setfsattr(1M)

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | USAGE | EXAMPLES | EXIT STATUS | ATTRIBUTES | SEE ALSO

NAME

setfsattr, newsecfs– set security attributes on an existing or newly created file system

SYNOPSIS

/usr/sbin/setfsattr {[-l sensitivity-level-range]| [-m MLD-prefix]| [-p allowed-privilege-set]| [-P forced-privilege-set]| [-s CMW-Label]…} {special| filesystem}
/usr/sbin/newsecfs {[-l sensitivity-level-range]| [-M]| [-m MLD-prefix]| [-o newfs options]| [-p allowed-privilege-set]| [-P forced-privilege-set]| [-s CMW-Label]…} {special| filesystem}

DESCRIPTION

The setfsattr command changes the security attributes of a file system. The file system may be specified either as a filesystem or as special, the device on which the file system resides. filesystem must be in /etc/vfstab, and it must be unmounted before setfsattr is invoked on it. setfsattr requires at least one option be specified; if not, an error is returned.

newsecfs works similarly to setfsattr except that it runs newfs(1M) on the file system prior to setting the security attributes, then sets the label on the lost+found directory to [ADMIN_HIGH].

OPTIONS

-l sensitivity-level-range

Set the filesystem sensitivity level range, a semicolon-separated pair of sensitivity labels. The labels must be valid sensitivity labels for the system. The first in the pair is the minimum sensitivity label, and it must be dominated by the second label, the maximum sensitivity label. The default is ADMIN_LOW;ADMIN_HIGH.

-M

Create the root directory of the file system as a multilevel directory (MLD). This option is available only with the newsecfs command.

-m MLD-prefix

Set the file system MLD prefix. The default is ".MLD.". The MLD prefix is the string that disables multilevel directory translation in pathname lookup.

-o newfs options

Set the file system newfs options. The options must be exactly the same as those expected by the newfs(1M) command. This option is available only with newsecfs.

-p allowed-privileges

Set the file system allowed-privilege set, specified as a text-string of comma-separated privilege names. The privileges in the allowed set must include all privileges in the forced set, or the operation fails.

-P forced-privileges

Set the filesystem forced-privilege set, specified as a text string of comma-separated privilege names. All privileges in the forced set must also be in the allowed set, or the operation fails.

-s CMW-Label

Set the filesystem CMW label.

USAGE

To specify arguments that include semicolons or embedded spaces (such as for the -l and -o options), use quotes to enclose the arguments.

The newsecfs command calls the newfs command. If newfs returns an error, the newsecfs command does not set security attributes. Note that when the newfs command prompts for confirmation, a no response is not considered by newfs to be an error. Therefore, newsecfs sets security attributes on a file system when the response to the newfs confirmation prompt is no.

EXAMPLES

---

Example 1 To create a new file system with a limited label range




To create a new file system with an allowable label range of Confidential to Secret, use this command:

$ newsecfs -l 'confidential;secret' raw_device

---

EXIT STATUS

setfsattr exits with one of these values:

0

Success.

1

Failure.

ATTRIBUTES

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWtsu

SEE ALSO

Trusted Solaris 8 HW 12/02 Reference Manual

fork(2)

SunOS 5.8 Reference Manual

mkfs(1M), newfs(1M), terminfo(4), attributes(5)

SunOS 5.8  Last Revised 14 Feb 2003

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | USAGE | EXAMPLES | EXIT STATUS | ATTRIBUTES | SEE ALSO