The mlslabel Property

The behavior of the mlslabel property depends on whether Trusted Extensions is enabled and whether the multilevel property is set.

If Trusted Extensions is not enabled, the mlslabel property has no meaning unless the multilevel property is also set. If both properties are set, the mlslabel property is automatically updated so that it is the maximum label of all files that have been explicitly labeled in the file system. In this configuration, the mlslabel property cannot be set by an administrator and cannot be lowered.

When Trusted Extensions is enabled, the mlslabel property should be set by an administrator. For single-level file systems, that is, when the multilevel property is not set, the mlslabel property specifies the label of the zone in which the file system can be mounted. If the mlslabel property value matches the label of the labeled zone, the file system can be mounted and accessed from that zone.

If the multilevel property is set, the mlslabel property specifies the maximum label that can be set on any file in the file system. An attempt to create a file at (or relabel a file to) a label higher than the mlslabel property value is not allowed. Mount policy based on the mlslabel property does not apply to a multilevel file system.

Also, for a multilevel file system, the mlslabel property can be set explicitly when the file system is created. Otherwise, a default mlslabel property of ADMIN_HIGH is automatically created. After a multilevel file system is created, the mlslabel property can be changed, but it cannot be set to a lower label, it cannot be set to none, and it cannot be removed.

When Trusted Extensions is enabled, the automatic label that is applied to newly created objects is the label of the zone in which the caller is executing, and the maximum label that can be set explicitly is the label of the zone. If Trusted Extensions is not enabled, the automatic label of newly created objects is the label of their parent directory, and the maximum label is the label corresponding to the caller’s clearance.
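
The rules above for mount policy, file labeling, and changing mlslabel can be checked against a small model. This is an added example, not Oracle code and not how ZFS is implemented; the Label class (a numeric level plus compartments with the usual dominance test), the FileSystem class, and all method names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Label:
    level: int                      # hierarchical classification (constructed scale)
    comps: frozenset = frozenset()  # compartments (constructed names)
    def dominates(self, o: "Label") -> bool:
        return self == ADMIN_HIGH or (self.level >= o.level and self.comps >= o.comps)
    def join(self, o: "Label") -> "Label":  # lowest label that dominates both
        if ADMIN_HIGH in (self, o):
            return ADMIN_HIGH
        return Label(max(self.level, o.level), self.comps | o.comps)

ADMIN_HIGH = Label(10**6)           # stand-in for the highest system label

@dataclass
class FileSystem:
    tx_enabled: bool                # Trusted Extensions enabled on the host
    multilevel: bool
    mlslabel: Optional[Label] = None
    def __post_init__(self):
        # Assumed reading: the ADMIN_HIGH default applies when Trusted Extensions is on.
        if self.tx_enabled and self.multilevel and self.mlslabel is None:
            self.mlslabel = ADMIN_HIGH
    def mlslabel_permits_mount(self, zone: Label) -> bool:
        # Mount policy applies only to single-level file systems under Trusted Extensions.
        if not self.tx_enabled or self.multilevel:
            return True
        return self.mlslabel == zone  # unset mlslabel is treated as no match (assumption)
    def set_mlslabel(self, new: Optional[Label]) -> None:
        if self.multilevel and not self.tx_enabled:
            raise PermissionError("mlslabel is maintained automatically")
        if self.multilevel:
            lower = new is not None and self.mlslabel.dominates(new) and new != self.mlslabel
            if new is None or lower:
                raise PermissionError("cannot lower mlslabel, set it to none, or remove it")
        self.mlslabel = new
    def label_file(self, label: Label) -> None:
        if not self.multilevel:
            raise ValueError("explicit file labels need a multilevel file system")
        if self.tx_enabled and not self.mlslabel.dominates(label):
            raise PermissionError("label is higher than mlslabel")
        if not self.tx_enabled:     # property tracks the highest explicitly set label
            self.mlslabel = label if self.mlslabel is None else self.mlslabel.join(label)
```

With compartments, the "maximum label" in the automatic case is modeled as the join of the file labels, which can be a label that no single file carries.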