getmac(1) DG/UX B2 Security R4.12MU02 getmac(1)
NAME
getmac - display mandatory access control (MAC) label
SYNOPSIS
getmac [-alpqr] [-t al] [-o object_type] [object ...]
getmac [-q] [-t al] [-s] [subject ...]
where:
object_type   The type of object whose MAC label getmac displays
object        The object(s) whose MAC label getmac displays
subject       The subject(s) (process ID) whose MAC label getmac displays
DESCRIPTION
The getmac command displays MAC labels.
Options
-a Display the MAC labels of all files, including those beginning
with a ., when used with the -r option.
-l If target is a symbolic link, operate on the link. The
default behavior is to operate on the object that the link
references.
-p Display absolute pathnames of file objects.
-q Do not write diagnostic messages. The usage error message is
always written.
-r Recursively descend through directory file objects, displaying
the MAC label for each file object.
-t al Indicate the type of alias printing desired. -ta prints out
all aliases that would result in the same MAC label. They are
printed in order of last defined through first defined in the
files /etc/tcb/mac/mac_alias_defs, and then
/etc/tcb/mac/mac_label_defs. -tl displays the long form of
the alias name; the default is to display the short form.
-tal displays the long form of -ta.
-o Specify the type of object arguments. If you use -o
object_type but omit object, getmac uses the default object.
Values for object_type, the objects associated with them, the
specification format for the objects, and the default objects
are listed below.
Value  Object         Format            Default
f      file           filename          Working directory (.)
p      process        pid number        The invoking process ID
m      shared memory  shared memory ID  0
s      semaphore      semaphore set ID  0
q      message queue  message queue ID  0
Note that UNIX-domain sockets are file objects.
-s Display the MAC label of the invoking process. If no subjects
are supplied, getmac displays the clearance (MAC label) of the
invoking process. If subjects are supplied, then the process
ID and the process clearance are displayed for each subject.
If -o object_type is not specified and one or more objects are
specified, then the default object type is f (file). If getmac is
invoked without -s, -o, or object, then getmac displays the invoking
process's MAC label.
MAC Label Format
Getmac displays the MAC label of an object in the following format:
object_name MAC_label_alias
There is a separate object_name for each object_type:
Object type  Format
f            filename
p            p:pid_number
m            m:shared_memory_ID
s            s:semaphore_set_ID
q            q:message_queue_ID
MAC_label_alias is the external text representation of the MAC label
as defined in the files /etc/tcb/mac/mac_alias_defs and
/etc/tcb/mac/mac_label_defs. For a complete description of the
MAC_label_alias format, see mac_defs(4M).
getmac [-s] displays the MAC label of the subject (the invoking
process) in the following format:
MAC_label_alias
getmac -s [subject ...] displays the MAC label of each of the
specified subject pids in the following format:
subject pid: pid MAC_label_alias
If a file object is governed by a MAC range, and you either have
appropriate privilege or your process dominates the high end of the
MAC range, getmac displays the following text:
# getmac /dev/ttyp3
/dev/ttyp3 [NO MAC LABEL -- GOVERNED BY MAC RANGE] -L IMPL_LO -H IMPL_HI
EXAMPLES
$ getmac -r -tl dir_abc
a SESSION_LO
b SESSION_LO
c IMPLEMENTATION_LO
$ getmac -pr dir_abc
/usr/ab_user/dir_abc/a SES_LO
/usr/ab_user/dir_abc/b SES_LO
/usr/ab_user/dir_abc/c IMPL_LO
$ getmac -s
ACR_LO
$ getmac -s $$
subject pid: 5440 ACR_LO
$ getmac -s 1,10,$$
subject pid: 1 IMPL_HI
subject pid: 10 IMPL_HI
subject pid: 5440 ACR_LO
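The following is an added example, not part of the DG/UX manual page: it turns the three output formats documented above (object lines, MAC-range lines, and subject pid lines) into tab-separated records and lists objects whose label differs from an expected alias. The function names and the sample input are constructed for illustration, and it assumes a MAC label alias contains no whitespace.

```shell
#!/bin/sh
# Added example (not DG/UX code). Function names are hypothetical.
# Assumption: a MAC label alias never contains whitespace, so the last
# field of an object line is the alias and the rest is the object name.

# parse_getmac: read getmac output on stdin, write "kind<TAB>name<TAB>label".
parse_getmac() {
    awk '
    /^subject pid: / {                      # getmac -s pid ...
        printf "subject\t%s\t%s\n", $3, $4; next
    }
    / \[NO MAC LABEL -- GOVERNED BY MAC RANGE\] / {
        name = $0; sub(/ \[NO MAC LABEL.*/, "", name)
        lo = "?"; hi = "?"
        for (i = 1; i < NF; i++) {
            if ($i == "-L") lo = $(i + 1)
            if ($i == "-H") hi = $(i + 1)
        }
        printf "range\t%s\t%s..%s\n", name, lo, hi; next
    }
    NF >= 2 {                               # object_name MAC_label_alias
        name = $0; sub(/[ \t]+[^ \t]+$/, "", name)
        printf "object\t%s\t%s\n", name, $NF; next
    }
    NF == 1 { printf "self\t-\t%s\n", $1 }  # bare getmac / getmac -s
    '
}

# label_drift ALIAS: list objects whose label is not exactly ALIAS,
# including objects governed by a MAC range.
label_drift() {
    parse_getmac | awk -F '\t' -v want="$1" '
        ($1 == "object" || $1 == "range") && $3 != want { print $2 "\t" $3 }'
}

# Constructed sample, in the formats shown on this page.
sample_output() {
    cat <<'EOF'
/usr/ab_user/dir_abc/a SES_LO
/usr/ab_user/dir_abc/b SES_LO
/usr/ab_user/dir_abc/c IMPL_LO
/dev/ttyp3 [NO MAC LABEL -- GOVERNED BY MAC RANGE] -L IMPL_LO -H IMPL_HI
subject pid: 5440 ACR_LO
EOF
}

sample_output | label_drift SES_LO
```

On a system that has getmac, the output of getmac -pr dir_abc can be piped into label_drift in place of the sample.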
FILES
/etc/mac_alias
/etc/tcb/mac/mac_label_defs
/etc/tcb/mac/mac_alias_defs
DIAGNOSTICS
Getmac writes all diagnostic messages to stderr.
The getmac command exits with one of the following values:
0 The MAC labels associated with all specified files were
successfully reported.
1 MAC is not supported on this system.
2 getmac could not report a MAC label.
3 getmac usage is wrong.
NOTES
If you omit -o and -s, the default is -s.
getmac does not yet display symbolic MAC label aliases.
It may appear that getmac -s and getmac -o p are the same command and
that one is redundant. Note, however, that a process is at once both
a subject and an object, and that the clearance of the subject (the
process) and the MAC label of the object (the process) are two
different conceptual entities. Either syntax can be used to get both
the clearance of the process (viewed as a subject) and the MAC label
of the process (viewed as an object).
SEE ALSO
setmac(1M), dg_getomac(2), mac_library(3), mac_defs(4M).
Licensed material--property of copyright holder(s)