scslab / hails

The security-centric web platform framework

Home Page:http://hails.scs.stanford.edu

Changing collection clearance

deian opened this issue · comments

Suppose we have a collection with clearance L_C0. We insert a document D whose label is L_C0. Following this, the collection clearance is changed to L_C1 such that L_C0 does not flow to L_C1. Now we retrieve document D from the collection -- its label L_C0 is above the collection clearance L_C1 (which would violate the desired property: read >>= write ⇒ return ()). An approach is to serialize the clearance into the collection and make sure that it can only be lowered.

Do you mean serialize the clearance of the collection or serialize the clearance of each document?

If it's the former, we could also check the clearance of the old collection and new collection when the policy is updated (we haven't discussed yet exactly how that happens). In general, I'd prefer to avoid serializing label specific stuff to the database, but yeah, that might make sense.

The former: serialize the clearance of the collection.

Of course, I agree, we should avoid serializing label-specific details unless necessary. We will need to address migrations, but at the moment I think that the collection clearance is the only thing that needs to be serialized. We already have code that prevents you from marshalling in labeled and policy-labeled values as something other than Labeled and PolicyLabeled. (I guess one potential hack is to create a new label format that will allow you to marshal in a labeled value in such a way that the value is leaked into the label, but it's a detail we can ignore for now)
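As an added illustration of the scenario in this thread (this is example code, not part of hails), here is a toy Haskell model of a collection that stores its own clearance. It assumes a simple reader-set lattice in place of hails' real labels, and the names `Collection`, `insertDoc`, `setClearance` and `strandedBy` are hypothetical. The invariant it enforces is the one the thread cares about: every stored document's label must flow to the collection clearance, so a retrieve never hands back a document labeled above it. A clearance change is therefore accepted only when every already-stored document still flows to the new clearance.

```haskell
module ClearanceCheck where

import qualified Data.Set as Set
import Data.Set (Set)

-- Toy label: the set of principals permitted to read the data.
-- Fewer readers means more secret. This stands in for a real
-- hails/LIO label (assumption: only the lattice order is modeled).
newtype Label = Label (Set String)
  deriving (Eq, Ord, Show)

mkLabel :: [String] -> Label
mkLabel = Label . Set.fromList

-- l1 `canFlowTo` l2 holds when l2 is at least as restrictive as l1,
-- i.e. everyone who may read at l2 may also read at l1.
canFlowTo :: Label -> Label -> Bool
canFlowTo (Label r1) (Label r2) = r2 `Set.isSubsetOf` r1

data Doc = Doc { docLabel :: Label, docBody :: String }
  deriving (Eq, Show)

-- The clearance is stored with the collection (the "serialized
-- clearance" of the thread) instead of being recomputed from a
-- policy that may have changed since the documents were written.
data Collection = Collection { clearance :: Label, docs :: [Doc] }
  deriving (Eq, Show)

data Failure
  = DocAboveClearance Label Label     -- document label, clearance
  | ClearanceStrandsDocs Label [Doc]  -- proposed clearance, offending docs
  deriving (Eq, Show)

-- Documents whose label does not flow to the given clearance.
strandedBy :: Label -> [Doc] -> [Doc]
strandedBy cl = filter (\d -> not (docLabel d `canFlowTo` cl))

-- Insert is allowed only when the document's label flows to the clearance.
insertDoc :: Doc -> Collection -> Either Failure Collection
insertDoc d c
  | docLabel d `canFlowTo` clearance c = Right c { docs = d : docs c }
  | otherwise = Left (DocAboveClearance (docLabel d) (clearance c))

-- A clearance change is accepted only if every stored document still
-- flows to the new clearance; otherwise a later retrieve would return
-- a document labeled above the collection's clearance.
setClearance :: Label -> Collection -> Either Failure Collection
setClearance new c
  | null stranded = Right c { clearance = new }
  | otherwise     = Left (ClearanceStrandsDocs new stranded)
  where stranded = strandedBy new (docs c)

-- Retrieve re-checks the invariant so a hand-edited or corrupted
-- store cannot return a document above clearance.
retrieveAll :: Collection -> Either Failure [Doc]
retrieveAll c
  | null stranded = Right (docs c)
  | otherwise     = Left (ClearanceStrandsDocs (clearance c) stranded)
  where stranded = strandedBy (clearance c) (docs c)

-- The thread's scenario run against the toy model.
main :: IO ()
main = do
  let lC0  = mkLabel ["alice"]           -- only alice may read
      lC1  = mkLabel ["alice", "bob"]    -- L_C0 does not flow to L_C1
      coll = Collection { clearance = lC0, docs = [] }
      d    = Doc { docLabel = lC0, docBody = "secret" }
  case insertDoc d coll of
    Left e      -> putStrLn ("insert rejected: " ++ show e)
    Right coll' -> do
      -- Moving the clearance to L_C1 would strand D: refused.
      print (setClearance lC1 coll')
      -- A clearance that every stored label flows to is accepted.
      print (setClearance (mkLabel []) coll')
      print (retrieveAll coll')
```

Run with `runghc ClearanceCheck.hs`. The first `print` shows the refusal for the exact case described in the issue (a document at L_C0 with the clearance moved to an L_C1 that L_C0 does not flow to); checking the stored documents at change time, rather than only at insert time, is what makes the later retrieve safe.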