Setting a File Sensitivity Label
When you change the sensitivity label of a file, the file is
moved to a new zone that matches the file's new label.
In this code example, the process is running at the CONFIDENTIAL label.
The user who is running the process has a TOP SECRET clearance. The
TOP SECRET label dominates the CONFIDENTIAL label. The process upgrades the file's
sensitivity label to TOP SECRET. The user needs the Upgrade File Label RBAC
authorization to successfully perform the upgrade.
The following program is called upgrade-afile.
#include <stdio.h>
#include <stdlib.h>
#include <tsol/label.h>

int
main(void)
{
    int retval, error;
    /* Start from NULL so that str_to_label() allocates the label */
    m_label_t *fsenslabel = NULL;
    char *string = "TOP SECRET";

    /* Create new sensitivity label value */
    if ((retval = str_to_label(string, &fsenslabel, MAC_LABEL,
        L_DEFAULT, &error)) != 0) {
        perror("str_to_label(MAC_LABEL, L_DEFAULT) failed");
        exit(1);
    }

    /* Set file label to new value; setflabel() takes the label pointer itself */
    if ((retval = setflabel("/export/home/zelda/afile", fsenslabel)) != 0) {
        perror("setflabel(\"/export/home/zelda/afile\") failed");
        m_label_free(fsenslabel);
        exit(1);
    }

    m_label_free(fsenslabel);
    return (0);
}
The result of running this program depends on the process's label, relative
to the label of the file that was passed to the process.
Before and after you run this program, you use the getlabel command
to verify the file's label. As the following shows, before the program
runs, the label for afile is CONFIDENTIAL. After the program runs, the
label for afile is TOP SECRET.
% pwd
/export/home/zelda
% getlabel afile
afile: CONFIDENTIAL
% upgrade-afile
% getlabel afile
afile: TOP SECRET
If you run the getlabel command from a window labeled CONFIDENTIAL after
you reclassified the file, the file is no longer visible. If you run
the getlabel command in a window labeled TOP SECRET, you can see the
reclassified file.
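The dominance relationship and the visibility result described above can be traced with a small stand-alone model. This is an added example, not code from the original page and not the Trusted Extensions implementation: the sens_label type, the numeric levels, the compartment bits, and the three checks in check_upgrade() (including the clearance check) are simplifying assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a label: hierarchical level plus compartment bits. */
typedef struct { int level; uint32_t compartments; } sens_label;
enum { LVL_CONFIDENTIAL = 4, LVL_TOP_SECRET = 6 };  /* assumed values */

typedef enum { UPG_OK, UPG_NOT_UPGRADE, UPG_ABOVE_CLEARANCE, UPG_NO_AUTH } upg_result;

/* a dominates b: level at least as high and every compartment of b present in a. */
bool dominates(sens_label a, sens_label b)
{
    return a.level >= b.level && (a.compartments & b.compartments) == b.compartments;
}

/* Checks modeled on the text: the new label is an upgrade, it lies within
 * the user's clearance, and the user holds the upgrade authorization. */
upg_result check_upgrade(sens_label file, sens_label new_label,
                         sens_label clearance, bool has_upgrade_auth)
{
    if (!dominates(new_label, file) || dominates(file, new_label))
        return UPG_NOT_UPGRADE;      /* equal, lower, or incomparable label */
    if (!dominates(clearance, new_label))
        return UPG_ABOVE_CLEARANCE;
    if (!has_upgrade_auth)
        return UPG_NO_AUTH;
    return UPG_OK;
}

/* A window sees a file only if the window's label dominates the file's label. */
bool visible_from(sens_label window, sens_label file)
{
    return dominates(window, file);
}

int main(void)
{
    sens_label conf = { LVL_CONFIDENTIAL, 0 }, ts = { LVL_TOP_SECRET, 0 };
    sens_label afile = conf;

    if (check_upgrade(afile, ts, ts, true) == UPG_OK)
        afile = ts;                  /* the reclassification succeeds */
    printf("CONFIDENTIAL window sees afile: %d\n", visible_from(conf, afile));
    printf("TOP SECRET window sees afile:   %d\n", visible_from(ts, afile));
    return 0;
}
```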