Multilevel operations
The sec_setplab system call allows a privileged process to arbitrarily change its process label.
- All uses of the sec_setplab system call to perform multilevel operations (for example, opening higher label files for reading) should be done only through library routines that reflect the semantics of the actual, high-level operation performed and that hide the detailed use of the sec_setplab system call.
- The only exceptions are very simple process label changes that are not a part of a larger multilevel operation. These simple operations can use the sec_setplab system call directly.
There are two reasons for these guidelines for the sec_setplab system call. First, a sensitive and potentially dangerous feature such as the sec_setplab system call should only be used in a well-designed, modular manner. Second, as standards for trusted systems evolve, low-level system calls may support various mechanisms for multilevel operations.
Encapsulating high-level operations in library routines provides excellent upward compatibility and adaptability to evolving versions of the operating system and helps ensure portability between trusted versions of the UNIX system.
The trusted system provides a basic set of such routines. These routines should be used whenever possible. This set of routines should be expanded with successive operating system versions. A trusted system programmer can also create such library routines where needed.
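The following is an added illustration of the encapsulation these guidelines call for; it is not code from the original manual or from the trusted system itself. Because the page does not give the sec_setplab signature, the label primitive is a constructed stand-in (sim_setplab), and the label type and routine names are likewise assumptions; the point shown is that the label change is confined to the routine and is undone on every return path.

```c
/* Added example, not from the original manual. sim_setplab() is a constructed
 * stand-in for the privileged label-changing call (the real sec_setplab()
 * signature is not given on this page); plabel_t and all other names here are
 * assumptions chosen only to show the encapsulation pattern. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

typedef int plabel_t;              /* constructed: a process label as an int */
static plabel_t current_label = 1; /* constructed: the process's current label */

/* Stand-in for the privileged label change; negative labels are invalid. */
static int sim_setplab(plabel_t new_label)
{
    if (new_label < 0) { errno = EINVAL; return -1; }
    current_label = new_label;
    return 0;
}
static plabel_t getplab(void) { return current_label; }

/* Library routine expressing one high-level operation: "open a file at a
 * higher label for reading". The caller never sees the label change; it is
 * raised only around open(2) and restored on every path, including failure,
 * so the process is never left running at the raised label. */
int open_higher_for_read(const char *path, plabel_t file_label)
{
    plabel_t saved = getplab();
    int fd, saved_errno;

    if (sim_setplab(file_label) != 0)
        return -1;                       /* label could not be raised */
    fd = open(path, O_RDONLY);
    saved_errno = errno;                 /* keep open(2)'s error for the caller */
    if (sim_setplab(saved) != 0 && fd >= 0) {
        close(fd);                       /* never hand back an fd while raised */
        fd = -1;
    }
    errno = saved_errno;
    return fd;
}

int main(void)
{
    int fd = open_higher_for_read("/dev/null", 5);
    printf("fd=%d, label restored to %d\n", fd, getplab());
    if (fd >= 0) close(fd);
    return 0;
}
```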
Another exception to the MAC and MIC constraints is the use of one or more of the available MAC or MIC privileges to bypass the MAC or MIC restraints. Care should be exercised when allowing the use of any of these privileges.