
setrange(1M)             DG/UX B2 Security R4.12MU02            setrange(1M)


NAME
       setrange - set mandatory access control (MAC) range

SYNOPSIS
       setrange [-lqr]
              {-I ifile|-L lalias -H halias|lalias halias} object ...

       setrange [-lqr] -o objtype
              {-I ifile|-L lalias -H halias|lalias halias} [object ...]

   where:
       objtype   The object type of the specified objects.
       ifile     The name of a file containing textual MAC range
                 description(s).  Each line is delimited by the new-line
                 character and must contain two aliases: lalias halias.
       lalias    The external text representation of the MAC range lower
                 bound label, which must be a MAC label alias defined in the
                 MAC alias database.
       halias    The external text representation of the MAC range upper
                 bound label, which must be a MAC label alias defined in the
                 MAC alias database.
       object    The name(s) of the object(s) whose MAC range setrange tries
                 to set.

DESCRIPTION
       The setrange command sets the MAC range on an object.  A valid MAC
       range is composed of two MAC labels, a lower bound MAC label and an
       upper bound MAC label.  The upper bound MAC label must dominate the
       lower bound MAC label.

       When a MAC range is set on any file object other than a directory,
       the MAC label of that file object is removed, and the MAC range
       governs MAC access to the file object.  If a MAC range is set on a
       directory, the MAC label remains and continues to govern MAC access
       to the directory.  In order to have both a MAC label and a MAC range
       on a nondirectory file object, the MAC label must be placed on the
       object after the MAC range has been placed on the object.

       To remove a MAC range, use the setmac -d c command to convert the
       object to being governed by an implicit MAC label.

       If a file object is governed by a MAC range, then a process whose
       clearance dominates the upper bound has MAC read access to the
       object.  A process which dominates the lower bound but is dominated
       by the upper bound has MAC write access to the object.  A process
       whose clearance is equal to the upper bound has MAC read/write access
       to the object.  To read the attributes of an object governed by a MAC
       range, the process must have either MAC read or MAC write access to
       the object (or both).
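
The access rules in the paragraph above, together with the rule that the upper bound must dominate the lower bound, as an added model; it is not DG/UX code. It assumes the conventional label model (a hierarchy level plus a category set) and uses a constructed alias table; the real label format and alias database are not shown on this page.

```python
# Added illustration of MAC range checks; not DG/UX source code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    level: int                      # hierarchical level (assumed label model)
    cats: frozenset = frozenset()   # category set (assumed label model)

def dominates(a: Label, b: Label) -> bool:
    """a dominates b: level at least as high and a superset of categories."""
    return a.level >= b.level and a.cats >= b.cats

# Constructed alias table standing in for the MAC alias database.
ALIASES = {
    "lo":     Label(1),
    "mid":    Label(2, frozenset({"eng"})),
    "hi":     Label(3, frozenset({"eng"})),
    "top":    Label(4, frozenset({"eng", "ops"})),
    "hi_ops": Label(3, frozenset({"ops"})),
}

def parse_range_line(line: str):
    """Parse one 'lalias halias' line and reject an invalid range."""
    fields = line.split()
    if len(fields) != 2:
        raise ValueError(f"expected 'lalias halias', got {line!r}")
    try:
        lo, hi = (ALIASES[f] for f in fields)
    except KeyError as exc:
        raise ValueError(f"unknown MAC alias {exc.args[0]!r}") from None
    if not dominates(hi, lo):
        raise ValueError("upper bound does not dominate lower bound")
    return lo, hi

def range_access(clearance: Label, lo: Label, hi: Label) -> str:
    """MAC access to a range-governed object: '', 'r', 'w' or 'rw'."""
    read = dominates(clearance, hi)
    write = dominates(clearance, lo) and dominates(hi, clearance)
    return ("r" if read else "") + ("w" if write else "")

def can_read_attributes(clearance: Label, lo: Label, hi: Label) -> bool:
    """Attribute reads need MAC read or MAC write access (or both)."""
    return range_access(clearance, lo, hi) != ""
```

A clearance that is incomparable with the bounds (here `hi_ops` against the range `lo`..`hi`) gets neither access, so it cannot read the object's attributes either.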

       The invoker must have appropriate privilege.

   Options
       -l     If target is a symbolic link, operate on the link.  The
              default behavior is to operate on the object that the link
              references.

       -q     stops setrange from writing diagnostic messages.  The usage
              error message is always written.

       -r     causes setrange to recursively descend through directory file
              objects, setting the MAC range for each file object.

       -L     specifies that the following argument is a MAC alias
              specifying the MAC range lower bound.

       -H     specifies that the following argument is a MAC alias
              specifying the MAC range upper bound.

       -o     Specify the object type.  If you use this option but omit
              object, setrange uses the default objects listed below.  The
              values for objtype, the objects associated with them, and the
              specification format for the objects are also listed below.

              Value   Object   Format     Default
              f       file     filename   Working directory (.)

              If you omit -o and specify one or more objects, the default
              object type is f (file).

              Note that UNIX-domain sockets are file objects.

       -I     Read MAC range entries from the specified file (- indicates
              stdin).

              If you specify no object arguments, setrange tries to set the
              MAC range of each object specified in the -I input source to
              the associated MAC range in the -I input source.

              If you specify object arguments, setrange tries to set the MAC
              range of each object argument to the first MAC range described
              in the input source.

EXAMPLES
       $ setrange impllo implhi /dir1/abc
              sets the MAC range of lower bound impllo to upper bound
              implhi on the file /dir1/abc.

       $ setrange -L sessionlo -H sessionlo /dir1/abc
              sets the MAC range of sessionlo to sessionlo on the file
              /dir1/abc.  Note that both the lower and upper bounds are the
              same label.  This is allowed, since the only restriction on
              the bounds is that the upper bound dominate the lower bound,
              and two labels that are equal also dominate each other (that
              is the definition of two labels being equal).

DIAGNOSTICS
       Setrange writes all diagnostic messages to stderr.

       The setrange command exits with one of the following values:

       0      The MAC ranges were successfully set on all specified files.

       1      MAC is not supported on this system.

       2      setrange could not set the MAC range on at least one of the
              specified files.  This may be because the upper bound MAC
              label does not dominate the lower bound MAC label.

       3      setrange usage is wrong.

SEE ALSO
       getmac(1), getrange(1), macd(1M), setmac(1M), dggetomac(2),
       dgsetomac(2), dgsetomaconly(2), maclibrary(3), macdefs(4M).


Licensed material--property of copyright holder(s)
