settuple(1M) DG/UX B2 Security R4.12MU02 settuple(1M)
NAME
settuple - set mandatory access control (MAC) tuple
SYNOPSIS
settuple [-lqr] [-o objtype]
{[-A adminalias] [-U useralias] [-V vpalias]} [object ...]
settuple [-lqr] [-o objtype] [-i] tuplealias [object ...]
settuple [-lqr] [-o objtype] -I ifile [object ...]
settuple [-lqr] [-o objtype] [-d regionspec] [object ...]
where:
objtype The object type of the specified objects.
ifile The name of a file containing textual MAC tuple
description(s). Each line is delimited by the new-line
character and must contain at least one MAC range alias.
adminalias
The external text representation of a MAC range in the
administrative (admin) region.
useralias
The external text representation of a MAC range in the user
region.
vpalias The external text representation of a MAC range in the
virus prevention (vp) region.
tuplealias
The external text representation of a complete MAC tuple.
regionspec
A list of MAC region flags.
object The name(s) of the object(s) whose MAC tuple settuple tries
to set.
DESCRIPTION
The settuple command sets the MAC tuple on an object. A valid MAC
tuple is composed of two, four or six MAC labels, where each pair of
labels represents one MAC range of the tuple. See the descriptions
of the adminalias, useralias, vpalias and tuplealias arguments,
below, for details on the syntax of these specifications.
When a MAC tuple is set on any file object other than a directory,
the MAC label of that file object is removed, and the MAC tuple
governs MAC access to the file object. If a MAC tuple is set on a
directory, the MAC label remains and continues to govern MAC access
to the directory. In order to have both a MAC label and a MAC tuple
on a nondirectory file object, the MAC label must be placed on the
object after the MAC tuple has been placed on the object.
To remove a MAC tuple, use the setmac -d c command to convert the
object to being governed by an implicit MAC label.
The invoker must have appropriate privilege.
The adminalias, useralias, and vpalias arguments must specify a
valid MAC range alias. The MAC range alias must contain a lo and hi
MAC label alias within quotes. The MAC range alias may be specified
in any of the following ways:
"<lo MAC alias> <hi MAC alias>"
"<hi MAC alias> <lo MAC alias>"
"-L <lo MAC alias> -H <hi MAC alias>"
"-H <hi MAC alias> -L <lo MAC alias>"
If the -L and -H are omitted, the MAC aliases can be specified in
either order. The MAC alias which dominates the other will be
treated as the MAC range hi. If there is no dominance relationship
between the two MAC aliases, an error will occur. If the -L and -H
are specified, the MAC aliases will be treated as specified, with
respect to the lo and hi values. Both the lo and hi values must be
in the same MAC region or an error will occur.
If at least one of adminalias, useralias or vpalias is specified,
the MAC ranges in the specified regions will be updated but the
values of the other regions in the tuple will be unchanged. For
example, if an adminalias and a vpalias are specified, the admin
region MAC range and vp region MAC range of the tuple will be updated
accordingly, but the user region MAC range will remain unchanged.
The tuplealias argument must specify a valid MAC tuple alias. A
valid MAC tuple alias consists of one, two or three valid MAC range
aliases within quotes. There must be at most one MAC range in each
MAC region and the ranges can be specified in any order. If
tuplealias is used instead of separate region MAC ranges through the
-A, -U, or -V options, the entire MAC tuple will be replaced with the
specified alias. So, if the target has a vp region MAC range in its
MAC tuple, for example, and tuplealias contains only an admin region
and user region MAC range, the vp region range will be removed from
the target's tuple.
Options
-i Use tuplealias as the tuple to set on the object(s). The -i
option is only necessary if tuplealias begins with a hyphen
(-), such as "-L user_lo -H user_hi". In this case, the -i is
needed to prevent settuple from thinking that the "-L" in the
tuple alias is an option. If tuplealias does not begin with
a hyphen (-) the -i option can be omitted.
-A adminalias
specifies the text representation of the administrative region
MAC range for the tuple.
-U useralias
specifies the text representation of the user region MAC range
for the tuple.
-V vpalias
specifies the text representation of the virus prevention
region MAC range for the tuple.
-l If target is a symbolic link, operate on the link. The
default behavior is to operate on the object that the link
references.
-q stops settuple from writing diagnostic messages. The usage
error message is always written.
-r causes settuple to recursively descend through directory file
objects, setting the MAC tuple for each file object.
-d regionspec
causes settuple to remove the MAC range in the region(s)
specified in regionspec from the tuple of the specified
target(s). Note that you may not remove the last range in a
MAC tuple. If removing the specified ranges will leave an
empty MAC tuple, an error will occur. regionspec is a
combination of one or more of the following flags:
A Specifies the administrative region MAC range.
U Specifies the user region MAC range.
V Specifies the virus prevention region MAC range.
-o specifies the object type. If you use this option but omit
object, settuple uses the default objects listed below. The
values for objtype, the objects associated with them, and the
specification format for the objects are also listed below.
Value  Object         Format            Default
f      file           filename          Working directory (.)
p      process        pid number        Invoking process ID (0)
m      shared memory  shared memory ID  0
s      semaphore      semaphore set ID  0
q      message queue  message queue ID  0
If you omit -o and specify one or more objects, the default
object type is f (file).
Note that UNIX-domain sockets are file objects.
-I reads MAC tuple entries from the specified file (- indicates
stdin).
Each line in ifile is delimited by the newline character. The
file can contain the entire MAC tuple alias on one line, or
each line can contain a valid MAC range alias. Quotes are not
necessary in ifile.
EXAMPLES
$ settuple "vplo vphi userlo userhi" /dir1/abc
sets the MAC tuple on the file /dir1/abc to have a vp MAC range
of vplo to vphi and a user MAC range of userlo to userhi.
The file will have no admin MAC range.
$ settuple -A "-L adminlo -H adminhi" /dir1/abc
sets the admin MAC range of the MAC tuple on the file
/dir1/abc to adminlo to adminhi. The other ranges in the
tuple will be unchanged.
$ settuple -V "vplo vphi" -A "adminlo adminlo"
sets the vp MAC range of the MAC tuple of the invoking process
to vplo to vphi and the admin MAC range of the same tuple to
adminlo to adminlo. The user MAC range of the tuple will be
unchanged.
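The range alias rules and the three ways of changing a tuple (per-region update with -A/-U/-V, whole-tuple replacement with tuplealias, removal with -d), modelled in Python as an added illustration; this is not DG/UX code. The label table, the dominance rule and all function names are assumptions made for the example, since this page does not define them.

```python
# Constructed sample labels: alias -> (region flag, level, categories).
LABELS = {
    "adminlo": ("A", 10, frozenset()), "adminhi": ("A", 12, frozenset()),
    "userlo": ("U", 4, frozenset()), "userhi": ("U", 6, frozenset({"a", "b"})),
    "usera": ("U", 5, frozenset({"a"})), "userb": ("U", 5, frozenset({"b"})),
    "vplo": ("V", 1, frozenset()), "vphi": ("V", 2, frozenset()),
}

def dominates(a, b):  # assumed rule: level >= and categories are a superset
    (_, la, ca), (_, lb, cb) = LABELS[a], LABELS[b]
    return la >= lb and ca >= cb

def parse_range(alias):
    """Resolve a MAC range alias to (region, lo, hi) or raise ValueError."""
    tok = alias.split()
    if len(tok) == 4 and {tok[0], tok[2]} == {"-L", "-H"}:
        given = {tok[0]: tok[1], tok[2]: tok[3]}
        lo, hi = given["-L"], given["-H"]      # taken exactly as specified
    elif len(tok) == 2:
        a, b = tok                             # either order is accepted
        if dominates(a, b):
            lo, hi = b, a                      # the dominating alias is hi
        elif dominates(b, a):
            lo, hi = a, b
        else:
            raise ValueError("no dominance relationship between aliases")
    else:
        raise ValueError("malformed MAC range alias")
    if LABELS[lo][0] != LABELS[hi][0]:
        raise ValueError("lo and hi are in different MAC regions")
    return LABELS[lo][0], lo, hi

def update(tuple_, aliases):
    """-A/-U/-V behaviour: set the named regions, leave the others alone."""
    return {**tuple_, **{r: (lo, hi) for r, lo, hi in map(parse_range, aliases)}}

def replace(aliases):
    """tuplealias behaviour: the tuple becomes exactly these ranges."""
    ranges = [parse_range(a) for a in aliases]
    if len({r for r, _, _ in ranges}) != len(ranges):
        raise ValueError("more than one range in a MAC region")
    return {r: (lo, hi) for r, lo, hi in ranges}

def remove(tuple_, regions):
    """-d behaviour: drop the listed regions, but never the last range."""
    left = {r: v for r, v in tuple_.items() if r not in regions}
    if not left:
        raise ValueError("cannot remove the last range in a MAC tuple")
    return left
```

The practical point the model makes visible: replace() on a tuple that had a V range returns a tuple without one, which is the silent loss of the vp region described for tuplealias, while update() keeps it.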
DIAGNOSTICS
settuple writes all diagnostic messages to stderr.
The settuple command exits with one of the following values:
0 The MAC tuples were successfully set on all specified objects.
1 MAC is not supported on this system.
2 settuple could not set the MAC tuple on at least one of the
specified objects.
3 settuple usage is wrong.
SEE ALSO
getmac(1), setmac(1M), gettuple(1M), dggetomac(2), dgsetomac(2),
dgcvttoimplicit(2), dggettuple(2), dgsettuple(2), macd(1M),
maclibrary(3), macdefs(4M).
Licensed material--property of copyright holder(s)