Trusted Solaris Administrator's Procedures

Specifying Security Attributes on Files and Directories

The Trusted Solaris File Manager enables users and administrators to change permissions on files and directories. It also enables authorized users and administrators to set privileges and labels on files and directories. Authorizations are required to change privileges and labels. Additional authorizations are required when the change is outside DAC or MAC policy.

Changing Labels and Privileges

The File Manager Selected menu has a Change Labels option to set the label. A user or role that has the setlabel(1) command in one of its profiles can also change labels. The File Manager Selected menu also has a Change Privileges option to set forced and allowed privileges on executable files. Any account that has the setfpriv(1) command in one of its profiles can also change forced and allowed privileges on the command line.

The following authorizations are required in order to set privileges and labels through the File Manager Selected menu options:

The following figure shows the File Manager Selected menu when the account has the required authorizations. See "To Change Labels and Privileges With the File Manager" for how to change labels and privileges.

Figure 9-1 File Manager Selected Menu for an Authorized User

Changing File and Directory Attribute Flags

The getfattrflag(1) command gets the security attribute flags of a file or directory. The setfattrflag(1) command sets the public object flag on a file and the MLD flag on a directory.