Label Policy
Labels in Oracle Solaris implement a set of access rules for sensitive data that is in addition to discretionary access control (DAC). You configure labels to reflect your site's security policy around sensitive data.
All Oracle Solaris systems have a label policy. By default, the policy is unrestricted so that only DAC controls access to files. A default encodings file enforces this unrestricted label policy. The labeling service that runs on all Oracle Solaris 11.4 systems is labeld:clearance.
Label policy is configured in an encodings file. Oracle Solaris provides two sample encodings files: the default file and a compliance encodings file. To view these files, see Viewing and Testing Sample Label Encodings Files.
Every system that contains sensitive data must contain a copy of your customized encodings file. One strategy is to put sensitive data in zones on designated systems, label the ZFS datasets in those zones, and restrict access to the data by labeled user processes and SMF service processes.
Most of your file systems will not be labeled. Therefore, their files inherit the system's lowest label, ADMIN_LOW. All clearances that you assign to users and processes dominate this label, so all files on unlabeled systems are available to all logins.
To administer labels, you must be in the root role or be assigned the Object Label Management rights profile.