macd(1M) DG/UX B2 Security R4.12MU02 macd(1M)
NAME
macd - mandatory access control (MAC) server
SYNOPSIS
/sbin/macd [-V [labeldef aliasdef]]
where:
labeldef    The specified MAC label definition file
aliasdef    The specified MAC alias definition file
DESCRIPTION
Macd is a server that provides MAC label-related services for DG/UX
systems on which MAC is present [see secconfig(1)].
Macd provides MAC label name translation and other services through
the maclibrary(3) functional interfaces and the getmac(1) and
setmac(1M) commands. macd ensures that it will never return any
information to a subject (client) which is not completely dominated
by that subject's current clearance.
macd implicitly requires two files: /etc/tcb/mac/maclabeldefs and
/etc/tcb/mac/macaliasdefs. macd should be started by init(1M) as a
trustedrespawn action with no arguments. Once macd is started, it
writes any error messages to the system log.
Option
-V Scan (verify) the specified MAC label and alias definition
files, labeldef and aliasdef, for syntax errors, writing any
errors to stderr. If labeldef and aliasdef are not specified,
macd scans the default MAC label and alias definition files,
/etc/tcb/mac/maclabeldefs and /etc/tcb/mac/macaliasdefs.
macd -V does not provide any MAC related services; it can be
used only to verify MAC label and alias syntax before any
changes made to maclabeldefs or macaliasdefs are put into
effect.
If macd -V writes nothing to stderr and returns exit code 0,
then the MAC label and alias database has the correct syntax.
If macd -V writes error messages to stderr and returns exit
code 2, then the MAC label and alias database syntax must be
corrected.
FILES
/etc/macalias                macd command stream
/etc/tcb/mac/maclabeldefs    MAC label definitions file
/etc/tcb/mac/macaliasdefs    MAC alias definitions file
SEE ALSO
getmac(1), secconfig(1), setmac(1M), maclibrary(3), macdefs(4M).
NOTES AND WARNINGS
If it is absolutely necessary to reinitialize macd after adding new
hierarchies, categories and aliases to /etc/tcb/mac/maclabeldefs
and /etc/tcb/mac/macaliasdefs without rebooting the system, the
system administrator can cycle macd by sending the macd process a
SIGTERM signal:
     kill -15 <macd pid>
If the MAC label and alias database has any syntax errors, then macd
will in effect be disabled if restarted. If macd is disabled on a
system that has MAC, no one will be able to log in to the system.
It is therefore imperative to verify any changes to the label and
alias database with macd -V before cycling macd or rebooting the
system.
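
The verify-before-cycle rule above can be enforced with a small wrapper. This is an added example, not part of the DG/UX distribution: the function names, the MACD and MAC_DIR overrides and the .prev backup naming are hypothetical, and the macd process id is supplied by the administrator.

```shell
# Added example. MACD and MAC_DIR are overridable only so the logic can be
# exercised off the live system (assumption; defaults are the page's paths).
MACD=${MACD:-/sbin/macd}
MAC_DIR=${MAC_DIR:-/etc/tcb/mac}

# verify_mac_defs LABELDEF ALIASDEF
# Succeeds only if macd -V exits 0 AND writes nothing to stderr.
verify_mac_defs() {
    labeldef=$1; aliasdef=$2
    if [ ! -r "$labeldef" ] || [ ! -r "$aliasdef" ]; then
        echo "cannot read $labeldef or $aliasdef" >&2
        return 1
    fi
    rc=0
    # Capture stderr only; backticks keep this usable in older Bourne shells.
    errs=`"$MACD" -V "$labeldef" "$aliasdef" 2>&1 >/dev/null` || rc=$?
    if [ "$rc" -ne 0 ] || [ -n "$errs" ]; then
        echo "macd -V rejected the files (exit code $rc): $errs" >&2
        return 1
    fi
    return 0
}

# install_mac_defs LABELDEF ALIASDEF
# Verifies the candidates, keeps .prev copies of the live files (hypothetical
# naming), installs, then verifies the installed copies again.
install_mac_defs() {
    verify_mac_defs "$1" "$2" || return 1
    for name in maclabeldefs macaliasdefs; do
        if [ -f "$MAC_DIR/$name" ]; then
            cp -p "$MAC_DIR/$name" "$MAC_DIR/$name.prev" || return 1
        fi
    done
    cp "$1" "$MAC_DIR/maclabeldefs" || return 1
    cp "$2" "$MAC_DIR/macaliasdefs" || return 1
    verify_mac_defs "$MAC_DIR/maclabeldefs" "$MAC_DIR/macaliasdefs"
}

# cycle_macd PID
# Sends SIGTERM to macd only when the live database verifies cleanly.
cycle_macd() {
    verify_mac_defs "$MAC_DIR/maclabeldefs" "$MAC_DIR/macaliasdefs" || return 1
    kill -15 "$1"
}
```

Run install_mac_defs on edited copies of the two files, and call cycle_macd with the macd process id only after it succeeds.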
Note that if the numeric values for hierarchies and/or categories
used as binary labels on objects are redefined or removed from the
alias database, this will cause the binary labels to be changed
in semantics, or to be nontranslatable to human-readable form. Great
care must be taken when modifying /etc/tcb/mac/maclabeldefs.
Licensed material--property of copyright holder(s)