A properly configured Trusted Extensions system consists of a global zone, which is the operating system instance, and one or more labeled non-global zones. During configuration, Trusted Extensions attaches a label to each zone, which creates labeled zones. The labels come from the label_encodings file. You can create one or more zones for each label, but are not required to. It is possible to have more labels than labeled zones on a system.
On a Trusted Extensions system, the global zone is solely an administrative zone. The labeled zones are for regular users. Users can work in a zone whose label is within the user's accreditation range.
On a Trusted Extensions system, all zones have a brand of labeled and all writable files and directories in a labeled zone are at the label of the zone. By default, a user can view files that are in a zone at a lower label than the user's current label. This configuration enables users to view their home directories at lower labels than the label of the current workspace. Although users can view files at a lower label, they cannot modify them. Users can only modify files from a process that has the same label as the file.
Each zone is a separate ZFS file system. Every zone can have an associated IP address and security attributes. A zone can be configured with multilevel ports (MLPs). Also, a zone can be configured with a policy for Internet Control Message Protocol (ICMP) broadcasts, such as ping.
For information about sharing directories from a labeled zone and about mounting directories from labeled zones remotely, see Chapter 14, Managing and Mounting Files in Trusted Extensions and mlslabel Property and Mounting Single-Level File Systems.
Zones in Trusted Extensions are built on the Oracle Solaris Zones product. For reference, see Introduction to Oracle Solaris Zones .