Oracle Solaris Trusted Extensions Developer's Guide

Labeled Zones

Non-global zones are called labeled zones. Each labeled zone has a unique label. All objects within a labeled zone have the same label. For example, all processes that run in a labeled zone have the same label. All files that are writable in a labeled zone have the same label. A user who is cleared for more than one label has access to a labeled zone at each label.

Trusted Extensions defines a set of label APIs for zones. These APIs obtain the labels that are associated with labeled zones and the path names within those zones:

For more information about these APIs, see Accessing Labels in Zones.

The label of a file is based on the label of the zone or of the host that owns the file. Therefore, when you relabel a file, the file must be moved to the appropriate labeled zone or to the appropriate labeled host. This process of relabeling a file is also referred to as reclassifying a file. The setflabel() library routine relabels a file by moving it to the zone whose label matches the new label. To relabel a file, a process must assert the file_upgrade_sl privilege when the new label dominates the current label, or the file_downgrade_sl privilege when the new label is dominated by the current label. See the getlabel(2) and setflabel(3TSOL) man pages.

For more information about setting privileges, see Chapter 2, Developing Privileged Applications, in Oracle Solaris Security for Developers Guide.