NAME | SYNOPSIS | DESCRIPTION | EXAMPLES | FILES | SUMMARY OF TRUSTED SOLARIS CHANGES | SEE ALSO
/etc/security/device_allocate
The device_allocate file contains mandatory access control information about each physical device. Each device is represented by a one-line entry of the form:
device-name;device-type;device-minimum;device-maximum;device-authorization;device-clean
where
device-name
This is an arbitrary text string naming the physical device. This field contains no embedded white space or non-printable characters.
device-type
This is an arbitrary text string naming the generic device type. This field identifies and groups together devices of like type. This field contains no embedded white space or non-printable characters.
device-minimum
This is the minimum sensitivity label allowed for the device special files associated with the physical device. This field is a hex label.
device-maximum
This is the maximum sensitivity label allowed for the device special files associated with the physical device. This field is a hex label.
device-authorization
This is a comma-separated list of authorization numbers required to allocate the device, or an * to indicate that the device is not allocatable, or an @ to indicate that no explicit authorization is needed to allocate the device.
device-clean
This is the physical device's data purge program to be run any time the device is acted on by allocate(1M). This is to ensure that all usable data is purged from the physical device before it is reused. This field contains the filename of a program in /etc/security/lib.
The device_allocate file is a text file that resides in the /etc/security directory. The device_allocate file should not be edited by hand. The designated administrative role uses the Add Allocatable Device action to add a device and the Device Allocation Manager Configure dialog for modifications to a device. These tools preserve the desired file permissions, owner, group, and label, and audit all changes.
Lines in device_allocate can end with a \ to continue an entry on the next line.
Comments may also be included. A # makes a comment of all further text until the next NEWLINE not immediately preceded by a \.
Leading and trailing blanks are allowed in any of the fields.
The device_allocate file must be created by the system administrator before device allocation is enabled.
The device_allocate file is owned by root, with a group of root, a mode of 0644, and a label of ADMIN_LOW.
mag_tape_0; \
    st;0x00000000000000000000000000000000000000000000000000000000000000000000; \
    0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff; \
    10;/etc/security/lib/st_clean
floppy_0;fd; \
    0x00000000000000000000000000000000000000000000000000000000000000000000; \
    0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff; \
    10;/etc/security/lib/disk_clean
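As an added example (not part of the original manual page or of any Trusted Solaris tool), the following Python reads the entry format described above, including \ continuation, # comments and blanks around fields, and reports entries that need review, without modifying the file. The function names and SAMPLE are hypothetical; it assumes that names are printable ASCII and that a device-clean value without a / is resolved under /etc/security/lib.

```python
import posixpath
import re

FIELDS = ("name", "type", "minimum", "maximum", "authorization", "clean")
CLEAN_DIR = "/etc/security/lib/"
TOKEN, LABEL = r"[!-~]+", r"0x[0-9a-fA-F]+"  # no blanks (ASCII assumed); hex label
SHAPES = {"name": TOKEN, "type": TOKEN, "minimum": LABEL, "maximum": LABEL}

def logical_lines(text):
    """Join lines ending in a backslash, then drop '#' comments and blanks."""
    buf = ""
    for raw in text.splitlines() + [""]:
        if raw.endswith("\\"):  # backslash immediately before NEWLINE
            buf += raw[:-1]
            continue
        line, buf = (buf + raw).split("#", 1)[0].strip(), ""
        if line:
            yield line

def parse_entry(line):
    """Split one logical line into its six fields, trimming blanks."""
    parts = [p.strip() for p in line.split(";")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))

def audit(entry):
    """Return findings for one parsed entry; an empty list means none."""
    found = [f"{key}: malformed" for key, shape in SHAPES.items()
             if not re.fullmatch(shape, entry[key])]
    auth = entry["authorization"]
    if auth == "@":
        found.append("authorization: '@' needs no explicit authorization")
    elif auth != "*" and not re.fullmatch(r"\d+(\s*,\s*\d+)*", auth):
        found.append("authorization: expected '*', '@' or numbers")
    # Assumption: a bare filename (no '/') is resolved under CLEAN_DIR.
    clean = posixpath.normpath(entry["clean"])
    if "/" in clean and not clean.startswith(CLEAN_DIR):
        found.append("clean: program is outside /etc/security/lib")
    return found

def audit_text(text):  # device name -> list of findings
    return {e["name"]: audit(e) for e in map(parse_entry, logical_lines(text))}

# Constructed input; labels are shortened stand-ins, not real label values.
SAMPLE = ("# constructed sample\n"
          "mag_tape_0; \\\n  st; 0x00; 0x7f; \\\n"
          "  10,11; /etc/security/lib/st_clean\n"
          "floppy_0;fd;0x00;0x7f;@;etc/security/lib/disk_clean  # relative\n")
```

Calling audit_text(SAMPLE) returns no findings for mag_tape_0 and two for floppy_0: the @ authorization and the purge program path that does not resolve under /etc/security/lib.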
Devices are labeled, and by default require authorization for allocating and deallocating.