Follow these guidelines when your application changes its own sensitivity label or the sensitivity label of another object.
Upgrade a sensitivity label whenever possible.
A program that upgrades a sensitivity label is safer than a program that downgrades a sensitivity label because application errors that cause information leaks upgrade the data, rather than downgrade it. Upgrading data results in the over classification of the data, but is not a security breach. You can use privileges to downgrade a sensitivity label, but use these privileges very carefully.
Never change a process sensitivity label more than once. Changes to the process sensitivity label increase the possibility of accidentally transmitting data between different levels. Any change to the process sensitivity label is an upgrade or downgrade of the information in the process address space.
Close all file descriptors when changing a file or process sensitivity label so sensitive data is not available to other processes.