Glenn Faden's Blog

September 21, 2008

Demonstrating Process and File Labeling

Guest Author

Since I do a lot of Trusted Extensions demonstrations, I'm often asked about process and file labeling. Both process and file labels are implicitly determined from zone and network labels. I've written two shell scripts which display these concepts using the zenity(1) GUI.

Here is the first script, getprocs:


#!/bin/sh
# getprocs: show the sensitivity label of every visible process in a zenity table.
# Each process for which plabel(1) succeeds contributes four lines (one per column).
# plabel fails, and the entry is skipped, for the ps header line and for any
# process the caller is not allowed to inspect (e.g. without proc_info).

ps -fe -o comm -o user -o pid | \
while read command user pid
do
        label=`plabel $pid 2>/dev/null`
        if [ $? = 0 ]; then
                echo $command
                echo $pid
                echo $user
                echo $label
        fi
done | zenity --list \
        --title="Process Labels" \
        --height=700 \
        --width=650 \
        --column="Process Name" \
        --column="ID" \
        --column="User" \
        --column="Sensitivity Label"

The output of the script looks like this:

If you run this in the global zone, as root, you will see all processes and can sort the output based on the table columns. When run in a labeled zone, only processes with the current zone label are shown. I also use this script to demonstrate that by removing proc_info from my default privilege I can only see my own processes. The privilege setting in my /etc/user_attr file looks like this:


The other script, getmounts, displays the label of the currently mounted filesystems.


#!/bin/sh
# getmounts: show the sensitivity label of each mounted filesystem in a zenity table.
# mount -p prints vfstab-style lines; fields 3 and 4 are the mount point and type.
# getlabel(1) prints "mntpnt: label", so the mount point prefix is cut off;
# mounts whose label cannot be read are skipped.

/usr/sbin/mount -p | cut -d " " -f3-4 | \
while read mntpnt fstype
do
    label=`getlabel $mntpnt 2>/dev/null`
    if [ $? = 0 ]; then
        echo $mntpnt
        echo $fstype
        echo $label | cut -d : -f 2-99
    fi
done | zenity --list \
    --title="File System Labels" \
    --height=700 \
    --width=750 \
    --column="Directory" \
    --column="Type" \
    --column="Sensitivity Label"

When run as root in the global zone, everything is displayed except NFS mounts to the labeled zones. When run in a labeled zone, only the labels of the zone's filesystems, and those shared filesystems from the global zone and from lower-level zones or NFS servers are shown.

The output of this script looks like this:
