dg_cvt_to_implicit(2) DG/UX B2 Security R4.12MU02 dg_cvt_to_implicit(2)
NAME
dg_cvt_to_implicit - convert the mandatory access control (MAC) label
of the file object from explicit to implicit
SYNOPSIS
#include <sys/types.h>
#include <sys/dgtparms.h>
#include <sys/mac.h>
int dg_cvt_to_implicit(targtype, targ)
int targtype;
const void *targ;
where:
targtype  A token that identifies the type of object whose explicit
          MAC label is to be converted to implicit. The available
          tokens are defined in sys/dgtparms.h as follows:
          TFILE     The object is a file identified by a pathname.
          TSYMLINK  The object is a symbolic link identified by a
                    pathname.
targ      The address of the identifier of the object whose explicit
          MAC label is to be converted to implicit. The value of
          targtype determines the type of entity that targ points
          to as follows:
          TFILE     targ points to a pathname string.
          TSYMLINK  targ points to a pathname string.
DESCRIPTION
The dg_cvt_to_implicit system call converts an explicit mandatory
access control (MAC) label to an implicit MAC label. Note that this
causes the file to inherit its MAC label, and thus may cause the
label to change.
ACCESS CONTROL
To convert the MAC label of an object to be implicit, the process
must have appropriate privilege.
For systems supporting the DG/UX Capability Option, appropriate
privilege is defined as having one or more specific capabilities
enabled in the effective capability set of the calling process. See
capdefaults(5) for the default capability for this system call. On
systems without the Capability Option, appropriate privilege means
that the process has an effective UID of root. See the
appropriateprivilege(5) man page for more information.
To set the MAC label of an object, the process must have MAC write
access to the new label. The process must also have MAC read access
to the file's parent directory, and have search access to the file's
parent directory path.
RETURN VALUE
0 Successful completion.
-1 An error occurred. errno is set to indicate the error.
ERRORS
errno may be set to one of the following error codes:
ENOENT        The caller does not have sufficient privilege or the
              file does not exist.
ENAMETOOLONG  A component of the pathname pointed at by targ exceeds
              the length limit for filenames.
EFAULT        One of the parameters specified an area of memory not
              accessible to the calling process.
ENOMEM        The operating system was unable to allocate sufficient
              internal memory to process the system call.
EMLINK        The target was not a directory, and it had more than
              one link.
EINVAL        Invalid parameter passed.
EOPNOTSUPP    The operation is not supported for the specified
              targtype or object.
ENOSYS        The system is not configured for MAC.
EPERM         The caller does not have appropriate privilege.
EACCES        The caller does not have the required access rights to
              the object.
EBUSY         The file object named by path is currently in use by
              another process.
SEE ALSO
dggetomac(1M), dgsetomac(2), dgsettmpomac(2), dgsetomaconly(2),
capdefaults(5), macdefs(5).
NOTES
Any nondirectory file system object that has more than a single link
to it must have an explicit label. Otherwise, it would be possible
for the file to inherit a different MAC label based upon the path to
the object. Directories always have more than one link to them from
their children, but the DG/UX operating system does not allow more
than a single nonchild link to a directory.
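The link rule above, and the EMLINK error it produces, can be anticipated with a portable lstat() test before the call is made. This is an added example, not part of the DG/UX manual or source; implicit_label_check, touch and demo_link_rule are hypothetical names, and the scratch files are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not a DG/UX interface). Returns 0 if the link rule
 * permits an implicit label, EMLINK for a nondirectory with more than one
 * link, else the errno from lstat(). lstat() judges a symbolic link itself,
 * not its target. Advisory only: a link can be added after this check, so
 * the caller must still handle EMLINK from the system call. */
int implicit_label_check(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return errno;
    if (!S_ISDIR(st.st_mode) && st.st_nlink > 1)
        return EMLINK;
    return 0;
}

static int touch(const char *path)   /* create an empty file, 0 on success */
{
    FILE *f = fopen(path, "w");
    return f ? fclose(f) : -1;
}

/* Constructed scenario in a scratch directory. Returns 1 if every check
 * gives the expected answer, 0 if not, -1 if setup failed. */
int demo_link_rule(void)
{
    char dir[] = "/tmp/implicit_demo_XXXXXX", one[64], two[64], alias[64];
    int ok;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(one, sizeof one, "%s/one", dir);
    snprintf(two, sizeof two, "%s/two", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);
    if (touch(one) != 0 || touch(two) != 0 || link(two, alias) != 0)
        return -1;
    ok = implicit_label_check(one) == 0          /* single link */
      && implicit_label_check(two) == EMLINK     /* two names, one object */
      && implicit_label_check(alias) == EMLINK
      && implicit_label_check(dir) == 0;         /* directories are exempt */
    unlink(alias);
    ok = ok && implicit_label_check(two) == 0;   /* back to a single link */
    unlink(one); unlink(two); rmdir(dir);
    return ok;
}

int main(void) { return demo_link_rule() == 1 ? 0 : 1; }
```

The same test is useful as an audit: any nondirectory for which it returns EMLINK is an object that must keep an explicit label.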
Licensed material--property of copyright holder(s)