Mandatory and discretionary access is required to get information on an MLD or SLD, and to access objects within an SLD with the fully adorned path name.
When considering the mandatory and discretionary access rules presented in Chapter 1, Introduction to the API and Security Policy, the SLD is a component in the path name leading to the final file system object. The calling process needs mandatory and discretionary search access to the SLD and the appropriate access to the final object. Privileges may be required if access is denied.
To get the SLD name for a specified sensitivity label within an MLD, the calling process needs the following privileges in the following situations:
The calling process needs the file_upgrade_sl privilege in its effective set if the process sensitivity label is strictly dominated by the SLD sensitivity label.
The calling process needs the file_downgrade_sl privilege in its effective set if the SLD sensitivity label dominates the process's sensitivity label.