desktop, such as printer output.
Applications – Applications start processes. These processes run at the label of the workspace where the application is started. An application in a labeled zone, as a file, is labeled at the label of the zone.
Devices – Data flowing through devices is controlled through device allocation and device label ranges. To use a device, users must be within the label range of the device, and be authorized to allocate the device.
File system mount points – Every mount point has a label. The label is viewable by using the getlabel command.
IPsec and IKE – IPsec security associations and IKE rules have labels.
Network interfaces – IP addresses (hosts) have templates that describe their label range. Unlabeled hosts also have a default label.
Printers and printing – Printers have label ranges. Labels are printed on body pages. Labels, handling information, and other security information is printed on the banner and trailer pages. To configure printing in Trusted Extensions, see Chapter 21, Managing Labeled Printing (Tasks) and Labels on Printed Output in Solaris Trusted Extensions Label Administration.
Processes – Processes are labeled. Processes run at the label of the workspace where the process originates. The label of a process is visible by using the plabel command.
Users – Users are assigned a default label and a label range. The label of the user's workspace indicates the label of the user's processes.
Windows – Labels are visible at the top of desktop windows. The label of the desktop is also indicated by color. The color appears on the desktop switch and above window title bars.
When a window is moved to a differently labeled workspace, the window maintains its original label.
Zones – Every zone has a unique label. The files and directories that are owned by a zone are at the zone's label. For more information, see the getzonepath(1) man page.