dg_setomac_only(2) DG/UX B2 Security R4.12MU02 dg_setomac_only(2)
NAME
dgsetomaconly - set object's mandatory access control (MAC) label
without changing children's implicit label status
SYNOPSIS
#include <sys/types.h>
#include <sys/dgtparms.h>
#include <sys/mac.h>
int dgsetomaconly(targtype, targ, label, labsize, textmac, txtmacsize)
int targtype;
const void *targ;
maclabelstructt *label;
int labsize;
char *textmac;
int txtmacsize;
where:
targtype A token that identifies the type of object whose MAC
label is to be set. The available tokens are defined in
sys/dgtparms.h as follows:
TFILE The object is a file identified by a pathname.
TFD The object is a file identified by a file
descriptor.
TSYMLINK
The object is a symbolic link identified by a
pathname.
targ The address of the identifier of the object whose MAC
label is to be set. The value of targtype determines the
type of entity that targ points to as follows:
TFILE targ points to a pathname string.
TFD targ points to a file descriptor.
TSYMLINK
targ points to a pathname string.
label The address of a maclabelstructt structure that
contains the valid MAC label being set on the file.
labsize The size in bytes of the binary MAC label structure.
textmac The ASCII text version of the binary MAC label. To avoid
a stack error, the caller must supply the textmac
parameter even if the MAC label's text version does not
exist. If no text MAC label exists, the txtmacsize
parameter points to zero, and textmac is not
dereferenced.
txtmacsize The size in bytes of the text MAC label. If this
parameter is zero, dgsetomaconly assumes that there is
no text MAC label to be set.
The labsize, textmac, and txtmacsize parameters are currently unused.
DESCRIPTION
The dgsetomaconly system call sets the mandatory access control
(MAC) label for the object identified by targtype and targ to the
label pointed to by label. Unlike dgsetomac(2), if the object is a
directory, dgsetomaconly does not set explicit MAC labels on those
of the directory's children that have implicit MAC labels. Thus,
those children with implicit MAC labels will have their MAC labels
changed to the new label of the parent directory.
Warning: This function should only be used when there are no users
accessing the file system being manipulated. Although
dgsetomaconly sets the MAC label on the target directory,
the descendants that have inheritied their MAC label from
the target and are in memory will not have their labels
changed. There labels will change later when the inodes are
read into memory again from the disk, either because the old
vnodes had been flushed from memory or because the disk had
been unmounted and remounted. This function is intended for
a very specific administrative function. Data General
recommends that as well as ensuring that no users are
accessing the file system, that the file system be unmounted
and remounted prior to letting users access it.
dgsetomaconly will fail if the target is a a hidden directory.
ACCESS CONTROL
To set the MAC label of an object, the process must have appropriate
privilege.
For systems supporting the DG/UX Capability Option, appropriate
privilege is defined as having one or more specific capabilities
enabled in the effective capability set of the calling process. See
capdefaults(5) for the default capability for this system call. On
systems without the Capability Option, appropriate privilege means
that the process has an effective UID of root. See the
appropriateprivilege(5) man page for more information.
To set the MAC label of the object, a process must have MAC write
access to the new label.
Refer to Managing Security on the DG/UX System for more information
on MAC labels.
RETURN VALUE
0 Successful completion.
-1 An error occurred. errno is set to indicate the error.
EXCEPTIONS
Errno may be set to one of the following error codes:
EINVAL The MAC label pointed to by label was invalid.
ENOENT The file does not exist.
EROFS The file resides on a read-only file system.
ENAMETOOLONG A component of the pathname exceeds the length limit
for filenames.
EFAULT The label parameter specified an area of memory not
accessible to the calling process.
ENOMEM The operating system was unable to allocate internal
memory to process the system call.
EPERM The caller did not have appropriate privilege.
ENOSYS MAC is not configured on the system.
EACCES The caller does not have the required access rights to
the object.
EOPNOTSUPP This operation is not supported on the targtype or
targ is a hidden directory.
EBUSY The file object named by path is currently in use by
another process.
SEE ALSO
dggetomac(2), dgsetomac(2), dgsettmpomac(2), capdefaults(5),
macdefs(5).
Licensed material--property of copyright holder(s)