Although you can restrict access to sensitive data to users and roles based on their clearances, a label policy does not prevent modifying the underlying configuration, loading untrusted software, or modifying the kernel. It also does not prevent cleared users or roles from copying labeled data to unlabeled directories. Hardening can limit these dangers.
You can put the following protections in place:
Create non-global zones where selected users are granted a higher clearance than their clearance outside the zone.
Restrict access to a labeled zone to users who have been delegated the login authorization for that zone.
Make the configuration of the zone immutable.
Import one or more labeled file systems read-write into the zone from the global zone. The label of each top-level directory is also the minimum label at which data can be written to each file system.
Remove any network interfaces to prevent leakage outside the zone.
With these protections, when users log in to the zone, their clearance is raised to the value specified in the zone's user_attr file. Although users might not be authorized to set individual file labels, all files in the imported file systems are automatically labeled based on their containing directories. Also, although users cannot be prevented from copying files into unlabeled file systems, unlabeled data does not leak outside the zone. The labeled data is available outside of the zone only to users and roles with sufficient clearance.