setflabel man page on SunOS


setflabel(3TSOL)     Trusted Extensions Library Functions     setflabel(3TSOL)

NAME
       setflabel - move file to zone with corresponding sensitivity label

SYNOPSIS
       cc [flag...] file... -ltsol [library...]

       #include <tsol/label.h>

       int setflabel(const char *path, const m_label_t *label_p);

DESCRIPTION
       The file that is named by path is relabeled by moving it to a new
       pathname relative to the root directory of the zone corresponding to
       label_p. If the source and destination file systems are loopback
       mounted from the same underlying file system, the file is renamed.
       Otherwise, the file is copied and removed from the source directory.

       The setflabel() function enforces the following policy checks:

           o      If the sensitivity label of label_p equals the existing
                  sensitivity label, then the file is not moved.

           o      If the corresponding directory does not exist in the
                  destination zone, or if the directory exists, but has a
                  different label than label_p, the file is not moved. Also,
                  if the file already exists in the destination directory,
                  the file is not moved.

           o      If the sensitivity label of the existing file is not equal
                  to the calling process label and the caller is not in the
                  global zone, then the file is not moved. If the caller is
                  in the global zone, the existing file label must be in a
                  labeled zone (not ADMIN_LOW or ADMIN_HIGH).

           o      If the calling process does not have write access to both
                  the source and destination directories, then the calling
                  process must have PRIV_FILE_DAC_WRITE in its set of
                  effective privileges.

           o      If the sensitivity label of label_p provides read only
                  access to the existing sensitivity label (an upgrade), then
                  the user must have the solaris.label.file.upgrade
                  authorization. In addition, if the current zone is a
                  labeled zone, then it must have been assigned the privilege
                  PRIV_FILE_UPGRADE_SL when the zone was configured.

           o      If the sensitivity label of label_p does not provide access
                  to the existing sensitivity label (a downgrade), then the
                  calling user must have the solaris.label.file.downgrade
                  authorization. In addition, if the current zone is a
                  labeled zone, then it must have been assigned the privilege
                  PRIV_FILE_DOWNGRADE_SL when the zone was configured.

           o      If the calling process is not in the global zone, and the
                  user does not have the solaris.label.range authorization,
                  then label_p must be within the user's label range and
                  within the system accreditation range.

           o      If the existing file is in use (not tranquil) it is not
                  moved. This tranquility check does not cover race
                  conditions nor remote file access.

       Additional policy constraints can be  implemented  by  customizing  the
       shell script /etc/security/tsol/relabel. See the comments in this file.

RETURN VALUES
       Upon successful completion, setflabel() returns 0. Otherwise it returns
       -1 and sets errno to indicate the error.

ERRORS
       The setflabel() function fails and the file is unchanged if:

       EACCES          Search permission is denied for a component of the path
                       prefix of path.

                       The calling process does not have mandatory write
                       access to the final component of path because the
                       sensitivity label of the final component of path does
                       not dominate the sensitivity label of the calling
                       process and the calling process does not have
                       PRIV_FILE_MAC_WRITE in its set of effective privileges.

       EBUSY           There is an open file descriptor reference to the final
                       component of path.

       ECONNREFUSED    A connection to the label daemon could not be
                       established.

       EEXIST          A file with the same name exists in the destination
                       directory.

       EINVAL          Improper parameters were received by the label daemon.

       EISDIR          The existing file is a directory.

       ELOOP           Too many symbolic links were encountered in translating
                       path.

       EMLINK          The existing file is hardlinked to another file.

       ENAMETOOLONG    The length of the path argument exceeds PATH_MAX.

       ENOENT          The file referred to by path does not exist.

       EROFS           The file system is read-only or its label is ADMIN_LOW
                       or ADMIN_HIGH.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌───────────────────────┬───────────────────────────────────┐
       │    ATTRIBUTE TYPE     │          ATTRIBUTE VALUE          │
       ├───────────────────────┼───────────────────────────────────┤
       │Interface Stability    │ Committed                         │
       ├───────────────────────┼───────────────────────────────────┤
       │MT-Level               │ MT-Safe                           │
       └───────────────────────┴───────────────────────────────────┘

SEE ALSO
       libtsol(3LIB), attributes(5)

       Setting a File Sensitivity Label in Solaris Trusted Extensions
       Developer's Guide

NOTES
       The functionality described on this manual page is  available  only  if
       the system is configured with Trusted Extensions.

SunOS 5.10                        20 Jul 2007                 setflabel(3TSOL)