getrange(1) DG/UX B2 Security R4.12MU02 getrange(1)
NAME
getrange - display mandatory access control (MAC) range
SYNOPSIS
getrange [-alpqr] [-t al] [-o objecttype] [object ...]
getrange [-q] [-t al] [-s [pid ...] ]
where:
objecttype   The type of object: f, m, p, q, or s
object       The name or identifier of an object
pid          A process identification number
DESCRIPTION
The getrange command displays MAC ranges. If you omit all arguments,
the MAC range for your current shell process is displayed.
Options
-a Display the MAC ranges of all files, including those beginning
with a full stop (.), when used with the -r option.
-l If the target is a symbolic link, operate on the link. The
default behavior is to operate on the object that the link
references.
-p Display absolute pathnames of file objects.
-q Do not write diagnostic messages. The usage error message is
always written.
-r Recursively descend through directory file objects, displaying
the MAC range for each file object.
-t al Indicate the type of alias printing desired. -ta prints out
all aliases that would result in the same MAC label. They are
printed in order of last defined through first defined in the
files /etc/tcb/mac/macaliasdefs and then
/etc/tcb/mac/maclabeldefs. -tl displays the long form of
the alias name; the default is to display the short form.
-tal displays the long form of -ta.
-o Specify the type of object arguments. If you use -o
objecttype but omit object, getrange uses the default object.
Values for objecttype, the objects associated with them, the
specification format for the objects, and the default objects
are listed below.
Value  Object          Format                 Default
f      file            filename               Working directory (.)
m      shared memory   IPC shared memory ID   0
q      message queue   IPC message queue ID   0
p      process         PID number             The invoking PID
s      semaphore       IPC semaphore set ID   0
Note that UNIX-domain sockets are file objects.
-s Display the MAC label of the invoking process.
If you omit -o objecttype and specify one or more objects, the
default object type is f (file). If getrange is invoked without -s,
-o, or object, then getrange displays the invoking process's MAC
range.
MAC Label Format
Getrange displays the MAC range of an object as two MAC labels
representing the lower bound and the upper (high) bound of the MAC
range. Each MAC label of an object is displayed in the following
format:
objectname MAClabelalias
There is a separate objectname for each objecttype:
Object type   Format
f             filename
p             p:pidnumber
m             m:sharedmemoryID
q             q:messagequeueID
s             s:semaphoresetID
MAClabelalias is the external text representation of the MAC label
as defined in the files /etc/tcb/mac/macaliasdefs and
/etc/tcb/mac/maclabeldefs. For a complete description of the
MAClabelalias format, see macdefs(4M).
getrange -s displays the MAC label of the subject (the invoking
process) in the following format:
MAClabelalias
EXAMPLES
$ getrange -r -tl dirabc
dir_abc -L ACCRED_LO -H ACCRED_HI
a -L SESSION_LO -H SESSION_HI
b -L SESSION_LO -H SESSION_LO
c -L IMPLEMENTATION_LO -H IMPLEMENTATION_HI
$ getrange -pr dirabc
/usr/ab_user/dir_abc/a -L SES_LO -H SES_HI
/usr/ab_user/dir_abc/b -L SES_LO -H SES_LO
/usr/ab_user/dir_abc/c -L IMPL_LO -H IMPL_HI
FILES
/etc/macalias
/etc/tcb/mac/maclabeldefs
/etc/tcb/mac/macaliasdefs
DIAGNOSTICS
Getrange writes all diagnostic messages to stderr.
The getrange command exits with one of the following values:
0 The MAC ranges associated with all specified files were
successfully reported.
1 MAC is not supported on this system.
2 getrange could not report a MAC range.
3 getrange usage is wrong.
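The following shell functions are an added example, not part of the original manual page or of DG/UX. They save a getrange -pr listing, interpreting the exit values above, and compare two saved listings to report objects whose MAC range changed, appeared, or disappeared. The function names snapshot, parse_ranges and range_drift are hypothetical, and the parser assumes the -L/-H line layout shown under EXAMPLES with alias names that contain no whitespace.

```shell
#!/bin/sh
# Added example. Assumes every output line ends in "-L <low> -H <high>",
# as under EXAMPLES, and that alias names contain no whitespace.

# snapshot DIR FILE: save `getrange -pr DIR`, reporting the exit values
# listed under DIAGNOSTICS.
snapshot() {
    rc=0
    getrange -pr "$1" > "$2" || rc=$?
    case $rc in
        0) ;;
        1) echo "snapshot: MAC is not supported on this system" >&2 ;;
        2) echo "snapshot: a MAC range could not be reported" >&2 ;;
        *) echo "snapshot: getrange exited with status $rc" >&2 ;;
    esac
    return "$rc"
}

# parse_ranges TAG: read getrange output on stdin; print TAG, low, high and
# object name, tab-separated. Fields are taken from the right so object
# names containing spaces stay intact.
parse_ranges() {
    awk -v tag="$1" '
    NF >= 5 && $(NF-3) == "-L" && $(NF-1) == "-H" {
        name = $0
        sub(/[ \t]+-L[ \t]+[^ \t]+[ \t]+-H[ \t]+[^ \t]+[ \t]*$/, "", name)
        sub(/^[ \t]+/, "", name)
        printf "%s\t%s\t%s\t%s\n", tag, $(NF-2), $NF, name
        next
    }
    NF { print "parse_ranges: skipped line " NR ": " $0 > "/dev/stderr" }'
}

# range_drift BASELINE CURRENT: compare two saved snapshots and list objects
# whose range changed, appeared, or disappeared.
range_drift() {
    { parse_ranges B < "$1"; parse_ranges C < "$2"; } |
    awk -F '\t' '
    $1 == "B" { base[$4] = $2 ".." $3 }
    $1 == "C" { cur[$4] = $2 ".." $3 }
    END {
        for (n in cur) {
            if (!(n in base)) print "NEW " n " " cur[n]
            else if (base[n] != cur[n]) print "CHANGED " n " " base[n] " -> " cur[n]
        }
        for (n in base) if (!(n in cur)) print "MISSING " n " " base[n]
    }' | LC_ALL=C sort
}
```

Both snapshots must be taken with the same -t setting, since short and long alias forms of the same label would otherwise be reported as changes.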
SEE ALSO
getmac(1), secstat(1), setmac(1M), setrange(1M), dggetomac(2),
dggetorange(2), dgsetomac(2), dgsetomaconly(2), dgsetorange(2),
maclibrary(3), macdefs(4M).
Licensed material--property of copyright holder(s)