This procedure is a prerequisite for a user to be able to relabel files.
You must be in the Security Administrator role in the global zone.
Halt the zone whose configuration you want to change.
# zoneadm -z zone-name halt
Configure the zone to enable relabeling.
Add the appropriate privileges to the zone. The windows privileges enable users to use drag-and-drop and cut-and-paste operations.
To enable downgrades, add the file_downgrade_sl privilege to the zone.
# zonecfg -z zone-name
zonecfg:zone-name> set limitpriv=default,win_dac_read,win_mac_read,win_dac_write,win_mac_write,win_selection,file_downgrade_sl
zonecfg:zone-name> exit
To enable upgrades, add the sys_trans_label and file_upgrade_sl privileges to the zone.
# zonecfg -z zone-name
zonecfg:zone-name> set limitpriv=default,win_dac_read,win_mac_read,win_dac_write,win_mac_write,win_selection,sys_trans_label,file_upgrade_sl
zonecfg:zone-name> exit
To enable both upgrades and downgrades, add all three privileges to the zone.
# zonecfg -z zone-name
zonecfg:zone-name> set limitpriv=default,win_dac_read,win_mac_read,win_dac_write,win_mac_write,win_selection,sys_trans_label,file_downgrade_sl,file_upgrade_sl
zonecfg:zone-name> exit
Restart the zone.
# zoneadm -z zone-name boot
For the user and process requirements that permit relabeling, see the setflabel(3TSOL) man page. To authorize a user to relabel files, see How to Enable a User to Change the Security Level of Data.
In this example, the security administrator wants to enable authorized users on a system to upgrade files. By enabling users to upgrade information, the administrator enables them to protect the information at a higher level of security. In the global zone, the administrator runs the following zone administration commands.
# zoneadm -z internal halt
# zonecfg -z internal
zonecfg:internal> set limitpriv=default,sys_trans_label,file_upgrade_sl
zonecfg:internal> exit
# zoneadm -z internal boot
Authorized users can now upgrade internal information to restricted from the internal zone.
In this example, the security administrator wants to enable authorized users on a system to downgrade files. Because the administrator does not add the windows privileges to the zone, authorized users cannot use the File Manager to relabel files. To relabel files, users use the setlabel command instead.
By enabling users to downgrade information, the administrator permits users at a lower level of security to access the files. In the global zone, the administrator runs the following zone administration commands.
# zoneadm -z restricted halt
# zonecfg -z restricted
zonecfg:restricted> set limitpriv=default,file_downgrade_sl
zonecfg:restricted> exit
# zoneadm -z restricted boot
Authorized users can now downgrade restricted information to internal or public from the restricted zone by using the setlabel command.
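The following audit helper is an added example, not part of the Trusted Extensions documentation: it takes a zone's limitpriv value and reports which relabeling operations the procedure above permits (downgrade needs file_downgrade_sl; upgrade needs both sys_trans_label and file_upgrade_sl; File Manager relabeling needs the win_ privileges), flagging a file_upgrade_sl grant that lacks sys_trans_label. It assumes that zonecfg -z zone-name info limitpriv prints a line of the form "limitpriv: ..."; the sample lines are constructed to match the two example zones.

```shell
#!/bin/sh
# Added audit helper, not from the Trusted Extensions documentation.
# Reports which relabeling operations a zone's limitpriv value permits:
#   downgrade : file_downgrade_sl
#   upgrade   : sys_trans_label AND file_upgrade_sl
#   windows   : all five win_* privileges (File Manager drag-and-drop / cut-and-paste)

# has_priv LIST NAME -> true if NAME is in the comma-separated LIST
has_priv() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# relabel_caps LIST -> prints space-separated capabilities, or "none"
relabel_caps() {
    privs=$1
    caps=""
    if has_priv "$privs" file_downgrade_sl; then
        caps="$caps downgrade"
    fi
    if has_priv "$privs" file_upgrade_sl; then
        if has_priv "$privs" sys_trans_label; then
            caps="$caps upgrade"
        else
            # file_upgrade_sl without sys_trans_label: flag the incomplete grant
            caps="$caps upgrade-incomplete"
        fi
    fi
    win_ok=1
    for p in win_dac_read win_mac_read win_dac_write win_mac_write win_selection; do
        has_priv "$privs" "$p" || win_ok=0
    done
    [ "$win_ok" -eq 1 ] && caps="$caps windows"
    [ -n "$caps" ] || caps=" none"
    printf '%s\n' "${caps# }"
}

# audit_limitpriv_line LINE -> audits one "limitpriv: ..." line (assumed to be
# the form that `zonecfg -z zone-name info limitpriv` prints)
audit_limitpriv_line() {
    relabel_caps "${1#limitpriv: }"
}

# Constructed sample lines matching the two example zones above
audit_limitpriv_line "limitpriv: default,sys_trans_label,file_upgrade_sl"   # upgrade
audit_limitpriv_line "limitpriv: default,file_downgrade_sl"                 # downgrade
```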