Lines Matching full:label

53 	report if a process with one label has access
86 the label given to a new filesystem object will be the label
90 The Smack label of a process that execs a program file with
95 label does not allow all of the access permitted to a process
96 with the label contained in this attribute. This is a very
104 gets the label of the directory instead of the label of the
110 Use the Smack label in this attribute for access control
115 Use the Smack label in this attribute for access control
118 There are multiple ways to set a Smack label on a file::
123 A process can see the Smack label it is running with by
135 Smack label has a particular access to an object with a
136 specified Smack label. Write a fixed format access rule to
143 Smack label has a particular access to an object with a
144 specified Smack label. Write a long format access rule to
150 This contains the Smack label applied to unlabeled network
159 where the first string is the subject label, the second the
160 object label, the third the access to allow and the fourth the
171 to a Smack label. The format accepted on write is::
175 The first string is a fixed Smack label. The first number is
183 to a Smack label. The format accepted on write is::
187 The first string is a long Smack label. The first number is
194 This contains the CIPSO level used for Smack direct label
203 treated as single label hosts. Packets are sent to single
204 label hosts only from processes that have Smack write access
205 to the host label. All packets received from single label hosts
206 are given the specified label. The format accepted on write is::
208 "%h:%h:%h:%h:%h:%h:%h:%h label" or
209 "%h:%h:%h:%h:%h:%h:%h:%h/%d label".
212 If label is "-DELETE" a matched entry will be deleted.
223 where the first string is the subject label, the second the
224 object label, and the third the requested access. The access
238 where the first string is the subject label, the second the
239 object label, and the third the requested access. The access
265 This contains the CIPSO level used for Smack mapped label
270 treated as single label hosts. Packets are sent to single
271 label hosts without CIPSO headers, but only from processes
272 that have Smack write access to the host label. All packets
273 received from single label hosts are given the specified
274 label. The format accepted on write is::
276 "%d.%d.%d.%d label" or "%d.%d.%d.%d/%d label".
278 If the label specified is "-CIPSO" the address is treated
285 label. The values are set by writing the desired labels, separated
306 Writing a Smack label here sets the access to '-' for all access
307 rules with that subject label.
311 a process with ``CAP_MAC_ADMIN`` can write a label into this interface.
312 Thereafter, accesses that involve that label will be logged and
320 Normally a process can change its own label to any legal value, but only
323 A process without ``CAP_MAC_ADMIN`` can change its label only once. When it
411 Label:
459 Every task on a Smack system is assigned a label. The Smack label
478 Smack restricts access based on the label attached to a subject and the label
489 label is permitted.
510 subject-label object-label access
512 Where subject-label is the Smack label of the task, object-label is the Smack
513 label of the thing being accessed, and access is a string specifying the sort
543 with the same label specifying a rule for that case is pointless. Only
571 includes 't' access the label assigned to the new object will be that
580 Process objects reflect tasks on the system and the Smack label used to access
581 them is the same Smack label that the task would use for its own access
604 The Smack label of a process can be read from /proc/<pid>/attr/current. A
605 process can read its own Smack label from /proc/self/attr/current. A
606 privileged process can change its own Smack label by writing to
607 /proc/self/attr/current but not the label of another process.
612 The Smack label of a filesystem object is stored as an extended attribute
629 label. This is done by adding a CIPSO tag to the header of the IP packet. Each
630 packet received is expected to have a CIPSO tag that identifies the label and
631 if it lacks such a tag the network ambient label is assumed. Before the packet
632 is delivered a check is made to determine that a subject with the label on the
641 label values to match the Smack labels being used without administrative
643 ambient label.
655 The label and category set are mapped to a Smack label as defined in
671 The ":" and "," characters are permitted in a Smack label but have no special
679 in fact an encoding of the Smack label. The level used is 250 by default. The
691 The Smack label of the task object. A privileged
692 program that will enforce policy may set this to the star label.
695 The Smack label transmitted with outgoing packets.
696 A privileged program may set this to match the label of another
716 A special label '@' and an option '-CIPSO' can be used there::
718 @ means Internet, any application with any label has access to it
745 Smack label associated with the process the only concern likely to arise is
767 Smack label of a file, directory, or other file system object can be obtained
772 will put the Smack label of the root directory into value. A privileged
773 process can set the Smack label of a file system object with setxattr(2)::
778 will set the Smack label of /foo to "Rubble" if the program has appropriate
786 A privileged process can set the Smack label of outgoing packets with
792 will set the Smack label "Rubble" on packets going out from the socket if the
797 will set the Smack label "*" as the object label against which incoming
805 smackfsdef=label:
806 specifies the label to give files that lack
807 the Smack label extended attribute.
809 smackfsroot=label:
810 specifies the label to assign the root of the
813 smackfshat=label:
814 specifies a label that must have read access to
817 smackfsfloor=label:
818 specifies a label to which all labels set on the
821 smackfstransmute=label:
852 access mode will be logged. When a new label is introduced for processes
854 tracking of which rules actually get used for that label.
857 a label to /sys/fs/smackfs/unconfined makes subjects with that label
858 able to access any object, and objects with that label accessible to
859 all subjects. Any access that is granted because a label is unconfined