

settuple(1M)             DG/UX B2 Security R4.12MU02            settuple(1M)


NAME
       settuple - set mandatory access control (MAC) tuple

SYNOPSIS
       settuple [-lqr] [-o objtype]
              {[-A adminalias] [-U useralias] [-V vpalias]} [object ...]

       settuple [-lqr] [-o objtype] [-i] tuplealias [object ...]

       settuple [-lqr] [-o objtype] -I ifile [object ...]

       settuple [-lqr] [-o objtype] [-d regionspec] [object ...]

   where:
       objtype   The object type of the specified objects.
       ifile     The name of a file containing textual MAC tuple
                 description(s).  Each line is delimited by the new-line
                 character and must contain at least one MAC range alias.
       adminalias
                 The external text representation of a MAC range in the
                 administrative (admin) region.
       useralias
                 The external text representation of a MAC range in the user
                 region.
       vpalias   The external text representation of a MAC range in the
                 virus prevention (vp) region.
       tuplealias
                 The external text representation of a complete MAC tuple.
       regionspec
                 A list of MAC region flags.
       object    The name(s) of the object(s) whose MAC tuple settuple tries
                 to set.

DESCRIPTION
       The settuple command sets the MAC tuple on an object.  A valid MAC
       tuple is composed of two, four or six MAC labels, where each pair of
       labels represents one MAC range of the tuple.  See the descriptions
       of the adminalias, useralias, vpalias and tuplealias arguments,
       below, for details on the syntax of these specifications.

       When a MAC tuple is set on any file object other than a directory,
       the MAC label of that file object is removed, and the MAC tuple
       governs MAC access to the file object.  If a MAC tuple is set on a
       directory, the MAC label remains and continues to govern MAC access
       to the directory.  In order to have both a MAC label and a MAC tuple
       on a nondirectory file object, the MAC label must be placed on the
       object after the MAC tuple has been placed on the object.

       To remove a MAC tuple, use the setmac -d c command to convert the
       object to being governed by an implicit MAC label.

       The invoker must have appropriate privilege.

       The adminalias, useralias, and vpalias arguments must specify a
       valid MAC range alias.  The MAC range alias must contain a lo and hi
       MAC label alias within quotes.  The MAC range alias may be specified
       in any of the following ways:
                     "<lo MAC alias> <hi MAC alias>"
                     "<hi MAC alias> <lo MAC alias>"
                     "-L <lo MAC alias> -H <hi MAC alias>"
                     "-H <hi MAC alias> -L <lo MAC alias>"

       If the -L and -H are omitted, the MAC aliases can be specified in
       either order.  The MAC alias which dominates the other will be
       treated as the MAC range hi.  If there is no dominance relationship
       between the two MAC aliases, an error will occur.  If the -L and -H
       are specified, the MAC aliases will be treated as specified, with
       respect to the lo and hi values.  Both the lo and hi values must be
       in the same MAC region or an error will occur.
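
       The ordering rules above, modelled as an added example (not DG/UX
       code).  The label table, its alias names, and the dominance rule
       (level plus category superset) are assumptions made for illustration.

```python
import shlex

# Constructed label table: alias -> (region, level, categories). These aliases
# and their contents are assumptions for the example, not DG/UX definitions.
LABELS = {
    "userlo": ("user", 1, frozenset()),
    "userhi": ("user", 3, frozenset({"a", "b"})),
    "user_a": ("user", 2, frozenset({"a"})),
    "user_b": ("user", 2, frozenset({"b"})),
    "adminlo": ("admin", 1, frozenset()),
}


def dominates(x, y):
    """Assumed rule: x dominates y if level is >= and categories a superset."""
    _, level_x, cats_x = LABELS[x]
    _, level_y, cats_y = LABELS[y]
    return level_x >= level_y and cats_x >= cats_y


def parse_range_alias(text):
    """Return (lo, hi) for a MAC range alias string, or raise ValueError."""
    words = shlex.split(text)
    if len(words) == 4 and {words[0], words[2]} == {"-L", "-H"}:
        given = {words[0]: words[1], words[2]: words[3]}
        lo, hi, ordered = given["-L"], given["-H"], True  # taken as specified
    elif len(words) == 2:
        (lo, hi), ordered = words, False  # bare form: order decided below
    else:
        raise ValueError("not a MAC range alias: %r" % text)
    for alias in (lo, hi):
        if alias not in LABELS:
            raise ValueError("unknown MAC alias: %s" % alias)
    if LABELS[lo][0] != LABELS[hi][0]:
        raise ValueError("lo and hi are in different MAC regions")
    if not ordered:
        if dominates(lo, hi):
            lo, hi = hi, lo  # the dominating alias becomes the range hi
        elif not dominates(hi, lo):
            raise ValueError("no dominance relationship: %s, %s" % (lo, hi))
    return lo, hi
```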

       If at least one of adminalias, useralias or vpalias is specified,
       the MAC ranges in the specified regions will be updated but the
       values of the other regions in the tuple will be unchanged.  For
       example, if an adminalias and a vpalias are specified, the admin
       region MAC range and vp region MAC range of the tuple will be updated
       accordingly, but the user region MAC range will remain unchanged.

       The tuplealias argument must specify a valid MAC tuple alias.  A
       valid MAC tuple alias consists of one, two or three valid MAC range
       aliases within quotes.  There must be at most one MAC range in each
       MAC region and the ranges can be specified in any order.  If
       tuplealias is used instead of separate region MAC ranges through the
       -A, -U, or -V options, the entire MAC tuple will be replaced with the
       specified alias.  So, if the target has a vp region MAC range in its
       MAC tuple, for example, and tuplealias contains only an admin region
       and user region MAC range, the vp region range will be removed from
       the target's tuple.

   Options
       -i     Use tuplealias as the tuple to set on the object(s).  The -i
              option is only necessary if tuplealias begins with a hyphen
              (-), such as "-L user_lo -H user_hi".  In this case, the -i is
              needed to prevent settuple from thinking that the "-L" in the
              tuple alias is an option.  If tuplealias does not begin with
              a hyphen (-) the -i option can be omitted.

       -A adminalias
              specifies the text representation of the administrative region
              MAC range for the tuple.

       -U useralias
              specifies the text representation of the user region MAC range
              for the tuple.

       -V vpalias
              specifies the text representation of the virus prevention
              region MAC range for the tuple.

       -l     If target is a symbolic link, operate on the link.  The
              default behavior is to operate on the object that the link
              references.

       -q     stops settuple from writing diagnostic messages.  The usage
              error message is always written.

       -r     causes settuple to recursively descend through directory file
              objects, setting the MAC tuple for each file object.

       -d regionspec
              causes settuple to remove the MAC range in the region(s)
              specified in regionspec from the tuple of the specified
              target(s).  Note that you may not remove the last range in a
              MAC tuple.  If removing the specified ranges will leave an
              empty MAC tuple, an error will occur.  regionspec is a
              combination of one or more of the following flags:
              A      Specifies the administrative region MAC range.
              U      Specifies the user region MAC range.
              V      Specifies the virus prevention region MAC range.

       -o     specifies the object type.  If you use this option but omit
              object, settuple uses the default objects listed below.  The
              values for objtype, the objects associated with them, and the
              specification format for the objects are also listed below.

              Value   Object          Format             Default
              f       file            filename           Working directory (.)
              p       process         pid number         Invoking process ID (0)
              m       shared memory   shared memory ID   0
              s       semaphore       semaphore set ID   0
              q       message queue   message queue ID   0

              If you omit -o and specify one or more objects, the default
              object type is f (file).

              Note that UNIX-domain sockets are file objects.

       -I     reads MAC tuple entries from the specified file (- indicates
              stdin).

              Each line in ifile is delimited by the newline character.  The
              file can contain the entire MAC tuple alias on one line, or
              each line can contain a valid MAC range alias.  Quotes are not
              necessary in ifile.
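
       The three ways of changing a tuple described above (-A/-U/-V,
       tuplealias, and -d), modelled as an added example (not DG/UX code)
       with a pre-flight check for regions a replacement would silently
       drop.  Function names and sample aliases are hypothetical; ranges
       are plain (lo, hi) pairs.

```python
FLAG_TO_REGION = {"A": "admin", "U": "user", "V": "vp"}
REGIONS = set(FLAG_TO_REGION.values())


def _check(ranges):
    if not ranges or set(ranges) - REGIONS:
        raise ValueError("need one to three ranges, one per MAC region")


def update_regions(current, ranges):
    """-A/-U/-V: set the named regions, leave the rest of the tuple unchanged."""
    _check(ranges)
    return {**current, **ranges}


def replace_tuple(current, tuplealias):
    """tuplealias / -i: the whole tuple is replaced by the alias."""
    _check(tuplealias)
    return dict(tuplealias)


def remove_regions(current, regionspec):
    """-d regionspec: drop the flagged regions; the last range cannot go."""
    if not regionspec or set(regionspec) - set(FLAG_TO_REGION):
        raise ValueError("regionspec must be built from A, U and V")
    drop = {FLAG_TO_REGION[flag] for flag in regionspec}
    remaining = {r: v for r, v in current.items() if r not in drop}
    if not remaining:
        raise ValueError("would leave an empty MAC tuple")
    return remaining


def regions_lost(current, new):
    """Pre-flight check: regions present now that the new tuple would lack."""
    return sorted(set(current) - set(new))


# Constructed sample: a target whose tuple has admin and vp ranges.
CURRENT = {"admin": ("adminlo", "adminhi"), "vp": ("vplo", "vphi")}
USER = {"user": ("userlo", "userhi")}
ALIAS = {"admin": ("adminlo", "adminhi"), "user": ("userlo", "userhi")}

if __name__ == "__main__":
    print(regions_lost(CURRENT, update_regions(CURRENT, USER)))  # []
    print(regions_lost(CURRENT, replace_tuple(CURRENT, ALIAS)))  # ['vp']
    print(remove_regions(CURRENT, "V"))
```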

EXAMPLES
       $ settuple "vplo vphi userlo userhi" /dir1/abc
              sets the MAC tuple on the file /dir1/abc to have a vp MAC range
              of vplo to vphi and a user MAC range of userlo to userhi.
              The file will have no admin MAC range.

       $ settuple -A "-L adminlo -H adminhi" /dir1/abc
              sets the admin MAC range of the MAC tuple on the file
              /dir1/abc to adminlo to adminhi.  The other ranges in the
              tuple will be unchanged.

       $ settuple -V "vplo vphi" -A "adminlo adminlo"
              sets the vp MAC range of the MAC tuple of the invoking process
              to vplo to vphi and the admin MAC range of the same tuple to
              adminlo to adminlo.  The user MAC range of the tuple will be
              unchanged.

DIAGNOSTICS
       settuple writes all diagnostic messages to stderr.

       The settuple command exits with one of the following values:

       0      The MAC tuples were successfully set on all specified objects.

       1      MAC is not supported on this system.

       2      settuple could not set the MAC tuple on at least one of the
              specified objects.

       3      settuple usage is wrong.

SEE ALSO
       getmac(1), setmac(1M), gettuple(1M), dggetomac(2), dgsetomac(2),
       dgcvttoimplicit(2), dggettuple(2), dgsettuple(2), macd(1M),
       maclibrary(3), macdefs(4M).


Licensed material--property of copyright holder(s)
