By default, users can view lower-level files. To prevent the viewing of all lower-level files from a particular zone, remove the net_mac_aware privilege from that zone. For a description of the net_mac_aware privilege, see the privileges(5) man page.
Before You Begin
You must be in the System Administrator role in the global zone.
# zoneadm -z zone-name halt
Remove the net_mac_aware privilege from the zone.
# zonecfg -z zone-name
set limitpriv=default,!net_mac_aware
exit
# zoneadm -z zone-name boot
In this example, the security administrator wants to prevent users on one system from being confused, so users are allowed to view files only at the label at which they are working. To enforce this, the security administrator prevents the viewing of all lower-level files. On this system, users cannot see publicly available files unless they are working at the PUBLIC label. Also, users can NFS mount files only at the label of the zones.
# zoneadm -z restricted halt
# zonecfg -z restricted
set limitpriv=default,!net_mac_aware
exit
# zoneadm -z restricted boot

# zoneadm -z needtoknow halt
# zonecfg -z needtoknow
set limitpriv=default,!net_mac_aware
exit
# zoneadm -z needtoknow boot

# zoneadm -z internal halt
# zonecfg -z internal
set limitpriv=default,!net_mac_aware
exit
# zoneadm -z internal boot
Because PUBLIC is the lowest label, the security administrator does not run the commands for the PUBLIC zone.
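The set command in the procedure above replaces the whole limitpriv value, so any privileges that were previously added to a zone would be dropped. The following script is an added example, not part of the original documentation: it reads each zone's current limitpriv, keeps the existing entries, and denies net_mac_aware before halting, reconfiguring, and booting the zone. The function names are hypothetical, and it assumes that "zonecfg -z zone info limitpriv" prints a line of the form "limitpriv: value".

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Solaris.

# Extract the value from "zonecfg -z ZONE info limitpriv" output
# (assumed form: "limitpriv: default,sys_time"; empty when unset).
parse_limitpriv() {
    awk '$1 == "limitpriv:" { print $2 }'
}

# Build a limitpriv value that keeps every existing entry and denies
# net_mac_aware. An empty current value means the zone uses "default".
merge_limitpriv() {
    out=
    old_ifs=$IFS
    IFS=,
    for p in ${1:-default}; do
        case $p in
            ''|net_mac_aware|'!net_mac_aware') ;;   # dropped, re-added below
            *) out=${out:+$out,}$p ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "${out:-default},!net_mac_aware"
}

# Halt, reconfigure and boot one zone, as in the procedure on this page.
# Must be run in the global zone with the rights the page requires.
disable_lower_level_view() {
    zone=$1
    cur=$(zonecfg -z "$zone" info limitpriv | parse_limitpriv) || return 1
    new=$(merge_limitpriv "$cur")
    echo "$zone: limitpriv '${cur:-<unset>}' -> '$new'"
    zoneadm -z "$zone" halt || return 1
    zonecfg -z "$zone" "set limitpriv=\"$new\"" || return 1
    zoneadm -z "$zone" boot || return 1
    # Show the committed value so the change can be confirmed.
    zonecfg -z "$zone" info limitpriv
}

# Zones are given as arguments, for example: restricted needtoknow internal
# (every labeled zone except the one at the lowest label).
for z in "$@"; do
    disable_lower_level_view "$z" || exit 1
done
```

When the commands are typed at an interactive bash prompt instead of run from a script, put the set argument in single quotes so that the "!" is not treated as history expansion.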