File Formats device_allocate(4)
NAME
device_allocate - device_allocate file
SYNOPSIS
/etc/security/device_allocate
DESCRIPTION
The device_allocate file is an ASCII file that resides in
the /etc/security directory. It contains mandatory access
control information about each physical device. Each device
is represented by a one-line entry of the form:
device-name;device-type;reserved1;reserved2;auths;device-exec
where:
device-name
Represents an arbitrary ASCII string naming the physical
device. This field contains no embedded white space or
non-printable characters.
device-type
Represents an arbitrary ASCII string naming the generic
device type. This field identifies and groups together
devices of like type. This field contains no embedded
white space or non-printable characters. The following
types of devices are currently managed by the system:
audio, sr (represents CDROM drives), fd (represents
floppy drives), st (represents tape drives), rmdisk
(removable media devices).
reserved1
On systems configured with Trusted Extensions, this
field stores a colon-separated (:) list of key-value
pairs that describe device allocation attributes used in
Trusted Extensions. Zero or more keys can be specified.
The following keys are currently interpreted by Trusted
Extensions systems:
minlabel
Specifies the minimum label at which device can be
allocated. Default value is admin_low.
SunOS 5.11 Last change: 12 May 2008 1
maxlabel
Specifies the maximum label at which device can be
allocated. Default value is admin_high.
zone
Specifies the name of the zone in which device is
currently allocated.
class
Specifies a logical grouping of devices. For example,
all Sun Ray devices of all device types. There
is no default class.
xdpy
Specifies the X display name. This is used to identify
devices associated with that X session. There
is no default xdpy value.
reserved2
Represents a field reserved for future use.
auths
Represents a field that contains a comma-separated list
of authorizations required to allocate the device, an
asterisk (*) to indicate that the device is not allocatable,
or an '@' symbol to indicate that no explicit
authorization is needed to allocate the device. The
default authorization is solaris.device.allocate. See
auths(1).
device-exec
The physical device's data clean program to be run any
time the device is acted on by allocate(1). This ensures
that unmanaged data does not remain in the physical device
between uses. This field contains the filename of a
program in /etc/security/lib or the full pathname of a
cleanup script provided by the system administrator.
Notes on device_allocate
The device_allocate file is an ASCII file that resides in
the /etc/security directory.
Lines in deviceallocate can end with a `\' to continue an
entry on the next line.
Comments can also be included. A `#' makes a comment of all
further text until the next NEWLINE not immediately preceded
by a `\'.
White space is allowed in any field.
The device_allocate file must be created by the system
administrator before device allocation is enabled.
The device_allocate file is owned by root, with a group of
sys, and a mode of 0644.
EXAMPLES
Example 1 Declaring an Allocatable Device
Declare that physical device st0 is a type st. st is allocatable,
and the script used to clean the device after running
deallocate(1) is named /etc/security/lib/st_clean.
# scsi tape
st0;\
st;\
reserved;\
reserved;\
solaris.device.allocate;\
/etc/security/lib/st_clean
Example 2 Declaring an Allocatable Device with Authorizations
Declare that physical device fd0 is of type fd. fd is allocatable
by users with the solaris.device.allocate authorization,
and the script used to clean the device after running
deallocate(1) is named /etc/security/lib/fd_clean.
# floppy drive
fd0;\
fd;\
reserved;\
reserved;\
solaris.device.allocate;\
/etc/security/lib/fd_clean
Making a device allocatable means that you need to allocate
and deallocate it to use it (with allocate(1) and deallocate(1)).
If a device is not allocatable, there is an asterisk (*)
in the auths field, and no one can use the device.
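The following is an added example, not part of the original man page or of Solaris: a Python reader for this file format that applies the continuation and comment rules from the notes above and reports entries whose auths or device-exec fields deserve an administrator's attention. The function names, the finding strings and the audio0 and sr0 sample entries are constructed for illustration; the st0 entry is modelled on Example 1.

```python
import re

FIELDS = ("name", "type", "reserved1", "reserved2", "auths", "device_exec")

# Constructed sample: the st0 entry mirrors Example 1; the other two are made up.
SAMPLE = r"""# scsi tape
st0;\
 st;\
 reserved;\
 reserved;\
 solaris.device.allocate;\
 /etc/security/lib/st_clean
audio0;audio;reserved;reserved;@;/opt/site/audio_wipe  # site script
sr0;sr;reserved;reserved;*;
"""

def parse(text):
    """Return one dict per entry, honouring '\\' continuations and '#' comments."""
    entries = []
    # Join continued lines first, so a comment ends only at a NEWLINE that is
    # not immediately preceded by a backslash.
    for line in re.sub(r"\\\n", "", text).split("\n"):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # Assumption: white space around a field is not significant.
        parts = [p.strip() for p in line.split(";")]
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        entries.append(dict(zip(FIELDS, parts)))
    return entries

def review(entry):
    """List the points an administrator would want to look at for one entry."""
    findings = []
    if entry["auths"] == "*":
        findings.append("not allocatable")
    elif entry["auths"] == "@":
        findings.append("no authorization required")
    elif not all(a.strip() for a in entry["auths"].split(",")):
        findings.append("empty item in auths list")
    exe = entry["device_exec"]
    if not exe:
        findings.append("no device-clean program")
    elif exe.startswith("/") and not exe.startswith("/etc/security/lib/"):
        findings.append("clean script outside /etc/security/lib")
    return findings

if __name__ == "__main__":
    for e in parse(SAMPLE):
        print(e["name"], review(e) or "ok")
```
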
FILES
/etc/security/device_allocate
Contains list of allocatable devices
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE ATTRIBUTE VALUE
Interface Stability Uncommitted
SEE ALSO
auths(1), allocate(1), bsmconv(1M), deallocate(1),
list_devices(1), auth_attr(4), attributes(5)
NOTES
The functionality described in this man page is available
only if Solaris Auditing has been enabled. See bsmconv(1M)
for more information.
On systems configured with Trusted Extensions, the functionality
is enabled by default. On such systems, the
device_allocate file is updated automatically by the system.