Trusted Extensions Configuration and Administration


Updated: July 2014
 
 

How to Enable a User to Change the Security Level of Data

A regular user or a role can be authorized to change the security level, or labels, of files and directories or of selected text. In addition to having the authorization, the user or role must be configured to work at more than one label, and the labeled zones must be configured to permit relabeling. For the procedure, see How to Enable Files to Be Relabeled From a Labeled Zone.


Caution  - Changing the security level of data is a privileged operation. This task is for trustworthy users only.


Before You Begin

You must be in the Security Administrator role in the global zone.

Example 11-5  Enabling a User to Upgrade But Not to Downgrade a File's Label

The Object Label Management rights profile enables users to upgrade and downgrade labels. In this example, the administrator permits a trusted user to upgrade data, but not to downgrade it.

The administrator creates a rights profile that is based on the Object Label Management profile, and removes the Downgrade File Label and Downgrade DragNDrop or CutPaste Info authorizations in the new profile.

# profiles -p "Object Label Management"
profiles:Object Label Management> set name="Object Upgrade"
profiles:Object Upgrade> info auths
...
profiles:Object Upgrade> remove auths="solaris.label.file.downgrade,solaris.label.win.downgrade"
profiles:Object Upgrade> commit
profiles:Object Upgrade> end

Then, the administrator assigns the profile to a trusted user.

# usermod -P +"Object Upgrade" jdoe
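After the assignment, the user's effective authorizations can be checked to confirm that the downgrade authorizations are really gone, including the case where another profile grants them through a wildcard entry such as solaris.label.*. The following script is an added example, not part of the original documentation. It assumes the comma-separated list printed by auths(1), optionally prefixed with "user : ", and the upgrade authorization names solaris.label.file.upgrade and solaris.label.win.upgrade, which do not appear on this page; the function names and sample lists are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an auths(1)-style list for the "upgrade only" policy.

# has_auth LIST AUTH: succeed when AUTH is granted by LIST, either by exact
# name or by a trailing-wildcard entry such as solaris.label.* or solaris.*
has_auth() (
    list=${1#* : }              # drop a leading "user : " prefix if present
    want=$2
    set -f                      # keep entries like solaris.* from globbing
    IFS=$(printf ', \n\t')      # split on comma, space, newline, tab
    for entry in $list; do
        case $entry in
            "$want") exit 0 ;;
            *'*')
                prefix=${entry%'*'}
                case $want in "$prefix"*) exit 0 ;; esac
                ;;
        esac
    done
    exit 1
)

# check_upgrade_only LIST: 0 = policy holds, 1 = a downgrade authorization is
# still granted, 2 = an upgrade authorization is missing.
check_upgrade_only() {
    for auth in solaris.label.file.downgrade solaris.label.win.downgrade; do
        if has_auth "$1" "$auth"; then
            echo "FAIL: $auth is still granted" >&2
            return 1
        fi
    done
    for auth in solaris.label.file.upgrade solaris.label.win.upgrade; do
        if ! has_auth "$1" "$auth"; then
            echo "FAIL: $auth is missing" >&2
            return 2
        fi
    done
    echo "OK: upgrade granted, downgrade not granted"
}

# Constructed sample lists (not captured from a real system).
GOOD_SAMPLE='jdoe : solaris.label.file.upgrade,solaris.label.win.upgrade,solaris.mail.mailq'
WILDCARD_SAMPLE='solaris.label.*,solaris.mail.mailq'

# On a live system, pass the user name: sh check_label_auths.sh jdoe
if [ "$#" -eq 1 ]; then
    check_upgrade_only "$(auths "$1")"
fi
```

The wildcard sample fails the check because solaris.label.* covers both downgrade authorizations even though neither is listed by name.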