Lines Matching refs:label
44 smackaccess - report if a process with one label has access
74 the label given to a new filesystem object will be the label
77 The Smack label of a process that execs a program file with
81 label does not allow all of the access permitted to a process
82 with the label contained in this attribute. This is a very
89 gets the label of the directory instead of the label of the
94 Use the Smack label in this attribute for access control
98 Use the Smack label in this attribute for access control
101 There are multiple ways to set a Smack label on a file:
106 A process can see the Smack label it is running with by
118 Smack label has a particular access to an object with a
119 specified Smack label. Write a fixed format access rule to
125 Smack label has a particular access to an object with a
126 specified Smack label. Write a long format access rule to
131 This contains the Smack label applied to unlabeled network
137 where the first string is the subject label, the second the
138 object label, the third the access to allow and the fourth the
148 to a Smack label. The format accepted on write is:
150 The first string is a fixed Smack label. The first number is
156 to a Smack label. The format accepted on write is:
158 The first string is a long Smack label. The first number is
163 This contains the CIPSO level used for Smack direct label
170 treated as single label hosts. Packets are sent to single
171 label hosts only from processes that have Smack write access
172 to the host label. All packets received from single label hosts
173 are given the specified label. The format accepted on write is:
174 "%h:%h:%h:%h:%h:%h:%h:%h label" or
175 "%h:%h:%h:%h:%h:%h:%h:%h/%d label".
177 If label is "-DELETE" a matched entry will be deleted.
185 where the first string is the subject label, the second the
186 object label, and the third the requested access. The access
197 where the first string is the subject label, the second the
198 object label, and the third the requested access. The access
220 This contains the CIPSO level used for Smack mapped label
224 treated as single label hosts. Packets are sent to single
225 label hosts without CIPSO headers, but only from processes
226 that have Smack write access to the host label. All packets
227 received from single label hosts are given the specified
228 label. The format accepted on write is:
229 "%d.%d.%d.%d label" or "%d.%d.%d.%d/%d label".
230 If the label specified is "-CIPSO" the address is treated
236 label. The values are set by writing the desired labels, separated
249 Writing a Smack label here sets the access to '-' for all access
250 rules with that subject label.
253 a process with CAP_MAC_ADMIN can write a label into this interface.
254 Thereafter, accesses that involve that label will be logged and
261 Normally a process can change its own label to any legal value, but only
264 A process without CAP_MAC_ADMIN can change its label only once. When it
388 Every task on a Smack system is assigned a label. The Smack label
403 Smack restricts access based on the label attached to a subject and the label
414 label is permitted.
433 subject-label object-label access
435 Where subject-label is the Smack label of the task, object-label is the Smack
436 label of the thing being accessed, and access is a string specifying the sort
466 with the same label specifying a rule for that case is pointless. Only
493 includes 't' access the label assigned to the new object will be that
502 Process objects reflect tasks on the system and the Smack label used to access
503 them is the same Smack label that the task would use for its own access
524 The Smack label of a process can be read from /proc/<pid>/attr/current. A
525 process can read its own Smack label from /proc/self/attr/current. A
526 privileged process can change its own Smack label by writing to
527 /proc/self/attr/current but not the label of another process.
531 The Smack label of a filesystem object is stored as an extended attribute
546 label. This is done by adding a CIPSO tag to the header of the IP packet. Each
547 packet received is expected to have a CIPSO tag that identifies the label and
548 if it lacks such a tag the network ambient label is assumed. Before the packet
549 is delivered a check is made to determine that a subject with the label on the
557 label values to match the Smack labels being used without administrative
559 ambient label.
571 The label and category set are mapped to a Smack label as defined in
587 The ":" and "," characters are permitted in a Smack label but have no special
595 in fact an encoding of the Smack label. The level used is 250 by default. The
605 SMACK64IPIN: The Smack label of the task object. A privileged
606 program that will enforce policy may set this to the star label.
608 SMACK64IPOUT: The Smack label transmitted with outgoing packets.
609 A privileged program may set this to match the label of another
627 A special label '@' and an option '-CIPSO' can be used there:
628 @ means Internet, any application with any label has access to it
652 Smack label associated with the process the only concern likely to arise is
671 Smack label of a file, directory, or other file system object can be obtained
676 will put the Smack label of the root directory into value. A privileged
677 process can set the Smack label of a file system object with setxattr(2).
682 will set the Smack label of /foo to "Rubble" if the program has appropriate
689 A privileged process can set the Smack label of outgoing packets with
695 will set the Smack label "Rubble" on packets going out from the socket if the
700 will set the Smack label "*" as the object label against which incoming
707 smackfsdef=label: specifies the label to give files that lack
708 the Smack label extended attribute.
710 smackfsroot=label: specifies the label to assign the root of the
713 smackfshat=label: specifies a label that must have read access to
716 smackfsfloor=label: specifies a label to which all labels set on the
743 access mode will be logged. When a new label is introduced for processes
745 tracking of which rules actually get used for that label.
748 a label to /sys/fs/smackfs/unconfined makes subjects with that label
749 able to access any object, and objects with that label accessible to
750 all subjects. Any access that is granted because a label is unconfined