As described in Labeled Workspaces, labels appear on windows on the desktop. On a single-label system, you might not want labels to be visible. Label visibility is configurable in the policy.conf file for a system for individual users. For a pointer to the configuration procedures, see Managing Label Encodings (Task Map).
Typically, the content of files at a lower label can be read by a user at a higher label. For example, system files and commonly-available executables are assigned an ADMIN_LOW label. According to the read down-read equal rule, accounts who work at any label can read ADMIN_LOW files. As in the Solaris OS, DAC permissions can prevent read access. Zones also protect files from being read. If a lower-level zone is not mounted, a user in a higher-level zone cannot access the files for reading.
Files that contain data that should not be viewed by ordinary users, such as system log files and the label_encodings files, are maintained at ADMIN_HIGH. To allow administrators access to protected system files, the ADMIN_LOW and ADMIN_HIGH administrative labels are assigned as the minimum label and clearance for roles.