Labels on subjects and objects

In Trusted AIX®, processes are identified as subjects and each process has SLs.

The SL used for MAC checks is called the Effective SL (ESL). An ESL must lie within the process clearance ranges. The clearance range has an upper bound and a lower bound. The upper bound is called the Maximum clearance (Max CL) and the lower bound is called the Minimum clearance (Min CL). The ESL, Max CL, and Min CL are stored in the process credential structure and are assigned during process creation. The Max CL must dominate Min CL and ESL and the ESL must dominate Min CL. The settxattr and lstxattr commands can be used to list and set the SLs of processes.

Access to various objects in the system need to be controlled. An object could be any one of the following:

process
files (Data files or binaries)
IPC objects, network packets, etc.

All objects and subjects on a MLS system are labeled.

Directory: Directories are associated with a SL range; minimum SL and maximum SL. The maximum SL should dominate or equal the minimum SL. All files in a directory lie within this range.
Files: Regular files are associated with two SLs but their values are always the same. So effectively they have only one SL. Symbolic links could have different values for the SLs.
Special Files: Special files like devices, ttys, and fifos are associated with a maximum and minimum SL. Directory, files, and special files have only one integrity label (TL) where as processes are associated with a minimum and maximum TLs.
Process: All processes are associated with maximum and minimum sensitivity cleareance range as well as a maximum and minimum integrity clearance range. These values are inherited from the user's clearance values. The sensitivity and integrity level at which the process is executing is known as the effective sensitivity and effective integrity levels.