More About Labels

A label can only be changed by a user or an administrator who has the appropriate authorization.

Authorizations for Upgrading and Downgrading Labels

The authorization to change a label to one that dominates it is called the Upgrade File Label authorization. The authorization to change a label to one that it dominates is called the Downgrade File Label authorization. For definitions for these authorizations, see /etc/security/auth_attr.

Options for Restricting Users to a Single Label

If the system is configured to run with only a single label, all non-administrative user accounts on that system are restricted to work at that single label. In such systems, the clearance for every user's account would logically need be set to be equal to the account's minimum label.

In systems running with multiple sensitivity labels, any account may be restricted to work at a single label if the security administrator role sets the account's clearance equal to its minimum label.

When the security administrator role has configured an account with a account label range that includes multiple labels, the user can voluntarily restrict a working session to a single label, which is explained in the next section.

Label Translation

Label translation occurs whenever programs manipulate labels. Labels are translated to and from the character-coded strings to the binary representation. For example, when a program such as getlabel(1) gets the label of a file, before the label can display to the user, the binary representation of the label must be translated into human-readable form. And when the setlabel(1) program sets a label specified on the command line, the character-coded string that makes up the label's name must be translated to the label's internal representation. The Trusted Solaris system permits label translations only if the calling process's label dominates the label to be translated. If a process attempts to translate a label that the process' SL does not dominate, the translation is disallowed. The sys_trans_label privilege overrides this restriction.

So, for example, when a program has the sys_trans_label privilege in its effective privilege set, the program can translate labels that dominate its process label.