JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Trusted Extensions Developer's Guide     Oracle Solaris 10 1/13 Information Library
search filter icon
search icon

Document Information


1.  Trusted Extensions APIs and Security Policy

2.  Labels and Clearances

3.  Label Code Examples

Obtaining a Process Label

Obtaining a File Label

Setting a File Sensitivity Label

Determining the Relationship Between Two Labels

Obtaining the Color Names of Labels

Obtaining Printer Banner Information

4.  Printing and the Label APIs

5.  Interprocess Communications

6.  Trusted X Window System

7.  Label Builder APIs

8.  Trusted Web Guard Prototype

9.  Experimental Java Bindings for the Solaris Trusted Extensions Label APIs

A.  Programmer's Reference

B.  Trusted Extensions API Reference


Setting a File Sensitivity Label

When you change the sensitivity label of a file, the file is moved to a new zone that matches the file's new label.

In this code example, the process is running at the CONFIDENTIAL label. The user who is running the process has a TOP SECRET clearance. The TOP SECRET label dominates the CONFIDENTIAL label. The process upgrades the sensitivity label to TOP SECRET. The user needs the Upgrade File Label RBAC authorization to successfully perform the upgrade.

The following program is called upgrade-afile.

#include <tsol/label.h>

   int retval, error;
   m_label_t *fsenslabel;
   char *string = “TOP SECRET”;
   *string1 = “TOP SECRET”;

   /* Create new sensitivity label value */
   if ((retval = str_to_label(string, &fsenslabel, MAC_LABEL, L_DEFAULT, &err)) != 0) {
        perror("str_to_label(MAC_LABEL, L_DEFAULT) failed");

   /* Set file label to new value */
   if ((retval = setflabel(“/export/home/zelda/afile”, &fsenslabel)) != 0) {
        perror("setflabel(“/export/home/zelda/afile”) failed");


The result of running this program depends on the process's label, relative to the label of the file that was passed to the process.

Before and after you run this program, you use the getlabel command to verify the file's label. As the following shows, before the program runs, the label for afile is CONFIDENTIAL. After the program runs, the label for afile is TOP SECRET.

% pwd
% getlabel afile
% update-afile
% getlabel afile

If you run the getlabel command from a window labeled CONFIDENTIAL after you reclassified the file, it is no longer visible. If you run the getlabel command in a window labeled TOP SECRET, you can see the reclassified file.