Go to main content

man pages section 8: System Administration Commands

Exit Print View

Updated: Thursday, June 13, 2019
 
 

labeladm(8)

Name

labeladm - administer Trusted Extensions security labeling services

Synopsis

labeladm
labeladm info
labeladm enable [-n | -fim | -fr] [
-q]
labeladm disable [-n | -fim | -fr] [
-q]
labeladm encodings [<label-encodings-file>]

Description

labeladm controls the labeling services which are provided by the Trusted Extensions feature.

With no parameters, the default subcommand is info. The info subcommand displays details about the status of labeling services and labeling properties.

The enable and disable subcommands respectively enable and disable Trusted Extensions security labeling services. These subcommands first set the system to an appropriate state before changing labeling status. The enabling and disabling operations each occurs asynchronously, and the labeladm command returns before enabling or disabling is complete.

The following describes default enable and disable behavior and does not apply when the –r (apply on reboot) option is used. All smf(7) milestone services are temporarily disabled. Note that this will halt any running zones, and halt all console and network services and close related connections. In addition, for the disable subcommand only, all unmountable zfs file systems are force unmounted to be sure that labeled data is no longer being accessed. After the enable or disable operation itself is complete, all zfs file systems are mounted as needed, and all milestone services are re-enabled. Zones are booted during this process (see zones(7) for autobooting details). For these reasons, enabling or disabling will be expected to take up to several minutes.

Zones may exist across enabling or disabling. After enabling labeling, existing non-labeled zones will not be usable unless they are first configured as labeled zones. Refer to tncfg(8).

After disabling labeling, labeled zones will not be usable, and labeled zone datasets and other labeled datasets will not be mountable. Any previous non-labeled zones may be used again after disabling labeling.

The enable and disable subcommands are interactive by default, requiring confirmation in order to perform the requested operation. The –f option overrides this to make the command non-interactive.

The encodings subcommand gets or sets the effective label-encodings file. With no argument, the effective encodings file name is displayed. Otherwise, the specified file is used to set the effective encodings file. The specified file is verified using chk_encodings(8). It is then copied to a system directory with a unique name. The labeladm info subcommand also shows the active encodings file name. If the encodings subcommand has never been used to make a valid setting, then the system default encodings file is used. The labeld service is automatically restarted to make a new setting effective.

Enabling or disabling Trusted Extensions, or changing its properties (such as the effective encodings file), can only be done by a user or role with the solaris.smf.manage.labels authorization. For example, a user or role that has either the Information Security or Object Label Management Rights Profile.

Options

The following options are supported:

–f

Force mode – Perform enable or disable without some checks. For example, checking for current state and operation in progress. Use this option with caution.

–i

Non-interactive mode – Without this option, the user is prompted to confirm the enable or disable request.

–n

Test only – No changes are made. If any potential problems are detected, an error value is returned and error messages are displayed if –q is not used.

–m

Send completion success or error message to syslog and console. Note that for some errors where labeladm does not complete gracefully, a syslog message can be generated regardless of this option.

–q

Quiet – No command-line messages will be generated. If this option is used, then the –i option is also assumed.

–r

Enabling or disabling will not be effective until the system is rebooted. Zones and system services are not affected except for normal boot processing.

Exit Status

The following exit values are returned:

0

Successful completion. For enable and disable subcommands, the operation has begun successfully and will continue asynchronously.

1

An error occurred.

2

Invalid usage.

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE
ATTRIBUTE VALUE
Availability
system/trusted
Interface Stability
The invocation and subcommands are committed. Output is Not-an-Interface.

See Also

is_system_labeled(3C), labels(7), trusted_extensions(7), chk_encodings(8), labeld(8), tncfg(8)

Trusted Extensions Configuration and Administration