Trusted Extensions can mount two kinds of ZFS datasets.
A single-level labeled dataset has the same label as the zone in which the data resides or is mounted. All files and directories in a single-level dataset are at the same label. These datasets are the typical datasets in Trusted Extensions.
A multilevel dataset can contain files and directories at different labels. Such a dataset is efficient for serving NFS clients at many different labels, and can streamline the relabeling of files.
The following mounts are possible in Trusted Extensions:
ZFS mounts – Multilevel datasets that the administrator creates can be ZFS-mounted in the global zone. A ZFS-mounted multilevel dataset can be LOFS-mounted into labeled zones on the same system.
Single-level datasets can also be created and ZFS-mounted by administrators in labeled zones.
LOFS mounts – As stated in the preceding paragraph, the global zone can LOFS mount a single-level dataset into a labeled zone. The label of the mount is ADMIN_LOW; therefore, all mounted files are read-only in the labeled zone.
The global zone can also LOFS mount a multilevel dataset into a labeled zone. The mounted files that are the same label as the zone can be modified. With appropriate permissions, the files can be relabeled. Mounted files that are at a level lower than the label of the zone can be viewed.
NFS mounts – Labeled zones can mount single-level datasets at the label of the zone. These files can originate from another labeled zone or from an untrusted system that is assigned the same label as the labeled zone.
A global zone can NFS mount a multilevel dataset from another Trusted Extensions system. The mounted files can be viewed and modified, but not relabeled. Also, only files and directories at the label of the mounting zone return the correct label.
A labeled zone can NFS mount a multilevel dataset from another Trusted Extensions system. NFS-mounted files cannot be relabeled, and the label of the files cannot be determined by the getlabel command. However, MAC policy works correctly. The mounted files that are at the same label as the zone can be viewed and modified. Lower-level files can be viewed.
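The access rules above for a multilevel dataset mounted into a labeled zone (files at the zone's label can be modified, files at a lower label can only be viewed, and anything else is not accessible) are easier to reason about with a small model in hand. The script below is an added illustration, not code from the Trusted Extensions documentation or from Oracle. It assumes a deliberately simplified label format, an integer classification followed by a colon and a comma-separated compartment set (for example 2:A,B), in place of the site's label_encodings, and the file paths and labels in the sample listing are constructed. On a real system the per-file labels would come from getlabel and the policy is enforced by the kernel, not by a script.

```shell
#!/bin/sh
# Added example: a simplified model of Trusted Extensions MAC policy on files
# in a LOFS- or NFS-mounted multilevel dataset. Labels are written as
# "CLASS:comp1,comp2" (integer classification plus compartment set); this is a
# constructed stand-in for the label_encodings file, not the real format.

# Extract the classification part of a label ("2:A,B" -> "2").
label_class() { printf '%s' "${1%%:*}"; }

# Extract the compartment list of a label ("2:A,B" -> "A,B", "1:" -> "").
label_comps() {
    case $1 in
        *:*) printf '%s' "${1#*:}" ;;
        *)   printf '' ;;
    esac
}

# dominates A B: exit 0 if label A dominates label B, i.e. A's classification
# is at least B's and every compartment of B is also in A.
dominates() {
    dom_ac=$(label_class "$1"); dom_bc=$(label_class "$2")
    [ "$dom_ac" -ge "$dom_bc" ] || return 1
    dom_acomps=$(label_comps "$1"); dom_bcomps=$(label_comps "$2")
    for dom_c in $(printf '%s' "$dom_bcomps" | tr ',' ' '); do
        case ",$dom_acomps," in
            *",$dom_c,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# access_mode ZONE_LABEL FILE_LABEL: what a process in the zone may do with
# the file. Equal labels -> modify; zone strictly dominates -> view (read
# down, never write up); otherwise the file is not accessible.
access_mode() {
    if dominates "$1" "$2"; then
        if dominates "$2" "$1"; then printf 'modify'; else printf 'view'; fi
    else
        printf 'none'
    fi
}

# Constructed sample listing of a multilevel dataset: path and file label,
# as an administrator might collect with getlabel in the global zone.
SAMPLE_FILES='/multi/public/notes.txt 1:
/multi/internal/plan.txt 2:A
/multi/internal/budget.txt 2:A,B
/multi/restricted/keys.txt 3:A,B'

# report_access ZONE_LABEL: print one line per file with its access mode
# for a labeled zone at ZONE_LABEL into which the dataset is mounted.
report_access() {
    printf '%s\n' "$SAMPLE_FILES" | while read -r path lbl; do
        printf '%s %s\n' "$path" "$(access_mode "$1" "$lbl")"
    done
}

# count_mode ZONE_LABEL MODE: how many sample files get the given mode.
count_mode() {
    report_access "$1" | awk -v m="$2" '$2 == m { n++ } END { print n + 0 }'
}

# Usage: show what a zone labeled 2:A sees in the sample dataset.
report_access 2:A
```

For the zone at 2:A the report marks plan.txt as modifiable, notes.txt as view-only, and both the 2:A,B and 3:A,B files as inaccessible, because the zone's label does not dominate compartment B. Swapping the compartments in a label (2:B,A against 2:A,B) still yields "modify", since equality is checked as mutual dominance rather than string comparison.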