⇒ dg_setomac_only(2) — DG/UX R4.11MU05

dg_setomac_only(2)       DG/UX B2 Security R4.12MU02      dg_setomac_only(2)


NAME
       dg_setomac_only - set object's mandatory access control (MAC) label
       without changing children's implicit label status

SYNOPSIS
       #include <sys/types.h>
       #include <sys/dgtparms.h>
       #include <sys/mac.h>

       int dg_setomac_only(targtype, targ, label, labsize, textmac, txtmacsize)
       int                targtype;
       const void         *targ;
       maclabelstructt *label;
       int                labsize;
       char               *textmac;
       int                txtmacsize;

   where:
       targtype    A token that identifies the type of object whose MAC
                   label is to be set.  The available tokens are defined in
                   sys/dgtparms.h as follows:
                      TFILE  The object is a file identified by a pathname.
                      TFD    The object is a file identified by a file
                              descriptor.
                      TSYMLINK
                              The object is a symbolic link identified by a
                              pathname.

       targ        The address of the identifier of the object whose MAC
                   label is to be set.  The value of targtype determines the
                   type of entity that targ points to as follows:
                      TFILE  targ points to a pathname string.
                      TFD    targ points to a file descriptor.
                      TSYMLINK
                              targ points to a pathname string.

       label       The address of a maclabelstructt structure that
                   contains the valid MAC label being set on the file.

       labsize     The size in bytes of the binary MAC label structure.

       textmac     The ASCII text version of the binary MAC label.  To avoid
                   a stack error, the caller must supply the textmac
                   parameter even if the MAC label's text version does not
                   exist.  If no text MAC label exists, the txtmacsize
                   parameter points to zero, and textmac is not
                   dereferenced.

       txtmacsize  The size in bytes of the text MAC label.  If this
                   parameter is zero, dg_setomac_only assumes that there is
                   no text MAC label to be set.

       The labsize, textmac, and txtmacsize parameters are currently unused.

DESCRIPTION
       The dg_setomac_only system call sets the mandatory access control
       (MAC) label for the object identified by targtype and targ to the
       label pointed to by label.  Unlike dgsetomac(2), if the object is a
       directory, dg_setomac_only does not set explicit MAC labels on those
       of the directory's children that have implicit MAC labels.  Thus,
       those children with implicit MAC labels will have their MAC labels
       changed to the new label of the parent directory.

       Warning: This function should only be used when there are no users
                accessing the file system being manipulated.  Although
                dg_setomac_only sets the MAC label on the target directory,
                the descendants that have inherited their MAC label from
                the target and are in memory will not have their labels
                changed.  Their labels will change later when the inodes are
                read into memory again from the disk, either because the old
                vnodes had been flushed from memory or because the disk had
                been unmounted and remounted.  This function is intended for
                a very specific administrative function.  Data General
                recommends that, as well as ensuring that no users are
                accessing the file system, the file system be unmounted
                and remounted prior to letting users access it.

       dg_setomac_only will fail if the target is a hidden directory.
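
The toy model below is an added illustration, not DG/UX code and not part of the original manual page. It uses integer labels and a three-node tree (all names hypothetical) to show why a descendant already in memory keeps its old label after dg_setomac_only until a remount. It assumes that dg_setomac pins implicit children to their previous label.

```c
#include <stdio.h>
/* Toy model (constructed): labels are ints, the tree is a fixed array. */
enum { NNODES = 3, ROOT = 0, DIR = 1, CHILD = 2 };
static struct node {
    int parent;      /* index of parent, -1 for the root */
    int explicit_;   /* 1 = node stores its own label on disk */
    int disk_label;  /* meaningful only when explicit_ is set */
    int cached;      /* 1 = an in-memory vnode holds a resolved label */
    int mem_label;
} fs[NNODES];
static void model_reset(void) {
    fs[ROOT]  = (struct node){-1,   1, 10, 0, 0};
    fs[DIR]   = (struct node){ROOT, 1, 20, 0, 0};
    fs[CHILD] = (struct node){DIR,  0,  0, 0, 0};  /* implicit label */
}
/* Label as stored on disk: the nearest explicit ancestor wins. */
static int disk_effective(int i) {
    while (!fs[i].explicit_) i = fs[i].parent;
    return fs[i].disk_label;
}
/* Label a MAC check would see: resolved once, then served from memory. */
static int seen_label(int i) {
    if (!fs[i].cached) { fs[i].mem_label = disk_effective(i); fs[i].cached = 1; }
    return fs[i].mem_label;
}
/* Relabel the target only; cached descendants are left untouched. */
static void model_setomac_only(int dir, int label) {
    fs[dir].explicit_ = 1; fs[dir].disk_label = label;
    fs[dir].cached = 1;    fs[dir].mem_label = label;
}
/* Assumed dg_setomac behaviour: pin implicit children to their old label. */
static void model_setomac(int dir, int label) {
    for (int i = 0; i < NNODES; i++)
        if (fs[i].parent == dir && !fs[i].explicit_) {
            fs[i].disk_label = disk_effective(i); fs[i].explicit_ = 1;
        }
    model_setomac_only(dir, label);
}
static void model_remount(void) { for (int i = 0; i < NNODES; i++) fs[i].cached = 0; }
int main(void) {
    model_reset(); seen_label(CHILD);            /* child is now in memory */
    model_setomac_only(DIR, 30);
    printf("stale=%d disk=%d\n", seen_label(CHILD), disk_effective(CHILD));
    model_remount();
    printf("after remount=%d\n", seen_label(CHILD));
    model_reset(); model_setomac(DIR, 30); model_remount();
    printf("dg_setomac model: child=%d\n", seen_label(CHILD));
    return 0;
}
```

Between the relabel and the remount, access decisions on the cached child are made against a label that no longer matches the disk, which is the window the warning tells administrators to close.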

ACCESS CONTROL
       To set the MAC label of an object, the process must have appropriate
       privilege.

       For systems supporting the DG/UX Capability Option, appropriate
       privilege is defined as having one or more specific capabilities
       enabled in the effective capability set of the calling process.  See
       capdefaults(5) for the default capability for this system call.  On
       systems without the Capability Option, appropriate privilege means
       that the process has an effective UID of root. See the
       appropriateprivilege(5) man page for more information.

       To set the MAC label of the object, a process must have MAC write
       access to the new label.

       Refer to Managing Security on the DG/UX System for more information
       on MAC labels.

RETURN VALUE
       0      Successful completion.
       -1     An error occurred.  errno is set to indicate the error.

EXCEPTIONS
       Errno may be set to one of the following error codes:

       EINVAL        The MAC label pointed to by label was invalid.

       ENOENT        The file does not exist.

       EROFS         The file resides on a read-only file system.

       ENAMETOOLONG  A component of the pathname exceeds the length limit
                     for filenames.

       EFAULT        The label parameter specified an area of memory not
                     accessible to the calling process.

       ENOMEM        The operating system was unable to allocate internal
                     memory to process the system call.

       EPERM         The caller did not have appropriate privilege.

       ENOSYS        MAC is not configured on the system.

       EACCES        The caller does not have the required access rights to
                     the object.

       EOPNOTSUPP    This operation is not supported on the targtype or
                     targ is a hidden directory.

       EBUSY         The file object named by path is currently in use by
                     another process.

SEE ALSO
       dggetomac(2), dgsetomac(2), dgsettmpomac(2), capdefaults(5),
       macdefs(5).


Licensed material--property of copyright holder(s)
