To permit applications to create objects with a specified label rather than the default label, an extended form of each of the file creation system calls must be added that accepts an additional SID parameter. To permit applications to obtain the SID of an object, an extended form of each of the file status system calls must be added that returns an additional SID parameter. To permit applications to change the SID of an object, new system calls must be added. The new Linux system calls that must be added for security-aware applications are shown in Figure 16.
For the new system calls that are simply extended forms of existing Linux system calls, the same set of control requirements applies as for the existing calls. The control requirements for the new system calls for relabeling are shown in Table 16.