gettuple(1) DG/UX B2 Security R4.12MU02 gettuple(1)
NAME
gettuple - display mandatory access control (MAC) tuple
SYNOPSIS
gettuple [-alpqr] [-t al] [-o objecttype] [object ...]
gettuple [-q] [-t al] [-s [pid ...] ]
where:
objecttype The type of object: f, m, p, q, or s
object The name or identifier of an object
pid A process identification number
DESCRIPTION
The gettuple command displays MAC tuples. If you omit all arguments,
the MAC tuple for your current shell process is displayed.
Options
-a Display the MAC tuples of all files, including those beginning
with a full stop (.), when used with the -r option.
-l If target is a symbolic link, operate on the link. The
default behavior is to operate on the object that the link
references.
-p Display absolute pathnames of file objects.
-q Do not write diagnostic messages. The usage error message is
always written.
-r Recursively descend through directory file objects, displaying
the MAC tuple for each file object.
-t al Indicate the type of alias printing desired. -ta prints out
all aliases that would result in the same MAC label. They are
printed in order of last defined through first defined in the
files /etc/tcb/mac/macaliasdefs and then
/etc/tcb/mac/maclabeldefs. -tl displays the long form of
the alias name; the default is to display the short form.
-tal displays the long form of -ta.
-o Specify the type of object arguments. If you use -o
objecttype but omit object, gettuple uses the default object.
Values for objecttype, the objects associated with them, the
specification format for the objects, and the default objects
are listed below.
Value  Object         Format                  Default
f      file           filename                Working directory (.)
m      shared memory  IPC shared memory ID    0
q      message queue  IPC message queue ID    0
p      process        PID number              The invoking PID
s      semaphore      IPC semaphore set ID    0
Note that UNIX-domain sockets are file objects.
-s Display the MAC tuple of the invoking process.
If you omit -o objecttype and specify one or more objects, the
default object type is f (file). If gettuple is invoked without -s,
-o, or object, then gettuple displays the invoking process's MAC
tuple.
MAC Tuple Format
Gettuple displays the MAC tuple of an object by displaying up to
three MAC ranges, where each range is listed as two MAC labels
representing the lower bound and the upper (high) bound of the MAC
range. Each MAC tuple of an object is displayed in the following
format:
objectname MACtuplealias
There is a separate objectname for each objecttype:
Object type  Format
f            filename
p            p:pidnumber
m            m:sharedmemoryID
q            q:messagequeueID
s            s:semaphoresetID
MACtuplealias is the external text representation of each MAC label
comprising the endpoints of the ranges of the MAC tuple. The MAC
label aliases are defined in the files /etc/tcb/mac/macaliasdefs
and /etc/tcb/mac/maclabeldefs. For a complete description of the
MAC label alias format, see macdefs(4M).
gettuple -s displays the MAC tuple of the subject (the invoking
process) in the following format:
MACtuplealias
EXAMPLES
$ gettuple dir/abc
foobar -L ADMIN_LO -H ADMIN_HI -L USER_LO -H USER_HI
$ gettuple
-L ACR_LO -H ACR_HI -L VP_EXEC -H VP_EXEC
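The following is an added example, not part of the original manual page: POSIX shell functions that split gettuple output into one record per MAC range and list the objects whose tuple differs from an expected baseline. It assumes the "-L low -H high" layout shown above and object names and aliases without whitespace; the function names, sample paths and baseline value are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the manual page). Assumes the "-L low -H high"
# layout shown under EXAMPLES and whitespace-free names and aliases.

# parse_tuples: gettuple output on stdin -> "object<TAB>n<TAB>low<TAB>high",
# one record per MAC range. Subject-form lines (no object name) get object "-".
# Exits non-zero if a line has no range, more than three, or trailing tokens.
parse_tuples() {
    awk 'BEGIN { bad = 0 }
    NF == 0 { next }
    {
        obj = "-"; i = 1; n = 0
        if ($1 != "-L") { obj = $1; i = 2 }
        while (i + 3 <= NF && $i == "-L" && $(i + 2) == "-H") {
            n++
            printf "%s\t%d\t%s\t%s\n", obj, n, $(i + 1), $(i + 3)
            i += 4
        }
        if (i <= NF || n == 0 || n > 3) {
            print "malformed line " NR ": " $0 | "cat 1>&2"
            bad = 1
        }
    }
    END { exit bad }'
}

# flag_deviations EXPECTED: print each object whose tuple text differs from
# EXPECTED (a hypothetical site baseline such as "-L USER_LO -H USER_HI").
flag_deviations() {
    awk -v want="$1" '$1 != "-L" && NF > 0 {
        obj = $1
        $1 = ""                 # drop the object name; $0 is rebuilt
        sub(/^ +/, "")
        if ($0 != want) print obj
    }'
}

# Constructed sample in the format of `gettuple -a -p -r <dir>` output.
SAMPLE='/data/app/config -L USER_LO -H USER_HI
/data/app/.secret -L ADMIN_LO -H ADMIN_HI -L USER_LO -H USER_HI
/data/app/log -L USER_LO -H USER_HI'

printf '%s\n' "$SAMPLE" | parse_tuples
printf '%s\n' "$SAMPLE" | flag_deviations "-L USER_LO -H USER_HI"
```

On a live system the sample would be replaced by the output of gettuple -a -p -r on the directory being audited, with the exit values listed under DIAGNOSTICS checked before the output is trusted.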
FILES
/etc/macalias
/etc/tcb/mac/maclabeldefs
/etc/tcb/mac/macaliasdefs
DIAGNOSTICS
Gettuple writes all diagnostic messages to stderr.
The gettuple command exits with one of the following values:
0 The MAC tuples associated with all specified files were
successfully reported.
1 MAC is not supported on this system.
2 gettuple could not report a MAC tuple.
3 gettuple usage is wrong.
SEE ALSO
getmac(1), secstat(1), setmac(1M), settuple(1M), dggetomac(2),
dgsetomac(2), maclibrary(3), macdefs(4M).
Licensed material--property of copyright holder(s)