Labels on file system objects

All files include specific security information. When a new file is created, it has the same SL as the process that created the file. The SL of the information in a file can be upgraded or downgraded by raising or lowering the file's SL.

Directories are assigned a minimum and maximum SL when the directories are created. On creation, both are set equal to the effective SL of the creating process, essentially creating a single-level directory. Only users with the proper privileges and authorizations can change these SLs. New objects can be created in this directory only if the effective SL of the process creating the new object falls within the range of the directory's SLs.

A window is normally created as a separate child process with an SL equal to the user's effective SL. Devices (for example, the pseudo-terminals associated with windows) also have SLs associated with them. A named pipe, which is a device used for interprocess communication, inherits the effective SL of the process that created the named pipe. A stream, which is a device used to provide a bidirectional data channel for interprocess communications, also inherits the effective SL of the process that created the stream.

All devices have a minimum SL and a maximum SL. The maximum SL must dominate the minimum SL. By default, the minimum SL and maximum SL are set equal. A process can access such a device or directory in read mode only if the process's SL dominates the minimum SL of the device or directory. A process can access such a device or directory in write mode only if the process's SL is within the range defined by the minimum and maximum SLs of the device or directory.
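The following is an added example, not code from this documentation, that models the rules above: a new file inherits its creator's SL, a new directory or device starts single-level, the maximum SL must dominate the minimum, reads require dominating the minimum SL, and writes and object creation require the process SL to fall within the range. The SL structure (a classification level plus a set of categories) and the dominance rule (level at least as high, categories a superset) are assumptions, as are the sample labels.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class SL:
    """Sensitivity label: classification level plus a set of categories.
    This structure and the dominance rule below are assumptions, not from the page."""
    level: int
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "SL") -> bool:
        # A dominates B when A's level is at least B's and A holds every category of B
        return self.level >= other.level and self.categories >= other.categories

@dataclass(frozen=True)
class LabeledObject:
    """A device or directory carrying a minimum and a maximum SL."""
    name: str
    min_sl: SL
    max_sl: SL

    def __post_init__(self):
        # The maximum SL must dominate the minimum SL
        if not self.max_sl.dominates(self.min_sl):
            raise ValueError(f"{self.name}: maximum SL must dominate minimum SL")

def new_single_level(name: str, creator_sl: SL) -> LabeledObject:
    # On creation both SLs equal the creating process's effective SL
    return LabeledObject(name, creator_sl, creator_sl)

def in_range(sl: SL, obj: LabeledObject) -> bool:
    return sl.dominates(obj.min_sl) and obj.max_sl.dominates(sl)

def can_read(proc_sl: SL, obj: LabeledObject) -> bool:
    # Read: the process SL must dominate the object's minimum SL
    return proc_sl.dominates(obj.min_sl)

def can_write(proc_sl: SL, obj: LabeledObject) -> bool:
    # Write: the process SL must lie within [min_sl, max_sl]
    return in_range(proc_sl, obj)

def create_file(proc_sl: SL, directory: LabeledObject) -> SL:
    """Return the SL the new file gets, or raise if the directory's range excludes the process."""
    if not in_range(proc_sl, directory):
        raise PermissionError(f"{directory.name}: process SL outside directory range")
    return proc_sl  # the new file inherits the creating process's SL

# Constructed sample labels (not from the page): level 0 = public, 2 = secret, 3 = top secret
PUBLIC = SL(0)
SECRET_A = SL(2, frozenset({"A"}))
SECRET_B = SL(2, frozenset({"B"}))
TOP_A = SL(3, frozenset({"A"}))
```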

File security flags

Objects can be marked with file security flags (FSFs) that affect the way processes deal with the objects. See File Security Flags for a list of FSFs and the privileges required to set each FSF. Processes do not have file security flags.