Trusted Extensions Library Functions setflabel(3TSOL)
NAME
setflabel - move file to zone with corresponding sensitivity label
SYNOPSIS
cc [flag...] file... -ltsol [library...]
#include <tsol/label.h>
int setflabel(const char *path, const m_label_t *labelp);
DESCRIPTION
The file that is named by path is relabeled by moving it to
a new pathname relative to the root directory of the zone
corresponding to labelp. If the source and destination file
systems are loopback mounted from the same underlying file
system, the file is renamed. Otherwise, the file is copied
and removed from the source directory.
The setflabel() function enforces the following policy
checks:
o If the sensitivity label of labelp equals the
existing sensitivity label, then the file is not
moved.
o If the corresponding directory does not exist in
the destination zone, or if the directory exists,
but has a different label than labelp, the file is
not moved. Also, if the file already exists in the
destination directory, the file is not moved.
o If the sensitivity label of the existing file is
not equal to the calling process label and the
caller is not in the global zone, then the file is
not moved. If the caller is in the global zone, the
existing file label must be in a labeled zone (not
ADMIN_LOW or ADMIN_HIGH).
o If the calling process does not have write access
to both the source and destination directories,
then the calling process must have
PRIV_FILE_DAC_WRITE in its set of effective
privileges.
o If the sensitivity label of labelp provides read
only access to the existing sensitivity label (an
upgrade), then the user must have the
solaris.label.file.upgrade authorization. In
addition, if the current zone is a labeled zone,
then it must have been assigned the privilege
PRIV_FILE_UPGRADE_SL when the zone was configured.
SunOS 5.11 Last change: 20 Jul 2007 1
o If the sensitivity label of labelp does not
provide access to the existing sensitivity label (a
downgrade), then the calling user must have the
solaris.label.file.downgrade authorization. In
addition, if the current zone is a labeled zone,
then it must have been assigned the privilege
PRIV_FILE_DOWNGRADE_SL when the zone was configured.
o If the calling process is not in the global zone,
and the user does not have the solaris.label.range
authorization, then labelp must be within the
user's label range and within the system
accreditation range.
o If the existing file is in use (not tranquil) it is
not moved. This tranquility check does not cover
race conditions nor remote file access.
Additional policy constraints can be implemented by
customizing the shell script /etc/security/tsol/relabel. See
the comments in this file.
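The policy checks above read as a decision procedure, and the upgrade/downgrade distinction turns entirely on label dominance. The following C program is an added example written for this page; it is not code from the manual page or from libtsol, and it does not call setflabel() (which needs a Trusted Extensions system and the real m_label_t). It models a sensitivity label as a classification plus a compartment bitmask, defines "A dominates B" as classification greater-or-equal plus compartment superset, and applies the checks in the order the page lists them. The names check_relabel(), permissive_request(), relabel_req_t and the RELABEL_* codes are this example's own; ADMIN_LOW/ADMIN_HIGH, the system accreditation range, the lower bound of the user's label range and the relabel script are not modelled.

```c
/*
 * Added example for this page; not code from setflabel(3TSOL) or libtsol.
 * Models the policy checks the page lists as a pure function so the
 * upgrade/downgrade decision can be exercised without Trusted Extensions.
 * Assumptions (this example's own): a label is a classification plus a
 * compartment bitmask; "A dominates B" means A's classification >= B's
 * and A's compartments are a superset of B's; checks run in the order
 * the page lists them.  ADMIN_LOW/ADMIN_HIGH, the system accreditation
 * range and the user's minimum label are not modelled.
 */
#include <stdbool.h>
#include <stdint.h>

typedef struct {                /* model only; NOT libtsol's m_label_t   */
    int      classification;    /* e.g. 1 = CONFIDENTIAL, 2 = SECRET     */
    uint32_t compartments;      /* one bit per compartment               */
} label_t;

typedef struct {                /* everything the policy consults        */
    label_t file_label;         /* current label of the file at path     */
    label_t target_label;       /* labelp: label of the destination zone */
    label_t proc_label;         /* label of the calling process          */
    label_t user_clearance;     /* top of the user's label range         */
    bool in_global_zone;
    bool dest_dir_exists;       /* corresponding dir exists in dest zone */
    bool dest_dir_label_ok;     /* ... and it carries target_label       */
    bool dest_file_exists;      /* same name already present there       */
    bool dac_write_both;        /* DAC write to source and dest dirs     */
    bool priv_file_dac_write;   /* PRIV_FILE_DAC_WRITE in effective set  */
    bool auth_upgrade;          /* solaris.label.file.upgrade            */
    bool auth_downgrade;        /* solaris.label.file.downgrade          */
    bool auth_range;            /* solaris.label.range                   */
    bool zone_priv_upgrade;     /* PRIV_FILE_UPGRADE_SL given to zone    */
    bool zone_priv_downgrade;   /* PRIV_FILE_DOWNGRADE_SL given to zone  */
    bool file_in_use;           /* open descriptor: not tranquil         */
} relabel_req_t;

enum relabel_result {
    RELABEL_OK, RELABEL_SAME_LABEL, RELABEL_NO_DEST_DIR, RELABEL_DEST_EXISTS,
    RELABEL_PROC_LABEL_MISMATCH, RELABEL_NEED_DAC_WRITE,
    RELABEL_NEED_UPGRADE_AUTH, RELABEL_NEED_DOWNGRADE_AUTH,
    RELABEL_OUT_OF_RANGE, RELABEL_NOT_TRANQUIL
};

static bool label_equal(label_t a, label_t b)
{
    return a.classification == b.classification &&
           a.compartments == b.compartments;
}

/* a dominates b: a subject at label a may read an object at label b. */
static bool dominates(label_t a, label_t b)
{
    return a.classification >= b.classification &&
           (a.compartments & b.compartments) == b.compartments;
}

enum relabel_result check_relabel(const relabel_req_t *r)
{
    if (label_equal(r->target_label, r->file_label))
        return RELABEL_SAME_LABEL;
    if (!r->dest_dir_exists || !r->dest_dir_label_ok)
        return RELABEL_NO_DEST_DIR;
    if (r->dest_file_exists)
        return RELABEL_DEST_EXISTS;
    if (!r->in_global_zone && !label_equal(r->file_label, r->proc_label))
        return RELABEL_PROC_LABEL_MISMATCH;
    if (!r->dac_write_both && !r->priv_file_dac_write)
        return RELABEL_NEED_DAC_WRITE;
    if (dominates(r->target_label, r->file_label)) {
        /* Upgrade: the new label grants only read access to the old. */
        if (!r->auth_upgrade || (!r->in_global_zone && !r->zone_priv_upgrade))
            return RELABEL_NEED_UPGRADE_AUTH;
    } else {
        /* Downgrade: the new label grants no access to the old one.
         * An incomparable label (disjoint compartments) lands here. */
        if (!r->auth_downgrade ||
            (!r->in_global_zone && !r->zone_priv_downgrade))
            return RELABEL_NEED_DOWNGRADE_AUTH;
    }
    if (!r->in_global_zone && !r->auth_range &&
        !dominates(r->user_clearance, r->target_label))
        return RELABEL_OUT_OF_RANGE;
    if (r->file_in_use)             /* checked last, as the page lists it */
        return RELABEL_NOT_TRANQUIL;
    return RELABEL_OK;
}

/* A labeled-zone request that passes every check; flip one field at a
 * time to see which check refuses the move. */
relabel_req_t permissive_request(label_t file, label_t target)
{
    relabel_req_t r = {0};
    r.file_label = file;
    r.target_label = target;
    r.proc_label = file;                    /* process runs at the file's label */
    r.user_clearance.classification = 99;   /* top of the modelled lattice */
    r.user_clearance.compartments = 0xffffffffu;
    r.dest_dir_exists = r.dest_dir_label_ok = true;
    r.dac_write_both = true;
    r.auth_upgrade = r.auth_downgrade = true;
    r.zone_priv_upgrade = r.zone_priv_downgrade = true;
    return r;
}
```

Two things the model makes visible that the prose leaves implicit: a label that is merely incomparable to the file's current label (same classification, disjoint compartments) is treated as a downgrade, because the new label would give no access to the old one, so a move that looks lateral still needs solaris.label.file.downgrade; and the zone privileges PRIV_FILE_UPGRADE_SL and PRIV_FILE_DOWNGRADE_SL are only consulted from a labeled zone, so a global-zone caller with the authorization alone passes that check.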
RETURN VALUES
Upon successful completion, setflabel() returns 0. Otherwise
it returns -1 and sets errno to indicate the error.
ERRORS
The setflabel() function fails and the file is unchanged if:
EACCES Search permission is denied for a component
of the path prefix of path.
The calling process does not have mandatory
write access to the final component of path
because the sensitivity label of the final
component of path does not dominate the
sensitivity label of the calling process and
the calling process does not have
PRIV_FILE_MAC_WRITE in its set of effective
privileges.
EBUSY There is an open file descriptor reference
to the final component of path.
ECONNREFUSED A connection to the label daemon could not
be established.
EEXIST A file with the same name exists in the
destination directory.
EINVAL Improper parameters were received by the
label daemon.
EISDIR The existing file is a directory.
ELOOP Too many symbolic links were encountered in
translating path.
EMLINK The existing file is hardlinked to another
file.
ENAMETOOLONG The length of the path argument exceeds
PATH_MAX.
ENOENT The file referred to by path does not exist.
EROFS The file system is read-only or its label is
ADMIN_LOW or ADMIN_HIGH.
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
ATTRIBUTE TYPE          ATTRIBUTE VALUE
Interface Stability     Committed
MT-Level                MT-Safe
SEE ALSO
libtsol(3LIB), attributes(5)
Setting a File Sensitivity Label in Solaris Trusted
Extensions Developer's Guide
NOTES
The functionality described on this manual page is available
only if the system is configured with Trusted Extensions.