When mounting a fixed-attribute file system, the Security Administrator role can specify security attributes on the command line with the mount(1M) command, in the vfstab_adjunct(4) file, or in the /etc/auto_master file or other autofs maps (see automount(1M)).
In the mount command, most of the keyword=value pairs used to specify security attributes with the -S option can also be specified with the -o option. If a keyword is followed by multiple values separated by commas, the keyword must be specified with the -S option because comma-separated values are not allowed after -o. Use of the -o option is preferable. For more about the security-related mount options that can be specified with the -o option, see "Mount Options Used for Protection".
Attributes specified at mount time are applied to every file and directory in the mounted file system that does not itself have the attribute. Attributes already on a file or directory are used as they are. If the file or directory does not have an attribute and none is specified at mount time, the defaults shown in Table 9-3 apply.
In fixed attribute file systems, the security attributes cannot change on an object as long as the object resides in the file system.
If, for example, the mounted file system /spare contains a file called test, no one can change the label of /spare/test. However, if /spare/test is copied into another directory such as /tmp or /export/home/secadmin, its label can be changed.
The following table shows the attributes that can be specified for a fixed attribute file system when the file system does not support the attribute, and the default values that apply if no value for the attribute is supplied.
Table 9-3 Attributes Assignable to Fixed File Systems
| Attribute | -S or -o Option Keyword to Use When Mounting | Default Values |
|---|---|---|
| MLD prefix | mld_prefix | .MLD. |
| Label Range | low_range, high_range | |
| Label | slabel= | Mounted from a CD-ROM or floppy disk: the label of the mounting process. Mounted from an NFS server: the default label of the server in the tnrhdb database. |
| Forced Privilege Set | forced= | None |
| Allowed Privilege Set | allowed= | None |
The following example shows a command line to NFS-mount a fixed attribute file system called /spare from an NFS server running the Solaris operating environment. The server is called outside. /spare is mounted with a label of INTERNAL_USE_ONLY using mount with the -S option on the command line as shown here:
$ mount -F nfs -S "slabel=INTERNAL_USE_ONLY" outside:/spare /spare