mac_defs(4M) DG/UX B2 Security R4.12MU02 mac_defs(4M)
NAME
macdefs, maclabeldefs, macaliasdefs - mac alias definitions
DESCRIPTION
macd requires both maclabeldefs and macaliasdefs.
The maclabeldefs file defines:
1) the current MAC label type,
2) each hierarchy name, its abbreviation and value,
3) each category name, its abbreviation and value,
4) the basic system defined MAC label aliases.
The MAC label type field is reserved for future use by Data General;
its default value is 1. Hierarchy, category and alias names and
abbreviations must be unique. Hierarchy and category names must map
to unique values, but more than one MAC label alias can map to the
same MAC label.
NOTE: MAC label aliases must be unique. If they are not unique, or
if any other error is present in the MAC alias files, then
macd will fail the next time it reads these files. To ensure
that the MAC aliases are valid, either use the sysadm
functions to update these files, or use the macd -V option to
verify the files prior to invoking macd with them.
maclabeldefs file syntax is as follows:
Comments begin with a number sign (#) and end at the end of the line.
The first section defines the MAC label type and begins with *type.
The next line must contain a decimal number indicating the current
MAC label type.
The second section defines the MAC hierarchies and begins with
*hierarchy. Subsequent lines have the following format:
hier hierabbrev hiervalue
where hier is the full hierarchy name, hierabbrev is the hierarchy
name abbreviation, and hiervalue is a positive decimal number (or
zero) within the range of the currently valid hierarchies.
The following are examples of hierarchy definitions:
TOPSECRET TS 125
SECRET SEC 100
CONFIDENTIAL CONF 75
UNCLASSIFIED UNCLASS 50
The third section defines the MAC categories and begins with
*category. Subsequent lines have the following format:
cat catabbrev catvalue
where cat is the full category name, catabbrev is the category name
abbreviation, and catvalue is a positive decimal number (or zero)
within the range of the currently valid categories.
The following are examples of category definitions:
FINANCE FIN 2
MEDICAL MED 4
PERSONNEL PERS 6
ROSTER ROS 7
INS IN 21
PIPES PI 88
BOB BB 99
ANTENNAS ANTS 100
The fourth and final section defines the basic MAC label aliases and
begins with *general. Subsequent lines have the following format:
alias aliasabbrev MAClabeldefn
where alias is the full MAC label alias, aliasabbrev is the MAC
label alias abbreviation and MAClabeldefn is:
hier|alias catdefn
where catdefn is:
: catalias [ catdefn ]
:( catalias { , catalias } ) [ catdefn ]
where catalias is:
NONE
ALL
cat
The following are examples of MAC label alias definitions:
SESSIONHI SESHI TOPSECRET:ALL
SESSIONLO SESLO UNCLASSIFIED:NONE
HUMANRESOURCES HR CONFIDENTIAL:(FINANCE,MEDICAL,PERSONNEL,ROSTER)
ALIENRESOURCES AR SECRET:INS:(PIPES,BOB):ANTENNAS
where TOPSECRET, UNCLASSIFIED, CONFIDENTIAL, and SECRET are
previously defined hierarchy names, and FINANCE, MEDICAL, PERSONNEL,
ROSTER, INS, PIPES, BOB, and ANTENNAS are previously defined category
names.
NOTE: A hierarchy alias by itself is considered to be shorthand for the
MAC label definition hier:NONE. The following aliases
describe the same MAC label:
SESSIONLO
SESLO
UNCLASSIFIED:NONE
UNCLASS:NONE
UNCLASSIFIED
UNCLASS
The macaliasdefs file defines additional MAC label aliases which
are more subject to change than the definitions in maclabeldefs.
The macaliasdefs file has no labeled sections. Its syntax allows
comments and MAC label definitions.
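The following Python sketch is an added example, not Data General code and not the logic of macd -V: it parses maclabeldefs text, enforces the uniqueness rules stated above, and resolves each alias to a hierarchy value plus a set of category values. The names parse_maclabeldefs, resolve and SAMPLE are hypothetical. It assumes that names and abbreviations share one namespace across all sections and that an alias used in place of hier contributes its own categories.

```python
import re

SAMPLE = "\n".join([  # constructed sample: a subset of the page's example entries
    "*type", "1  # label type", "*hierarchy", "SECRET SEC 100", "UNCLASSIFIED UNCLASS 50",
    "*category", "INS IN 21", "PIPES PI 88", "BOB BB 99", "*general",
    "SESSIONLO SESLO UNCLASSIFIED:NONE", "ALIENRESOURCES AR SECRET:INS:(PIPES,BOB)"])

def resolve(label, hier, cat, labels):
    """Resolve 'hier|alias catdefn' to (hierarchy value, frozenset of category values)."""
    head, *groups = "".join(label.split()).split(":")
    if head not in hier and head not in labels:
        raise ValueError(f"undefined hierarchy or alias {head!r}")
    # A bare hierarchy means hier:NONE. Assumption: an alias head keeps its categories.
    level, cats = labels[head] if head in labels else (hier[head], frozenset())
    for group in groups:
        inner = re.fullmatch(r"\((.+)\)", group)
        for c in (inner.group(1).split(",") if inner else [group]):
            if c == "ALL":
                cats |= frozenset(cat.values())
            elif c in cat:
                cats |= {cat[c]}
            elif c != "NONE":
                raise ValueError(f"undefined category {c!r}")
    return level, cats

def parse_maclabeldefs(text):
    """Validate maclabeldefs text; return (hier, cat, labels) keyed by name and abbreviation."""
    hier, cat, labels = {}, {}, {}
    tables, section = {"hierarchy": hier, "category": cat, "general": labels}, None
    for n, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()          # drop the comment, split into fields
        if f and f[0].startswith("*"):
            section = f[0][1:]
        elif not f or (section == "type" and len(f) == 1 and f[0].isdecimal()):
            continue                              # blank line, or the label type number
        elif section in tables and len(f) >= 3:
            name, abbrev, rest = f[0], f[1], "".join(f[2:])
            # Assumption: names and abbreviations share one namespace across all sections.
            if {name, abbrev} & (hier.keys() | cat.keys() | labels.keys()):
                raise ValueError(f"line {n}: duplicate name or abbreviation")
            if section == "general":
                value = resolve(rest, hier, cat, labels)
            elif rest.isdecimal() and int(rest) not in tables[section].values():
                value = int(rest)
            else:
                raise ValueError(f"line {n}: bad or duplicate value {rest!r}")
            tables[section][name] = tables[section][abbrev] = value
        else:
            raise ValueError(f"line {n}: unexpected line in section {section!r}")
    return hier, cat, labels
```

Running a check like this on a candidate file before installing it complements, and does not replace, verifying the files with macd -V.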
FILES
/etc/tcb/mac/maclabeldefs MAC label definitions file
/etc/tcb/mac/macaliasdefs MAC alias definitions file
SEE ALSO
macd(1M).
NOTES AND WARNINGS
It is strongly recommended that once the system administrator has
fixed an initial version of MAC definitions in maclabeldefs and
macaliasdefs, he only add new hierarchy, category, and alias
definitions to the existing ones. It is possible to delete aliases
in macaliasdefs unconditionally. It is also possible to delete
hierarchies and categories from maclabeldefs provided you comment
them out and do not reuse the values and eliminate all references to
them. Also note that objects which have MAC labels with categories
that no longer exist are accessible only by appropriately privileged
subjects.
Licensed material--property of copyright holder(s)