Trusted Extensions Label Administration

Updated: July 2014

Label Visibility

Typically, the content of files at a lower label can be read by a user at a higher label. For example, system files and commonly available executables are assigned the ADMIN_LOW label. According to the read down-read equal rule, users who work at any label can read ADMIN_LOW files. As in Oracle Solaris, DAC permissions can still prevent read access. Zones also protect files from being read: if a lower-level zone is not mounted, a user in a higher-level zone cannot read its files.

Files that contain data that must not be viewed by regular users, such as system log files and the label_encodings file, are maintained at ADMIN_HIGH. To allow administrators access to these protected system files, the administrative labels ADMIN_LOW and ADMIN_HIGH are assigned, respectively, as the minimum label and the clearance for roles.
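As an added illustration (not Oracle's code), the following Python model shows the dominance check behind the read down-read equal rule, with ADMIN_LOW and ADMIN_HIGH as the bottom and top of the label lattice, and the range check that places a role's labels between its minimum label and its clearance. The classification ranks and compartment names are assumptions made for the example, and DAC and zone mounting are reduced to boolean inputs.

```python
# Added example, not from the Oracle documentation: a minimal model of
# Trusted Extensions label dominance. A label is a classification rank
# (assumed numeric) plus a set of compartments; ADMIN_LOW is dominated by
# every label and ADMIN_HIGH dominates every label.
from dataclasses import dataclass, field

ADMIN_LOW = "ADMIN_LOW"
ADMIN_HIGH = "ADMIN_HIGH"


@dataclass(frozen=True)
class Label:
    classification: int                      # higher rank = more sensitive
    compartments: frozenset = field(default_factory=frozenset)


def dominates(a, b):
    """True when label a is equal to or higher than label b in the lattice."""
    if a == ADMIN_HIGH or b == ADMIN_LOW:    # top dominates all; all dominate bottom
        return True
    if a == ADMIN_LOW or b == ADMIN_HIGH:    # bottom dominates nothing but itself
        return False
    # Ordinary labels: rank must be >= and compartments must be a superset.
    return a.classification >= b.classification and b.compartments <= a.compartments


def can_read(subject, obj, dac_allows=True, zone_mounted=True):
    """Read down / read equal: the subject's label must dominate the object's.
    DAC permissions and an unmounted lower-level zone can still deny access."""
    return dominates(subject, obj) and dac_allows and zone_mounted


def within_range(label, minimum, clearance):
    """A role may work at any label between its minimum label and clearance."""
    return dominates(label, minimum) and dominates(clearance, label)


if __name__ == "__main__":
    public = Label(1)                                  # assumed sample labels
    confidential = Label(2, frozenset({"PAYROLL"}))
    print(can_read(confidential, public))              # read down: True
    print(can_read(public, confidential))              # read up: False
    print(can_read(confidential, ADMIN_HIGH))          # log files stay hidden: False
    print(within_range(confidential, ADMIN_LOW, ADMIN_HIGH))  # role range: True
```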