MAC Security Attributes
The tsolinfo(4) file contains entries associated with package objects that require special security attributes. If a package object does not have any tsolinfo entries associated with it, it is assigned a default set of security attributes derived from the file system where the package is finally installed. This file can contain one or more entries per package object in the following format, where all fields in the format are required for each entry.
attribute_name object_name attribute_value
Here is a list of possible attribute names, what they mean, and how to specify them.
|
Attribute Name |
Description |
Attribute Value |
|---|---|---|
|
forced_privs |
Package object forced privileges |
Comma-separated list of privileges. |
|
allowed_privs |
Package object allowed privileges |
Comma-separated list of privileges. |
|
public |
Package object is public. |
No attribute value. |
|
mld |
Package object is a multilevel directory |
No attribute value |
The following example tsolinfo(4) file entries specify security attributes for the sendmail(1M) package objects.
|
Attribute Name |
Package Object Name |
Attribute value |
|---|---|---|
|
mld |
var/spool.mail |
|
|
mld |
var/mail |
|
|
mld |
var/tmp |
|
|
allowed_privs |
usr/lib/sendmail |
all |
|
forced_privs |
usr/lib/sendmail |
file_mac_write |
|
label |
etc/security/tsol |
[admin_high] |
Description
-
The var/spool/mail, var/mail, and var/tmp package objects are multilevel directories. The MLD attribute has no attribute values.
-
The /usr/lib/sendmail object has All system privileges in its allowed privilege set.
-
The /usr/lib/sendmail object has a comma-separated list of privileges in its forced set.
-
The etc/security/tsol file has a CMW label in brackets, ADMIN_HIGH.
- © 2010, Oracle Corporation and/or its affiliates