Administering Other Aspects of the Trusted Solaris Environment

This section lists other commands available for administering the Trusted Solaris operating environment.

File Management Commands

File privileges and labels can be administered either through the File Manager or the following commands:

• getfattrflag(1) - Displays a file's security attributes.

• setfattrflag(1) - Sets a file's security attributes.

• getfpriv(1) - Displays getting an executable file's forced and allowed privileges.

• setfpriv(1) - Sets an executable file's forced and allowed privileges.

• getlabel(1) - Displays getting a file's label.

• setlabel(1) - Sets a file's label.

• testfpriv(1) - Checks an executable file's forced and allowed privilege sets.

File System Management Commands

The following commands are for administering attributes on file systems.

• getfsattr(1M) - Displays the security attributes of a file system.

• getfsattr_ufs(1M) - Displays the security attributes of a UFS file system.

• setfsattr(1M) - Sets the security attributes on a file system. The file system should be unmounted first.

• newsecfs(1M) - Sets security attributes on a new file system.

Mount Management

The following commands are for mounting file systems. Check the Trusted Solaris Summary section of each man page for differences from the Solaris operating environment.

• mount(1M) - Requires the sys_mount privilege. Both mandatory and discretionary read access (or overriding privileges) are required to the mount point and the device being mounted. Depending on the configuration of the vfstab_adjunct file, the process may need some combination of the proc_setsl and proc_setclr privileges. The mount command supports mounts to multilabel directories (MLDs). It has a special option, -S which lets you specify security attributes to be associated with the file system mount (this option requires that you have sufficient clearance for the label specified).

• share_nfs(1M) - Provides these options with -S:

  • dev|nodev - Access to character and block devices is allowed or disallowed. The default is dev.

  • priv|nopriv - Forced privileges on execution are allowed or disallowed. The default is priv.

    Running share_nfs requires the following:

  • sys_nfs privilege

  • effective uid 0

  • process label of [ADMIN_LOW]

• share(1M) - Makes a resource of a specified file system type available for mounting. It requires the sys_nfs privilege.

• unshare(1M) - Makes a resource unavailable for mounting. It requires the sys_nfs privilege.

• nfsstat(1M) - Displays statistics concerning the NFS and RPC (remote procedure call) interfaces to the kernel. The Trusted Solaris version of the nfsstat command requires that you have the net_config privilege when using the -z option, which reinitializes the statistics.

• nfsd(1M) - Handles client file system requests. The Trusted Solaris version of the nfsd command requires the sys_nfs and net_mac_read privileges to run.

Process Commands

The following commands are for managing processes:

• pattr(1) - Displays the viewable Process Attribute Flags of the current process or a process specified by pid. Those flags that cannot be viewed normally can be viewed with privilege.

• pclear(1) - Displays the clearance at which the selected process is running.

• plabel(1) - Displays the CMW label (that is, combined sensitivity label and information label) for the process.

• ppriv(1) - Displays the effective privileges of a process.

• pprivtest(1) - Tests to see if the specified privileges are currently in effect.