setrange(1M) DG/UX B2 Security R4.12MU02 setrange(1M)
NAME
setrange - set mandatory access control (MAC) range
SYNOPSIS
setrange [-lqr]
{-I ifile|-L lalias -H halias|lalias halias} object ...
setrange [-lqr] -o objtype
{-I ifile|-L lalias -H halias|lalias halias} [object ...]
where:
objtype   The object type of the specified objects.
ifile     The name of a file containing textual MAC range
          description(s). Each line is delimited by the new-line
          character and must contain two aliases: lalias halias.
lalias    The external text representation of the MAC range lower
          bound label, which must be a MAC label alias defined in the
          MAC alias database.
halias    The external text representation of the MAC range upper
          bound label, which must be a MAC label alias defined in the
          MAC alias database.
object    The name(s) of the object(s) whose MAC range setrange tries
          to set.
DESCRIPTION
The setrange command sets the MAC range on an object. A valid MAC
range is composed of two MAC labels, a lower bound MAC label and an
upper bound MAC label. The upper bound MAC label must dominate the
lower bound MAC label.
When a MAC range is set on any file object other than a directory,
the MAC label of that file object is removed, and the MAC range
governs MAC access to the file object. If a MAC range is set on a
directory, the MAC label remains and continues to govern MAC access
to the directory. In order to have both a MAC label and a MAC range
on a nondirectory file object, the MAC label must be placed on the
object after the MAC range has been placed on the object.
To remove a MAC range, use the setmac -d c command to convert the
object to being governed by an implicit MAC label.
If a file object is governed by a MAC range, then a process whose
clearance dominates the upper bound has MAC read access to the
object. A process whose clearance dominates the lower bound but is
dominated by the upper bound has MAC write access to the object. A process
whose clearance is equal to the upper bound has MAC read/write access
to the object. To read the attributes of an object governed by a MAC
range, the process must have either MAC read or MAC write access to
the object (or both).
The invoker must have appropriate privilege.
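The range access rules above, worked through as an added Python example (not part of the DG/UX manual page or its code). It assumes labels are modeled as a hierarchy level plus a category set with the conventional dominance relation; the page does not describe the DG/UX label format, and all label values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    # Assumed label model: hierarchical level plus a set of categories.
    level: int
    cats: frozenset = frozenset()

    def dominates(self, other):
        # A dominates B when its level is at least B's and its
        # categories are a superset of B's. Equal labels dominate each other.
        return self.level >= other.level and self.cats >= other.cats


def valid_range(lo, hi):
    """A MAC range is valid only if the upper bound dominates the lower."""
    return hi.dominates(lo)


def range_access(clearance, lo, hi):
    """Return the MAC access modes a process clearance gets on a ranged object."""
    if not valid_range(lo, hi):
        raise ValueError("upper bound does not dominate lower bound")
    modes = set()
    if clearance.dominates(hi):                       # at or above the range
        modes.add("read")
    if clearance.dominates(lo) and hi.dominates(clearance):  # inside the range
        modes.add("write")
    return modes


def can_read_attributes(clearance, lo, hi):
    """Attributes are readable with MAC read or MAC write access (or both)."""
    return bool(range_access(clearance, lo, hi))


# Constructed sample range and process clearances.
LO = Label(1, frozenset({"a"}))
HI = Label(3, frozenset({"a", "b"}))
ABOVE = Label(4, frozenset({"a", "b", "c"}))   # strictly dominates HI
INSIDE = Label(2, frozenset({"a"}))            # between LO and HI
DISJOINT = Label(2, frozenset({"c"}))          # incomparable with LO and HI

if __name__ == "__main__":
    for name, c in [("above", ABOVE), ("at-upper", HI),
                    ("inside", INSIDE), ("disjoint", DISJOINT)]:
        print(name, sorted(range_access(c, LO, HI)))
```

A clearance that is incomparable with both bounds gets no access at all, so it cannot read the object's attributes either.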
Options
-l   If target is a symbolic link, operate on the link. The
     default behavior is to operate on the object that the link
     references.
-q   stops setrange from writing diagnostic messages. The usage
     error message is always written.
-r   causes setrange to recursively descend through directory file
     objects, setting the MAC range for each file object.
-L   specifies that the following argument is a MAC alias
     specifying the MAC range lower bound.
-H   specifies that the following argument is a MAC alias
     specifying the MAC range upper bound.
-o   Specify the object type. If you use this option but omit
     object, setrange uses the default objects listed below. The
     values for objtype, the objects associated with them, and the
     specification format for the objects are also listed below.

     Value   Object   Format     Default
     f       file     filename   Working directory (.)

     If you omit -o and specify one or more objects, the default
     object type is f (file).
     Note that UNIX-domain sockets are file objects.
-I   Read MAC range entries from the specified file (- indicates
     stdin).
     If you specify no object arguments, setrange tries to set the
     MAC range of each object specified in the -I input source to
     the associated MAC range in the -I input source.
     If you specify object arguments, setrange tries to set the MAC
     range of each object argument to the first MAC range described
     in the input source.
EXAMPLES
$ setrange impllo implhi /dir1/abc
     sets the MAC range of lower bound impllo to upper bound
     implhi on the file /dir1/abc.
$ setrange -L sessionlo -H sessionlo /dir1/abc
     sets the MAC range of sessionlo to sessionlo on the file
     /dir1/abc. Note that both the lower and upper bounds are the
     same label. This is allowed, since the only restriction on
     the bounds is that the upper bound dominate the lower bound,
     and two labels that are equal also dominate each other (that
     is the definition of two labels being equal).
DIAGNOSTICS
Setrange writes all diagnostic messages to stderr.
The setrange command exits with one of the following values:
0    The MAC ranges were successfully set on all specified files.
1    MAC is not supported on this system.
2    setrange could not set the MAC range on at least one of the
     specified files. This may be because the upper bound MAC
     label does not dominate the lower bound MAC label.
3    setrange usage is wrong.
SEE ALSO
getmac(1), getrange(1), macd(1M), setmac(1M), dggetomac(2),
dgsetomac(2), dgsetomaconly(2), maclibrary(3), macdefs(4M).
Licensed material--property of copyright holder(s)