Directory tree structure

The system calls function so that directory trees created by unprivileged processes follow a nondecreasing label structure, where the label of a file equals that of its parent directory or is within the range of the partitioned directory, and the label of a directory dominates that of its parent directory (note that domination includes equivalence). This is a natural structure for untrusted programs.

However, privileged processes are not bound by this restriction and can create directory trees where the parent directory MAC label relationships are arbitrary. Such configurations are useful because MAC search access is restricted closer to the root of the tree. For example, aggregation protection, where the MAC label of a collection of data objects is higher than any single label of the objects, can be implemented by setting the MAC label of a directory higher than any of its elements. Untrusted processes must then dominate the label of the directory to gain access to the aggregation of data.

Great care should be used in creating directory trees that have decreasing labels. It is not possible for an unprivileged process to open a file for writing when the file does not dominate or equal its parent's label.