Lines Matching refs:label

40 smackaccess - report if a process with one label has access
70 the label given to a new filesystem object will be the label
73 The Smack label of a process that execs a program file with
77 label does not allow all of the access permitted to a process
78 with the label contained in this attribute. This is a very
85 gets the label of the directory instead of the label of the
90 Use the Smack label in this attribute for access control
94 Use the Smack label in this attribute for access control
97 There are multiple ways to set a Smack label on a file:
102 A process can see the Smack label it is running with by
112 Smack label has a particular access to an object with a
113 specified Smack label. Write a fixed format access rule to
119 Smack label has a particular access to an object with a
120 specified Smack label. Write a long format access rule to
125 This contains the Smack label applied to unlabeled network
131 where the first string is the subject label, the second the
132 object label, the third the access to allow and the fourth the
140 to a Smack label. The format accepted on write is:
142 The first string is a fixed Smack label. The first number is
148 to a Smack label. The format accepted on write is:
150 The first string is a long Smack label. The first number is
155 This contains the CIPSO level used for Smack direct label
165 where the first string is the subject label, the second the
166 object label, and the third the requested access. The access
177 where the first string is the subject label, the second the
178 object label, and the third the requested access. The access
198 This contains the CIPSO level used for Smack mapped label
202 treated as single label hosts. Packets are sent to single
203 label hosts without CIPSO headers, but only from processes
204 that have Smack write access to the host label. All packets
205 received from single label hosts are given the specified
206 label. The format accepted on write is:
207 "%d.%d.%d.%d label" or "%d.%d.%d.%d/%d label".
209 This contains the label processes must have for CAP_MAC_ADMIN
212 label. The value is set by writing the desired label to the
225 Writing a Smack label here sets the access to '-' for all access
226 rules with that subject label.
229 a process with CAP_MAC_ADMIN can write a label into this interface.
230 Thereafter, accesses that involve that label will be logged and
353 Every task on a Smack system is assigned a label. The Smack label
368 Smack restricts access based on the label attached to a subject and the label
379 label is permitted.
398 subject-label object-label access
400 Where subject-label is the Smack label of the task, object-label is the Smack
401 label of the thing being accessed, and access is a string specifying the sort
431 with the same label specifying a rule for that case is pointless. Only
458 includes 't' access the label assigned to the new object will be that
467 Process objects reflect tasks on the system and the Smack label used to access
468 them is the same Smack label that the task would use for its own access
489 The Smack label of a process can be read from /proc/<pid>/attr/current. A
490 process can read its own Smack label from /proc/self/attr/current. A
491 privileged process can change its own Smack label by writing to
492 /proc/self/attr/current but not the label of another process.
496 The Smack label of a filesystem object is stored as an extended attribute
511 label. This is done by adding a CIPSO tag to the header of the IP packet. Each
512 packet received is expected to have a CIPSO tag that identifies the label and
513 if it lacks such a tag the network ambient label is assumed. Before the packet
514 is delivered a check is made to determine that a subject with the label on the
522 label values to match the Smack labels being used without administrative
524 ambient label.
536 The label and category set are mapped to a Smack label as defined in
552 The ":" and "," characters are permitted in a Smack label but have no special
560 in fact an encoding of the Smack label. The level used is 250 by default. The
570 SMACK64IPIN: The Smack label of the task object. A privileged
571 program that will enforce policy may set this to the star label.
573 SMACK64IPOUT: The Smack label transmitted with outgoing packets.
574 A privileged program may set this to match the label of another
592 A special label '@' and an option '-CIPSO' can be used there:
593 @ means Internet, any application with any label has access to it
617 Smack label associated with the process the only concern likely to arise is
636 Smack label of a file, directory, or other file system object can be obtained
641 will put the Smack label of the root directory into value. A privileged
642 process can set the Smack label of a file system object with setxattr(2).
647 will set the Smack label of /foo to "Rubble" if the program has appropriate
654 A privileged process can set the Smack label of outgoing packets with
660 will set the Smack label "Rubble" on packets going out from the socket if the
665 will set the Smack label "*" as the object label against which incoming
672 smackfsdef=label: specifies the label to give files that lack
673 the Smack label extended attribute.
675 smackfsroot=label: specifies the label to assign the root of the
678 smackfshat=label: specifies a label that must have read access to
681 smackfsfloor=label: specifies a label to which all labels set on the
708 access mode will be logged. When a new label is introduced for processes
710 tracking of which rules actually get used for that label.
713 a label to /sys/fs/smackfs/unconfined makes subjects with that label
714 able to access any object, and objects with that label accessible to
715 all subjects. Any access that is granted because a label is unconfined