All objects on a system configured with Trusted Extensions are associated with a zone. Such zones are called labeled zones. A labeled zone is a non-global zone and is accessible to ordinary users. A user who is cleared at more than one label is permitted access to a zone at each of those labels.
The global zone is a special zone that contains files and processes that control the security policy of the system. Files in the global zone can only be accessed by roles and by privileged processes.
The global zone is assigned a range of labels. The range is from ADMIN_LOW to ADMIN_HIGH. ADMIN_HIGH and ADMIN_LOW are administrative labels.
Objects in the global zone that are shared with other zones are assigned the ADMIN_LOW label. For example, files in the /usr, /sbin, and /lib directories are assigned the ADMIN_LOW label. These directories and their contents are shared by all zones. These files and directories are typically installed from packages and are generally not modified, except during packaging or patching procedures. To modify ADMIN_LOW files, a process must typically be run by superuser or by someone who has all privileges.
Information that is private to the global zone is assigned the label ADMIN_HIGH. For example, all processes in the global zone and all administrative files in the /etc directory are assigned the ADMIN_HIGH label. Home directories that are associated with roles are assigned the ADMIN_HIGH label. Multilevel information that is associated with users is also assigned the ADMIN_HIGH label. See Multilevel Operations. Access to the global zone is restricted. Only system services and administrative roles can execute processes in the global zone.
Non-global zones are called labeled zones. Each labeled zone has a unique label. All objects within a labeled zone have the same label. For example, all processes that run in a labeled zone have the same label. All files that are writable in a labeled zone have the same label. A user who is cleared for more than one label has access to a labeled zone at each label.
Trusted Extensions defines a set of label APIs for zones. These APIs obtain the labels that are associated with labeled zones and the path names within those zones:
getpathbylabel()
getzoneidbylabel()
getzonelabelbyid()
getzonelabelbyname()
getzonerootbyid()
getzonerootbylabel()
getzonerootbyname()
For more information about these APIs, see Accessing Labels in Zones.
The label of a file is based on the label of the zone or of the host that owns the file. Therefore, when you relabel a file, the file must be moved to the appropriate labeled zone or to the appropriate labeled host. This process of relabeling a file is also referred to as reclassifying a file. The setflabel() library routine can relabel a file by moving the file. To relabel a file, a process must assert the file_upgrade_sl privilege or the file_downgrade_sl privilege. See the getlabel(2) and setflabel(3TSOL) man pages.
For more information about setting privileges, see Developing Privileged Applications, in Solaris Security for Developers Guide.