Trusted Extensions Configuration and Administration

Updated: November 2020
 
 

How to Enable a User to Change the Security Level of Data

A regular user or a role can be authorized to change the security level, or labels, of files and directories or of selected text. In addition to having the authorization, the user or role must be configured to work at more than one label, and the labeled zones must be configured to permit relabeling. For the procedure, see How to Enable Files to Be Relabeled From a Labeled Zone.


Caution - Changing the security level of data is a privileged operation. This task is for trustworthy users only.


Before You Begin

You must be in the Security Administrator role in the global zone.

Example 16  Enabling a User to Upgrade But Not to Downgrade a File's Label

The Object Label Management rights profile enables users to upgrade and downgrade labels. In this example, the administrator permits a trusted user to upgrade data, but not to downgrade it.

The administrator creates a rights profile that is based on the Object Label Management profile, and removes the Downgrade File Label authorization in the new profile.

# profiles -p "Object Label Management"
profiles:Object Label Management> set name="Object Upgrade"
profiles:Object Upgrade> info auths
...
profiles:Object Upgrade> remove auths="solaris.label.file.downgrade"
profiles:Object Upgrade> commit
profiles:Object Upgrade> end

Then, the administrator assigns the profile to a trusted user.

# usermod -P +"Object Upgrade" jdoe
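
One way to confirm the result of Example 16, as an added example that is not part of the original documentation: the script checks a user's authorization list for upgrade without downgrade, and treats wildcard entries as grants, since another assigned profile can still supply the downgrade authorization. It assumes auths(1) prints the user's authorizations as a comma-separated list; the name solaris.label.file.upgrade and the sample list are not from this page.

```sh
#!/bin/sh
# has_auth LIST AUTH: succeed if LIST grants AUTH. LIST is split on commas
# and whitespace, so a leading "user :" prefix in the output is harmless.
has_auth() {
    _want=$2 _rc=1 _old_ifs=$IFS
    IFS=$(printf ',\n\t ')
    set -f    # keep "*" entries literal while splitting
    for _granted in $1; do
        case $_granted in
            "$_want") _rc=0 ;;
            *\*)  # wildcard grant: the text before "*" is matched as a prefix
                case $_want in "${_granted%\*}"*) _rc=0 ;; esac ;;
        esac
    done
    set +f
    IFS=$_old_ifs
    return $_rc
}

# check_label_auths LIST
#   0 = upgrade granted, downgrade not granted (the goal of Example 16)
#   1 = downgrade is still granted
#   2 = upgrade is not granted
check_label_auths() {
    if has_auth "$1" solaris.label.file.downgrade; then return 1; fi
    if has_auth "$1" solaris.label.file.upgrade; then return 0; fi
    return 2
}

# With a user name (for example jdoe) on a system that has auths(1), check the
# live list; otherwise check a constructed sample list.
if [ $# -gt 0 ] && command -v auths >/dev/null 2>&1; then
    list=$(auths "$1")
else
    list='solaris.label.file.upgrade,solaris.device.cdrw'   # constructed sample
fi

rc=0
check_label_auths "$list" || rc=$?
case $rc in
    0) echo "OK: upgrade granted, downgrade not granted" ;;
    1) echo "FAIL: downgrade still granted (another profile or a wildcard)" ;;
    2) echo "FAIL: upgrade not granted" ;;
esac
```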