xref: /titanic_41/usr/src/man/man4/device_allocate.4 (revision b8afd3a780ce850ff107bb3be330465bf47f84bd) 
 te
 Copyright (c) 2008, Sun Microsystems, Inc.
 The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
 When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
 device_allocate 4 "12 May 2008" "SunOS 5.11" "File Formats"
 NAME
device_allocate - device_allocate file

 SYNOPSIS


/etc/security/device_allocate




 DESCRIPTION

The device_allocate file is an ASCII file that resides in the
/etc/security directory. It contains mandatory access control information
about each physical device. Each device is represented by a one- line entry of
the form:


device-name;device-type;reserved1;reserved2;auths;device-e
xec


where:


device-name


Represents an arbitrary ASCII string naming the physical device. This
field contains no embedded white space or non-printable characters.





device-type


Represents an arbitrary ASCII string naming the generic device type. This
field identifies and groups together devices of like type. This field contains
no embedded white space or non-printable characters. The following types of
devices are currently managed by the system: audio, sr (represents CDROM
drives), fd (represents floppy drives), st (represents tape
drives), rmdisk (removable media devices).





reserved1


On systems configured with Trusted Extensions, this field stores a
colon-separated (:) list of key-value pairs that describe device
allocation attributes used in Trusted Extensions. Zero or more keys can be
specified. The following keys are currently interpreted by Trusted Extensions
systems:


minlabel


Specifies the minimum label at which device can be allocated. Default value is
admin_low.





maxlabel


Specifies the maximum label at which device can be allocated. Default value is
admin_high.





zone


Specifies the name of the zone in which device is currently allocated.





class


Specifies a logical grouping of devices. For example, all Sun Ray devices of
all device types. There is no default class.





xdpy


Specifies the X display name. This is used to identify devices associated with
that X session. There is no default xdpy value.








reserved2


Represents a field reserved for future use.





auths


Represents a field that contains a comma-separated list of authorizations
required to allocate the device, an asterisk (*) to indicate that the
device is not allocatable, or an '@' symbol to indicate that no
explicit authorization is needed to allocate the device. The default
authorization is solaris.device.allocate. See auths(1).





device-exec


The physical device's data clean program to be run any time the device is acted
on by allocate(1). This ensures that unmanaged data does not remain in
the physical device between uses. This field contains the filename of a program
in /etc/security/lib or the full pathname of a cleanup script provided by
the system administrator.




 "Notes on device_allocate"

The device_allocate file is an ASCII file that resides in the
/etc/security directory.


Lines in device_allocate can end with a `\e' to continue an entry
on the next line.


Comments can also be included. A `#' makes a comment of all further text
until the next NEWLINE not immediately preceded by a `\e'.


White space is allowed in any field.


The device_allocate file must be created by the system administrator
before device allocation is enabled.


The device_allocate file is owned by root, with a group of sys, and
a mode of 0644.

 EXAMPLES

Example 1 Declaring an Allocatable Device


Declare that physical device st0 is a type st. st is
allocatable, and the script used to clean the device after running
deallocate(1) is named /etc/security/lib/st_clean.


# scsi tape
st0;\e
 st;\e
 reserved;\e
 reserved;\e
 solaris.device.allocate;\e
 /etc/security/lib/st_clean





Example 2 Declaring an Allocatable Device with Authorizations


Declare that physical device fd0 is of type fd. fd is
allocatable by users with the solaris.device.allocate authorization, and
the script used to clean the device after running deallocate(1) is named
/etc/security/lib/fd_clean.


# floppy drive
fd0;\e
 fd;\e
 reserved;\e
 reserved;\e
 solaris.device.allocate;\e
 /etc/security/lib/fd_clean





Making a device allocatable means that you need to allocate and deallocate it
to use it (with allocate(1) and deallocate(1)). If a device is not
allocatable, there is an asterisk (*) in the auths field, and no
one can use the device.

 FILES

/etc/security/device_allocate


Contains list of allocatable devices




 ATTRIBUTES

See attributes(5) for descriptions of the following attributes:







ATTRIBUTE TYPEATTRIBUTE VALUE
Interface StabilityUncommitted



 SEE ALSO

auths(1), allocate(1), bsmconv(1M), deallocate(1),
list_devices(1), auth_attr(4), attributes(5)

 NOTES

The functionality described in this man page is available only if Solaris
Auditing has been enabled. See bsmconv(1M) for more information.


On systems configured with Trusted Extensions, the functionality is enabled by
default. On such systems, the device_allocate file is updated
automatically by the system.