setmac(1M) DG/UX B2 Security R4.12MU02 setmac(1M)
NAME
setmac - set mandatory access control (MAC) label
SYNOPSIS
setmac [-lqr] [-o object_type] [-d o] -I ifile [object ...]
setmac [-lqr] [-o object_type] [-d o] -i MAC_label_alias [object ...]
setmac [-lqr] [-o object_type] [object ...]
setmac [-lqr] [-o f] -d c object ...
setmac [-q] [-i] MAC_label_alias
setmac [-q] -s -I ifile [pid ...]
setmac [-q] -s [-i] MAC_label_alias [pid ...]
where:
object_type The object type of the specified objects.
ifile The name of a file containing textual MAC label
description(s). Each line is delimited by the newline
character and can contain one MAC label alias or the
output from the getmac command.
MAC_label_alias The external text representation of the MAC label
that must be defined in the MAC alias database.
object The name(s) of the object whose MAC label setmac
tries to set.
pid A process ID of the process for which to change the
MAC label (clearance).
DESCRIPTION
The setmac command sets the MAC label on an object or a process. The
invoker must have appropriate privilege.
Options
-l If target is a symbolic link, operate on the link. The
default behavior is to operate on the object that the link
references.
-q Stop setmac from writing diagnostic messages. The usage error
message is always written.
-r Recursively descend through directory file objects, setting
the MAC label for each file object.
-o Specify the type of the object arguments. If you use -o but
omit object, setmac uses the default objects listed below.
The values for object_type, the objects associated with them,
and the specification format for the objects are also listed.
Value  Object         Format             Default
f      file           filename           Working directory (.)
p      process        pid number         Invoking process ID (0)
m      shared memory  shared memory ID   0
s      semaphore      semaphore set ID   0
q      message queue  message queue ID   0
If you omit -o and specify one or more objects, the default
object type is f (file). If you omit the objects, setmac sets
the MAC label of the invoking process.
Note that UNIX-domain sockets are file objects.
-d o Use the dg_setomac_only(2) function to set the MAC label on
the file system object. This has the effect that when used on
directory file objects, if any of the directory's children
have implicit labels, they will not be converted to explicit
labels. Before you use this option, see the
dg_setomac_only(2) man page for a better understanding of the
option.
-d c Convert the MAC label on the target file system object to an
implicit MAC label. If the MAC label is already implicit, no
action is taken and no error is generated. The secstat(1)
command may be used to determine whether a file has an
explicit or an implicit MAC label. Note that this option is
only applicable to file system objects, and that it does not
take a MAC label alias (this option says to inherit the MAC
label value from the file's parent).
-i Use MAC_label_alias as the MAC label. MAC_label_alias is
defined in the files /etc/tcb/mac/mac_label_defs and
/etc/tcb/mac/mac_alias_defs.
-I Read MAC entries from the specified file (- indicates stdin).
If you use this option and -s but omit subject pid arguments,
setmac tries to set the MAC label of the invoking process to
the first MAC label described in the input source.
If you use -s and subject pid arguments, setmac tries to set
the MAC label of the specified subject pids to the first MAC
label described in the input source.
If you omit -s and object arguments, setmac tries to set the
MAC label of each object specified in the -I input source to
the associated MAC label in the -I input source.
If you omit -s and use object arguments, setmac tries to set
the MAC label of each object argument to the first MAC label
described in the -I input source.
-s Set the MAC label of the indicated process. If no processes
are specified, and the -s option is, the invoking process is
the target (i.e., the shell from which the setmac command is
issued, not the process executing the setmac command itself).
WARNING: Do not use the setmac command to set a MAC label on a tty
used for interactive sessions. Doing so will prevent
anyone from creating a session on that tty. All such ttys
must be governed by a MAC tuple (see settuple(1M)).
EXAMPLES
setmac session_lo dir_abc/a dir_abc/b
sets the MAC label on the file objects dir_abc/a and dir_abc/b
(object type f by default) to session_lo.
setmac impl_lo
sets the MAC label on the shell/process that invoked the
setmac command to impl_lo.
setmac -s impl_hi 1245 1785
sets the MAC label on the processes with pids 1245 and 1785 to
impl_hi.
DIAGNOSTICS
The setmac command writes all diagnostic messages to stderr.
The setmac command exits with one of the following values:
0 The MAC labels were successfully set on all specified files.
1 MAC is not supported on this system.
2 setmac could not set the MAC label on at least one of the
specified files.
3 setmac usage is wrong.
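The following shell wrapper is an added example and is not part of the DG/UX manual or of setmac itself. It combines the points above: it refuses to label character devices (the WARNING about ttys), calls setmac with -q and -i exactly as in the first EXAMPLE, and maps the exit status listed under DIAGNOSTICS to a message. The SETMAC variable and the relabel, filter_relabel_targets and setmac_status_text function names are assumptions of this example, not part of the command; SETMAC exists only so the wrapper can be exercised on a host without setmac.

```sh
#!/bin/sh
# Added example, not part of the DG/UX manual: a wrapper around setmac that
# refuses to label character devices (see the WARNING about ttys) and turns
# the documented exit status into a message. SETMAC is an assumed override
# hook so the wrapper can be exercised on a host without setmac; by default
# it is the real command name.
SETMAC="${SETMAC:-setmac}"

# Translate a setmac exit status (DIAGNOSTICS section) into a short message.
setmac_status_text() {
    case "$1" in
        0) echo "MAC labels set on all specified objects" ;;
        1) echo "MAC is not supported on this system" ;;
        2) echo "MAC label could not be set on at least one object" ;;
        3) echo "setmac usage error" ;;
        *) echo "unexpected setmac exit status $1" ;;
    esac
}

# Print, one per line, the objects that may be relabelled. Character-special
# files are dropped with a warning: a tty used for sessions must be governed
# by a MAC tuple (settuple(1M)), not by a label set with setmac.
filter_relabel_targets() {
    for obj in "$@"; do
        if [ -c "$obj" ]; then
            echo "skipping character device $obj (ttys use settuple(1M))" >&2
        else
            printf '%s\n' "$obj"
        fi
    done
}

# relabel LABEL OBJECT...
# Sets LABEL (a MAC label alias) on every non-device OBJECT, equivalent to
# "setmac -q -i LABEL OBJECT...", and returns setmac's own exit status
# (3, the usage status, if nothing is left to relabel).
# Object names containing newlines are not supported.
relabel() {
    label="$1"; shift
    targets=$(filter_relabel_targets "$@")
    if [ -z "$targets" ]; then
        echo "relabel: no objects to relabel" >&2
        return 3
    fi
    old_ifs=$IFS; IFS='
'
    set -f                      # no globbing while splitting the names
    set -- $targets
    set +f
    IFS=$old_ifs
    "$SETMAC" -q -i "$label" "$@"
    status=$?
    echo "setmac: $(setmac_status_text "$status")" >&2
    return "$status"
}

# The first EXAMPLE from the manual, issued through the wrapper:
#   relabel session_lo dir_abc/a dir_abc/b
```

The wrapper deliberately passes -q so that the only diagnostic the caller sees is the status line it prints itself; drop -q if the per-object messages from setmac are wanted.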
NOTES
If you omit -o and -s, the default is -s.
It may appear that setmac -s and setmac -o p are the same command and
that one is redundant. Note, however, that a process is at once both
a subject and an object, and that the clearance of the subject (the
process) and the MAC label of the object (the process) are two
different conceptual entities. Either syntax can be used to set both
the clearance of the process (viewed as a subject) and the MAC label
of the process (viewed as an object).
If the MAC label of a process is changed, access to all its open
descriptors will be re-evaluated and access will be lost to objects
referenced by descriptors to which the process no longer has MAC
access. Since this can often cause a process to lose access to its
controlling tty and/or standard output/input/error, the privilege to
change the MAC label of a process is not given to any user or role by
default.
SEE ALSO
macd(1M), getmac(1), secstat(1), settuple(1M), dg_getomac(2),
dg_setomac(2), dg_setomac_only(2), mac_library(3), mac_defs(4M).
Licensed material--property of copyright holder(s)