settuple(1M) DG/UX B2 Security R4.12MU02 settuple(1M)
NAME
settuple - set mandatory access control (MAC) tuple
SYNOPSIS
settuple [-lqr] [-o obj_type]
{[-A admin_alias] [-U user_alias] [-V vp_alias]} [object ...]
settuple [-lqr] [-o obj_type] [-i] tuple_alias [object ...]
settuple [-lqr] [-o obj_type] -I ifile [object ...]
settuple [-lqr] [-o obj_type] [-d region_spec] [object ...]
where:
obj_type The object type of the specified objects.
ifile The name of a file containing textual MAC tuple
description(s). Each line is delimited by the new-line
character and must contain at least one MAC range alias.
admin_alias
The external text representation of a MAC range in the
administrative (admin) region.
user_alias
The external text representation of a MAC range in the user
region.
vp_alias The external text representation of a MAC range in the
virus prevention (vp) region.
tuple_alias
The external text representation of a complete MAC tuple.
region_spec
A list of MAC region flags.
object The name(s) of the object(s) whose MAC tuple settuple tries
to set.
DESCRIPTION
The settuple command sets the MAC tuple on an object. A valid MAC
tuple is composed of two, four or six MAC labels, where each pair of
labels represents one MAC range of the tuple. See the descriptions
of the admin_alias, user_alias, vp_alias and tuple_alias arguments,
below, for details on the syntax of these specifications.
When a MAC tuple is set on any file object other than a directory,
the MAC label of that file object is removed, and the MAC tuple
governs MAC access to the file object. If a MAC tuple is set on a
directory, the MAC label remains and continues to govern MAC access
to the directory. In order to have both a MAC label and a MAC tuple
on a nondirectory file object, the MAC label must be placed on the
object after the MAC tuple has been placed on the object.
To remove a MAC tuple, use the setmac -d c command to convert the
object to being governed by an implicit MAC label.
The invoker must have appropriate privilege.
The admin_alias, user_alias, and vp_alias arguments must specify a
valid MAC range alias. The MAC range alias must contain a lo and hi
MAC label alias within quotes. The MAC range alias may be specified
in any of the following ways:
"<lo MAC alias> <hi MAC alias>"
"<hi MAC alias> <lo MAC alias>"
"-L <lo MAC alias> -H <hi MAC alias>"
"-H <hi MAC alias> -L <lo MAC alias>"
If the -L and -H are omitted, the MAC aliases can be specified in
either order. The MAC alias which dominates the other will be
treated as the MAC range hi. If there is no dominance relationship
between the two MAC aliases, an error will occur. If the -L and -H
are specified, the MAC aliases will be treated as specified, with
respect to the lo and hi values. Both the lo and hi values must be
in the same MAC region or an error will occur.
If at least one of admin_alias, user_alias or vp_alias is specified,
the MAC ranges in the specified regions will be updated but the
values of the other regions in the tuple will be unchanged. For
example, if an admin_alias and a vp_alias are specified, the admin
region MAC range and vp region MAC range of the tuple will be updated
accordingly, but the user region MAC range will remain unchanged.
The tuple_alias argument must specify a valid MAC tuple alias. A
valid MAC tuple alias consists of one, two or three valid MAC range
aliases within quotes. There must be at most one MAC range in each
MAC region and the ranges can be specified in any order. If
tuple_alias is used instead of separate region MAC ranges through the
-A, -U, or -V options, the entire MAC tuple will be replaced with the
specified alias. So, if the target has a vp region MAC range in its
MAC tuple, for example, and tuple_alias contains only an admin region
and user region MAC range, the vp region range will be removed from
the target's tuple.
Options
-i Use tuple_alias as the tuple to set on the object(s). The -i
option is only necessary if tuple_alias begins with a hyphen
(-), such as "-L user_lo -H user_hi". In this case, the -i is
needed to prevent settuple from thinking that the "-L" in the
tuple alias is an option. If tuple_alias does not begin with
a hyphen (-) the -i option can be omitted.
-A admin_alias
specifies the text representation of the administrative region
MAC range for the tuple.
-U user_alias
specifies the text representation of the user region MAC range
for the tuple.
-V vp_alias
specifies the text representation of the virus prevention
region MAC range for the tuple.
-l If target is a symbolic link, operate on the link. The
default behavior is to operate on the object that the link
references.
-q stops settuple from writing diagnostic messages. The usage
error message is always written.
-r causes settuple to recursively descend through directory file
objects, setting the MAC tuple for each file object.
-d region_spec
causes settuple to remove the MAC range in the region(s)
specified in region_spec from the tuple of the specified
target(s). Note that you may not remove the last range in a
MAC tuple. If removing the specified ranges will leave an
empty MAC tuple, an error will occur. region_spec is a
combination of one or more of the following flags:
A Specifies the administrative region MAC range.
U Specifies the user region MAC range.
V Specifies the virus prevention region MAC range.
-o specifies the object type. If you use this option but omit
object, settuple uses the default objects listed below. The
values for obj_type, the objects associated with them, and the
specification format for the objects are also listed below.
Value  Object          Format            Default
f      file            filename          Working directory (.)
p      process         pid number        Invoking process ID (0)
m      shared memory   shared memory ID  0
s      semaphore       semaphore set ID  0
q      message queue   message queue ID  0
If you omit -o and specify one or more objects, the default
object type is f (file).
Note that UNIX-domain sockets are file objects.
-I reads MAC tuple entries from the specified file (- indicates
stdin).
Each line in ifile is delimited by the newline character. The
file can contain the entire MAC tuple alias on one line, or
each line can contain a valid MAC range alias. Quotes are not
necessary in ifile.
EXAMPLES
$ settuple "vp_lo vp_hi user_lo user_hi" /dir1/abc
sets the MAC tuple on the file /dir1/abc to have a vp MAC range
of vp_lo to vp_hi and a user MAC range of user_lo to user_hi.
The file will have no admin MAC range.
$ settuple -A "-L admin_lo -H admin_hi" /dir1/abc
sets the admin MAC range of the MAC tuple on the file
/dir1/abc to admin_lo to admin_hi. The other ranges in the
tuple will be unchanged.
$ settuple -V "vp_lo vp_hi" -A "admin_lo admin_lo"
sets the vp MAC range of the MAC tuple of the invoking process
to vp_lo to vp_hi and the admin MAC range of the same tuple to
admin_lo to admin_lo. The user MAC range of the tuple will be
unchanged.
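The update rules from DESCRIPTION and the -d option, modelled in Python as an added example (this is not DG/UX code and not part of the original page). The Label fields and the level/category dominance test are assumptions, since the page does not define the label format; it also does not say whether "-L"/"-H" input is checked for dominance, so the model takes it as given.

```python
# Added model, not DG/UX code. Assumption: a label is (region, level, categories)
# and A dominates B when A.level >= B.level and A.cats is a superset of B.cats.
from typing import FrozenSet, NamedTuple

class Label(NamedTuple):
    region: str            # "A" admin, "U" user, "V" virus prevention
    level: int
    cats: FrozenSet[str]

def dominates(a, b):
    return a.level >= b.level and a.cats >= b.cats

def make_range(x, y, explicit=False):
    """Return (lo, hi); explicit=True models "-L x -H y", taken as given."""
    if x.region != y.region:
        raise ValueError("lo and hi must be in the same MAC region")
    if not (explicit or dominates(x, y) or dominates(y, x)):
        raise ValueError("no dominance relationship between the labels")
    return (x, y) if explicit or dominates(y, x) else (y, x)  # dominating = hi

def tuple_from_ranges(ranges):
    """Model of a tuple_alias: one to three ranges, at most one per region."""
    tup = {}
    for lo, hi in ranges:
        if lo.region in tup:
            raise ValueError("at most one MAC range per region")
        tup[lo.region] = (lo, hi)
    if not tup:
        raise ValueError("a tuple needs at least one MAC range")
    return tup

def update_regions(current, ranges):
    """-A/-U/-V: only the named regions change; the others are kept."""
    return {**current, **tuple_from_ranges(ranges)}

def replace_tuple(current, ranges):
    """tuple_alias: the whole tuple is replaced; omitted regions are dropped."""
    return tuple_from_ranges(ranges)

def delete_regions(current, region_spec):
    """-d region_spec: remove the listed regions, but never the last range."""
    left = {r: v for r, v in current.items() if r not in region_spec}
    if not left:
        raise ValueError("cannot remove the last range in a MAC tuple")
    return left

# Constructed sample labels; levels and categories are hypothetical.
VP_LO, VP_HI = Label("V", 0, frozenset()), Label("V", 1, frozenset())
USER_LO, USER_HI = Label("U", 2, frozenset()), Label("U", 5, frozenset({"eng"}))
```

Calling replace_tuple on a tuple that holds A, U and V ranges with only A and U ranges returns a tuple with no V range, which is the case the tuple_alias paragraph describes.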
DIAGNOSTICS
settuple writes all diagnostic messages to stderr.
The settuple command exits with one of the following values:
0 The MAC tuples were successfully set on all specified objects.
1 MAC is not supported on this system.
2 settuple could not set the MAC tuple on at least one of the
specified objects.
3 settuple usage is wrong.
SEE ALSO
getmac(1), setmac(1M), gettuple(1M), dg_getomac(2), dg_setomac(2),
dg_cvt_to_implicit(2), dg_gettuple(2), dg_settuple(2), macd(1M),
mac_library(3), mac_defs(4M).
Licensed material--property of copyright holder(s)