Labels are used to implement and control access on a system. Labels implement mandatory access control (MAC). With Trusted Extensions, both discretionary access control (DAC) checks and MAC checks must pass before access is allowed to an object. As in Oracle Solaris, DAC is based on permission bits and access control lists (ACLs). For more information, see Chapter 1, Controlling Access to Files, in Securing Files and Verifying File Integrity in Oracle Solaris 11.2.
MAC compares the label of a process that is running an application with the label or the label range of any object that the process tries to access. The labels implement the set of rules that enforce policy. One rule is read down-read equal. This rule applies when a process tries to access an object. The label of the process has to be greater than or equal to the label of the object, as in:
Label[Process] >= Label[Object]
On a system that is configured with Trusted Extensions, files and directories have slightly different access rules from each other and from process objects, network endpoint objects, device objects, and X window objects. In addition, an object can be accessed in three different ways. A slightly different set of rules applies for each way:
The name of the file, directory, or device can be viewed.
The contents or the attributes of the file, directory, or device can be viewed.
The contents or the attributes of the file, directory, or device can be modified.
Figure 1-1 Comparing the Label of a Text Editor With the Label Property in the File Browser
In the preceding figure, a user opens a text editor in a workspace with the label ZONE BLUE. The system sets the label of the process that is running the text editor to be equal to the label of the current workspace. Therefore, the text editor displays a label of ZONE BLUE. When the text editor attempts to open a file for editing, the label of the process that is running the text editor is compared to the label of the file. When the two labels are equal, as the File Browser shows, access for writing is allowed.
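The following C program is an added example, not code from Trusted Extensions or from this guide. It models the combined check described above: access is granted only when a DAC check and a MAC check both pass, where viewing requires Label[Process] >= Label[Object] and modifying requires equal labels, as in the figure's case. It goes beyond the text by assuming the common label model of a hierarchical level plus a compartment set, which shows that two labels can be incomparable; all type names, function names, and label values are hypothetical, and ACLs and label ranges are left out.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified label model (hypothetical type, not the Trusted Extensions one). */
typedef struct {
    int      level;         /* hierarchical classification, higher = more sensitive */
    unsigned compartments;  /* bitmask of non-hierarchical compartments (assumption) */
} sens_label;

typedef enum { ACC_READ, ACC_WRITE } access_kind;
/* Constructed sample labels. */
static const sens_label PROC   = { 2, 0x1 };  /* label of the editor process */
static const sens_label EQUAL  = { 2, 0x1 };  /* file at the same label */
static const sens_label LOWER  = { 1, 0x1 };  /* file the process dominates */
static const sens_label HIGHER = { 3, 0x1 };  /* file above the process */
static const sens_label APART  = { 1, 0x2 };  /* lower level, other compartment */

/* a >= b: a's level is at least b's and a holds every compartment of b. */
bool label_dominates(sens_label a, sens_label b) {
    return a.level >= b.level && (a.compartments & b.compartments) == b.compartments;
}

bool label_equal(sens_label a, sens_label b) {
    return a.level == b.level && a.compartments == b.compartments;
}

/* MAC: read down-read equal for viewing; equal labels for modifying. */
bool mac_allows(sens_label proc, sens_label obj, access_kind want) {
    return want == ACC_READ ? label_dominates(proc, obj) : label_equal(proc, obj);
}

/* DAC: owner permission bits only (read = 04, write = 02); ACLs are omitted. */
bool dac_allows(unsigned owner_bits, access_kind want) {
    return (owner_bits & (want == ACC_READ ? 04u : 02u)) != 0;
}

/* Access is granted only when both the DAC and the MAC check pass. */
bool access_allowed(sens_label proc, sens_label obj, unsigned bits, access_kind want) {
    return dac_allows(bits, want) && mac_allows(proc, obj, want);
}

int main(void) {
    printf("write equal : %d\n", access_allowed(PROC, EQUAL, 06, ACC_WRITE));
    printf("write lower : %d\n", access_allowed(PROC, LOWER, 06, ACC_WRITE));
    printf("read lower  : %d\n", access_allowed(PROC, LOWER, 04, ACC_READ));
    printf("read higher : %d\n", access_allowed(PROC, HIGHER, 04, ACC_READ));
    printf("read apart  : %d\n", access_allowed(PROC, APART, 04, ACC_READ));
    printf("read no DAC : %d\n", access_allowed(PROC, EQUAL, 02, ACC_READ));
    return 0;
}
```

The "read apart" case is denied even though the file's level is lower, because neither label dominates the other; the "read no DAC" case is denied despite equal labels because the permission bits do not grant read.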