Determining the Relationship Between Two Labels

If your application accesses data at different sensitivity labels, perform checks in your code to ensure that the process label has the correct relationship to the data label before you permit an access operation to occur. You check the sensitivity label of the object that is being accessed to determine whether access is permitted by the system.

The following code example shows how to test two sensitivity labels for equality, dominance, and strict dominance. The program checks whether a file's label is dominated by or is equal to the process's label.

#include <stdio.h>
#include <stdlib.h>

#include <tsol/label.h>

main(int argc, char *argv[])
{
   m_label_t *plabel;
   m_label_t *flabel;

   plabel = m_label_alloc(MAC_LABEL);
   flabel = m_label_alloc(MAC_LABEL);

   if (getplabel(plabel) == -1) {
      perror("getplabel");
      exit(1);
   }
   if (getlabel(argv[1], flabel) == -1) {
      perror("getlabel");
      exit(1);
   }

   if (blequal(plabel, flabel)) {
      printf("Labels are equal\n");
   }
   if (bldominates(plabel, flabel)) {
      printf("Process label dominates file label\n");
   }
   if (blstrictdom(plabel, flabel)) {
      printf("Process label strictly dominates file label\n");
   }

   m_label_free(plabel);
   m_label_free(flabel);

   return (0);
}

The text output of this program depends on the process's label, relative to the label of the file that was passed to the process, as follows:

• Because “dominates” includes “equal,” when the labels are equal, the output is the following:

  Labels are equal
  Process label dominates file label

• If the process's label strictly dominates the file's label, the output is the following:

  Process label strictly dominates file label