labelcfg(8) man page - 윈디하나의 솔라나라


System Administration Commands                                     labelcfg(8)



NAME
       labelcfg - create and modify label encodings

SYNOPSIS
       labelcfg [-e encoding_file] [-f command_file] [subcommand]...


       labelcfg help

DESCRIPTION
       Labels are used to implement hierarchical and disjoint mandatory access
       policies. The labelcfg  utility  specifies  the  relationships  between
       labels by assigning attributes to their components known as classifica‐
       tions and compartments. Each label consists of a single  classification
       and  an  optional set of compartments. Together these relationships are
       referred to as the label encodings.


       Classifications are ordered by assigning integer values known  as  lev‐
       els.  By  default  labelcfg assigns the next available level when a new
       classification is added, so it is recommended that classifications  are
       added  starting  at  the  lowest  level.  However,  levels  can also be
       assigned explicitly and classifications can be subsequently reordered.


       Compartments are initially unordered. Hierarchies can be  specified  by
       naming  other  compartments  as subcompartments. Disjoint relationships
       can be specified by naming other compartments as conflicts.


       Compartments can also be assigned  as  subcompartments  of  classifica‐
       tions.  In that case, specifying the classification implicitly includes
       its subcompartments.


       These policy constraints restrict how classifications and  compartments
       can be combined to form valid labels. However, the constraints must not
       preclude the formation of a valid label that dominates  all  the  other
       valid  labels.  The  labelcfg  utility validates user inputs to prevent
       creating an invalid encodings file.


       If the encodings file does not exist, then a new empty file is  created
       from  the  file  label_encodings_template.  At least one classification
       must be added before it can be saved.

   Properties
       Property values can be simple strings, or comma-separated lists of sim‐
       ple  strings.  Simple  strings  containing  white  space must be double
       quoted. An equal sign (=) is required between the property and its val‐
       ues.


       The following properties apply to the entire encodings:

       title             An  arbitrary  title  which is stored as a comment in
                         the labeling encodings file.


       min_label         The default minimum label  for  users.  When  Trusted
                         Extensions  is  not  enabled, this property specifies
                         the lowest label to which authorized users may  down‐
                         grade  their files. In this case, the value ADMIN_LOW
                         is recommended.


       clearance         The  default  clearance  for  users.  Unless  Trusted
                         Extensions  is enabled, the value ADMIN_HIGH disables
                         enforcement of the  labeling  policy  for  all  users
                         unless  they  have  been explicitly assigned a clear‐
                         ance.


       classification    Used to add a new  classification  or  to  select  or
                         remove an existing classification.


       compartment       Used  to add a new compartment or to select or remove
                         an existing compartment.



       The following properties apply to the  currently  selected  classifica‐
       tion:

       name               The  required  full name for a classification. Names
                          may consist of multiple words in which  case  double
                          quotes are required.


       shortname          An  optional  short name for a classification. Names
                          may consist of multiple words in which  case  double
                          quotes are required.


       level              An integer representing the sensitivity of a classi‐
                          fication level. The lowest value is 1.  The  highest
                          value  in  the default template is 100. The level is
                          set automatically to the next available value when a
                          classification is created.


       nextclass          The  name  of the classification that is immediately
                          above the current classification. This  property  is
                          set  automatically,  but  can be used to reorder the
                          current classification.


       prevclass          The name of the classification that  is  immediately
                          lower than the current classification. This property
                          is set automatically, but can be used to reorder the
                          current classification.


       subcompartments    An  optional  list of compartments that are included
                          by the current classification.


       valid              An optional list consisting of sets  of  compartment
                          combinations that can be used together with the cur‐
                          rent classification when assigning labels to users.


       invalid            An optional list consisting of sets  of  compartment
                          combinations  that  cannot be used together with the
                          current  classification  when  assigning  labels  to
                          users.  An  asterisk  (*)  specifies that all labels
                          with the current classification are invalid.



       Setting either the valid or invalid property clears the other property.


       The following properties apply to the currently selected compartment:

       name               The required full name for a compartment. Names  may
                          consist  of  multiple  words  in  which  case double
                          quotes are required.


       shortname          An optional short name for a compartment. Names  may
                          consist  of  multiple  words  in  which  case double
                          quotes are required.


       prefix             An optional phrase that can be associated  with  the
                          compartment.  It will be printed before the compart‐
                          ment when a label including that compartment is dis‐
                          played.


       suffix             An  optional  phrase that can be associated with the
                          compartment. It will be printed after  the  compart‐
                          ment when a label including that compartment is dis‐
                          played.


       subcompartments    An optional list of compartments that  are  included
                          by the current compartment.


       conflicts          An  optional  list of compartments that are mutually
                          exclusive with the current compartment.


       minclass           The name of the lowest classification with which the
                          current compartment can be combined.


       maxclass           The  name  of  the highest classification with which
                          the current compartment can be combined.


       bit                Compartments consist of one  or  more  bits  in  the
                          range  of  0  to 255. The bit property specifies the
                          unique bit number that is assigned  to  the  current
                          compartment exclusive of any of its subcompartments.
                          It is set automatically when a compartment  is  cre‐
                          ated.  Compartments  which  include multiple subcom‐
                          partments might not need  a  unique  bit,  in  which
                          case, it can be cleared.


SUB-COMMANDS
       Subcommands  can  be provided in a command file using the -f option, or
       interactively. Multiple subcommands, separated by  semicolons,  can  be
       specified  on the command line by enclosing the entire set in quotation
       marks. The lack of subcommands implies an interactive  session,  during
       which auto-completion of subcommands and values can be invoked by using
       the TAB key.


       The add and select subcommands can be used to specify a  classification
       or compartment, at which point the context changes to that item. During
       an interactive session, the context is identified in the prompt by  the
       name  of  the selected item. The end and cancel subcommands are used to
       complete the specification, at which time the context  is  reverted  to
       the encodings context.


       The  property-value  can  be a simple value, or a list of simple values
       for those properties which accept lists. The following subcommands  are
       supported:

       add classification=name

           Begins  the  specification for a new classification. The context is
           changed to accept classification properties.


       add compartment=name

           Begins the specification for a  new  compartment.  The  context  is
           changed to accept compartment properties.


       add property-name=property-value

           Adds the specified values to the current classification or compart‐
           ment. This subcommand can only be applied to  the  properties  that
           accept lists: subcompartments, conflicts, valid, and invalid.


       cancel

           Ends the specification and resets context to the encodings context.
           Abandons any partially specified resources. cancel is only applica‐
           ble in the classification and compartment contexts.


       clear property-name

           Clears the value(s) for the property.


       commit

           Commits the current configuration from memory to the file specified
           through the -e option. The configuration must be committed for  the
           changes to take effect. The commit operation is attempted automati‐
           cally upon completion of a labelcfg session. Since a  configuration
           must be correct to be committed, this operation performs  an  auto‐
           matic verification.

           After successfully saving the configuration, if the  user  has  the
           solaris.smf.manage.labels  authorization  and  the  pathname starts
           with /etc/security/tsol/, then the labeld/label_encodings  property
           in  the  svc:/system/labeld  service  is  updated  and  the service
           instance is restarted.


       end

           Ends the classification or compartment specification.


       exit [-F]

           Exits the labelcfg session. If there are uncommitted  changes,  the
           user  is prompted whether to commit the changes before exiting. You
           can also use an EOF character to exit labelcfg. The -F  option  can
           be used to force the action.


       export [-f output-file]

           Prints  the  configuration to standard output or to the output file
           specified by the -f option. This command produces output in a  form
           suitable  for  subsequent  use as an input command file that can be
           specified on the command line.


       help [usage] [subcommands] [properties] [<subcommand>] [<properties>]

           Prints general help or help about specific topic.


       list

           Lists  all  the  valid  labels that are available using the current
           encodings.


       info [property-name]

           Displays information about the encodings,  the  currently  selected
           classification or compartment, or the specified property.


       remove classification=name|shortname

           Removes  the specified classification from the encodings. This sub‐
           command is only valid in the encodings context.


       remove compartment=name|shortname

           Removes the specified compartment from the encodings. This  subcom‐
           mand is only valid in the encodings context.


       select classification=name|shortname

           Selects  the classification to be edited. Either the name or short‐
           name properties can be specified.  This  subcommand  is  applicable
           only in the encodings context.


       select compartment=name|shortname

           Selects  the compartment to be edited. Either the name or shortname
           properties can be specified. This subcommand is applicable only  in
           the encodings context.


       set property-name=property-value

           Sets  a given property name to the given value. Any existing values
           for that property are replaced by the new values. Use the add  sub‐
           command  to  append additional values instead of replacing the cur‐
           rent values.


       verify

           Verifies the current configuration for correctness.


OPTIONS
       The following options are supported:

       -e    Specifies the encodings file to edit. If the file does not exist,
             it  is  created and initialized from the template file /etc/secu‐
             rity/tsol/label_encodings.template. If the file is not  writable,
             the session operates in read-only mode.

             If  this option is omitted, the default file specified by the SMF
             property labeld/encodings_file is used. By default  the  FMRI  is
             svc:/system/labeld:clearance. However, when Trusted Extensions is
             enabled, the init instance of this service is used, so the corre‐
             sponding FMRI is svc:/system/labeld:init.


       -f    Specifies an optional command file to use as input. Command files
             can be generated using the -f option of  the  export  subcommand.
             When  a  command  file  is specified, no other input is accepted.
             Typically the file specified using -e should be empty.  Otherwise
             it may conflict with the subcommands in the command file.


EXAMPLES
       Example 1 Creating the Simplest Encoding File


         # labelcfg -e simple "add classification=Confidential;end"


       Example 2 Creating an Encodings File for Compliance


         # labelcfg -e /etc/security/tsol/lef
         labelcfg:lef> set title="Sample Data Protection Policy"
         labelcfg:lef> add classification="Public"
         labelcfg:Public> set shortname="Public"
         labelcfg:Public> end
         labelcfg:lef> add classification="Confidential"
         labelcfg:Confidential> set shortname="Confidential"
         labelcfg:Confidential> end
         labelcfg:lef> add compartment="Internal Use Only"
         labelcfg:Internal Use Only> set minclass="Confidential"
         labelcfg:Internal Use Only> end
         labelcfg:lef> add compartment="Payment Data"
         labelcfg:Payment Data> set subcompartments="Internal Use Only"
         labelcfg:Payment Data> set minclass="Confidential"
         labelcfg:Payment Data> end
         labelcfg:lef> add compartment="Health Records"
         labelcfg:Health Records> set subcompartments="Internal Use Only"
         labelcfg:Health Records> set conflicts="Payment Data"
         labelcfg:Health Records> set minclass="Confidential"
         labelcfg:Health Records> end
         labelcfg:lef> add compartment="Highly Restricted"
         labelcfg:Highly Restricted> clear bit
         labelcfg:Highly Restricted> set minclass="Confidential"
         labelcfg:Highly Restricted> set subcompartments="Payment Data,Health Records"
         labelcfg:Highly Restricted> end
         labelcfg:lef> select classification="Confidential"
         labelcfg:Confidential> set invalid=""
         labelcfg:Confidential> end
         labelcfg:lef> set min_label=Public
         labelcfg:lef> set clearance="Confidential Internal Use Only"
         labelcfg:lef> verify
         labelcfg:lef> commit
         labelcfg:lef> exit
         #


       Example 3 Using the info Subcommand in the Encodings Context


         % labelcfg -e /etc/security/tsol/lef
         labelcfg:lef> info
         title=Sample Data Protection Policy
         classification=Public
              level=1
         classification=Confidential
              level=2
         compartment=Highly Restricted
              subcompartments="Payment Data,Health Records"
              minclass=Confidential
         compartment=Payment Data
              bit=1
              subcompartments="Internal Use Only"
              minclass=Confidential
         compartment=Health Records
              bit=2
              subcompartments="Internal Use Only"
              conflicts="Payment Data"
              minclass=Confidential
         compartment=Internal Use Only
              bit=0
              minclass=Confidential
         min_label=Public
         clearance=Confidential Internal Use Only


       Example 4 Using the list Subcommand to Show the Valid Labels


         labelcfg:lef> list
          "Confidential Highly Restricted"
          "Confidential Payment Data"
          "Confidential Health Records"
          "Confidential Internal Use Only"
          Public
          labelcfg:lef>

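       The encodings built in Example 2 and the labels that list prints in
       Example 4, as an added Python model (not Oracle's labelcfg code): it
       expands subcompartments into bit sets, applies minclass/maxclass,
       conflicts and the invalid list, enumerates the distinct valid labels,
       and checks the DESCRIPTION rule that one valid label dominates all the
       others. The semantics are inferred from this page's examples and are
       assumptions, not the implementation's: conflicts are taken to apply
       only to compartments named explicitly in a label, and set invalid=""
       is read as marking the empty compartment set invalid.

```python
from itertools import combinations

# Constructed from Example 2: classification -> level, compartment -> properties.
LEVELS = {"Public": 1, "Confidential": 2}
COMPARTMENTS = {
    "Internal Use Only": {"bit": 0, "minclass": "Confidential"},
    "Payment Data": {"bit": 1, "sub": ["Internal Use Only"], "minclass": "Confidential"},
    "Health Records": {"bit": 2, "sub": ["Internal Use Only"],
                       "conflicts": ["Payment Data"], "minclass": "Confidential"},
    # `clear bit`: no bit of its own, only the bits of its subcompartments.
    "Highly Restricted": {"sub": ["Payment Data", "Health Records"],
                          "minclass": "Confidential"},
}
# Assumed reading of `set invalid=""`: the empty compartment set is invalid.
INVALID = {"Confidential": [frozenset()]}

def bits(*names):
    """Bit set covered by the named compartments, subcompartments included."""
    out = set()
    for n in names:
        p = COMPARTMENTS[n]
        out |= ({p["bit"]} if "bit" in p else set()) | bits(*p.get("sub", []))
    return frozenset(out)

def allowed(classification, names):
    """Apply minclass/maxclass, explicit conflicts and the invalid list."""
    level = LEVELS[classification]
    for n in names:
        p = COMPARTMENTS[n]
        lo = LEVELS.get(p.get("minclass"), min(LEVELS.values()))
        hi = LEVELS.get(p.get("maxclass"), max(LEVELS.values()))
        if not lo <= level <= hi:
            return False
        if any(c in names for c in p.get("conflicts", [])):
            return False
    return bits(*names) not in INVALID.get(classification, [])

def valid_labels():
    """Distinct labels keyed by (classification, bits), as `list` prints them;
    the shortest spelling wins, so redundant subcompartments are dropped."""
    seen = {}
    for cls in LEVELS:
        for k in range(len(COMPARTMENTS) + 1):
            for names in combinations(COMPARTMENTS, k):
                if allowed(cls, names):
                    key = (cls, bits(*names))
                    seen.setdefault(key, f"{cls} {' '.join(names)}".strip())
    return seen

def top_label(labels):
    """The valid label that dominates every other one (DESCRIPTION requires one)."""
    for (cls, b), text in labels.items():
        if all(LEVELS[cls] >= LEVELS[c2] and b >= b2 for c2, b2 in labels):
            return text
```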

       Example 5 Changing the Name of a Compartment


          labelcfg:lef> select compartment="Health Records"
         labelcfg:Health Records> set name="Medical Records"
         labelcfg:Medical Records> info
         compartment=Medical Records
                 bit=2
                 subcompartments="Internal Use Only"
                 conflicts="Payment Data"
                 minclass=Confidential
         labelcfg:Medical Records> end
         labelcfg:lef>


FILES
       /etc/security/tsol/label_encodings.default




ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       +--------------------+---------------------+
       |  ATTRIBUTE TYPE    |  ATTRIBUTE VALUE    |
       +--------------------+---------------------+
       |Availability        |system/file_labeling |
       +--------------------+---------------------+


NOTES
       Although labelcfg can be used with label encodings files  from  Trusted
       Extensions,  it does not manage all of the fields that are described in
       the Compartmented Mode  Workstation  Labeling:  Encodings  Format.  For
       example,  it does not support Required Combinations or Printer Banners.
       So it may not be suitable for modifying existing encodings files.

SEE ALSO
       sandbox(1), clearance(7), labels(7), chk_encodings(8), labeld(8)

HISTORY
       The labelcfg command was added in Oracle Solaris 11.4.0.



Oracle Solaris 11.4               21 Jun 2021                      labelcfg(8)
The copyright of the man page content belongs to the man page author.