Trusted Extensions Configuration and Administration


Updated: July 2014
 
 

Mounting Multilevel Datasets From Another System

The global zone can share multilevel datasets over NFS with Trusted Extensions systems and unlabeled systems. The datasets can be mounted in the global zone and in labeled zones, and on unlabeled systems at their assigned label. The exception is an ADMIN_LOW unlabeled system. It cannot mount a multilevel dataset.

When a multilevel dataset is created with a label that is lower than ADMIN_HIGH, the dataset can be mounted in the global zone of another Trusted Extensions system. However, files can only be viewed in the global zone, not modified. When a labeled zone NFS mounts a multilevel dataset from a different system's global zone, some restrictions apply.

The following restrictions apply to NFS-mounted multilevel datasets:

  • A Trusted Extensions NFS client can view the correct labels only for files that are writable. The getlabel command misreports the label of lower-level files as being the label of the client. MAC policy is in effect, so the files remain read-only and higher-level files are not visible.

  • The NFS server ignores any privileges the client might have.

Because of these restrictions, using LOFS is preferable for labeled zone clients that are being served from their own global zone. NFS works for these clients, but they are subject to the restrictions. For the LOFS mounting procedure, see How to Create and Share a Multilevel Dataset.