MAC privileges
The following MAC privileges are available on Trusted AIX®. A synopsis and description of each privilege and its uses is provided. Some privileges form a hierarchy, where one privilege can grant all of the rights associated with another privilege.
When checking for privileges, the system first checks whether the process has the lowest privilege needed, and then proceeds up the hierarchy, checking for the presence of more powerful privileges. For example, a process with the PV_AU_ privilege automatically has the PV_AU_ADMIN, PV_AU_ADD, PV_AU_PROC, PV_AU_READ, and PV_AU_WRITE privileges, and a process with the PV_ROOT privilege automatically has all of the privileges listed below except the PV_SU_ privileges.
- PV_MAC_
  Equivalent to all other MAC privileges (PV_MAC_*) combined
- PV_MAC_CL
  Allows a process to bypass sensitivity clearance restrictions
- PV_MAC_R_PROC
  Allows a process to bypass MAC read restrictions when getting information about a process, provided that the target process's label is within the clearance of the acting process
- PV_MAC_W_PROC
  Allows a process to bypass MAC write restrictions when sending a signal to a process, provided that the target process's label is within the clearance of the acting process
- PV_MAC_R
  Allows a process to bypass MAC read restrictions
- PV_MAC_R_CL
  Allows a process to bypass MAC read restrictions when the object's label is within the clearance of the process
- PV_MAC_R_STR
  Allows a process to bypass MAC read restrictions when reading a message from a STREAM, provided that the message's label is within the clearance of the process
- PV_MAC_W
  Allows a process to bypass MAC write restrictions
- PV_MAC_W_CL
  Allows a process to bypass MAC write restrictions when the object's label is within the clearance of the process
- PV_MAC_W_DN
  Allows a process to bypass MAC write restrictions when the process label dominates the object's label and the object's label is within the clearance of the process
- PV_MAC_W_UP
  Allows a process to bypass MAC write restrictions when the process label is dominated by the object's label and the object's label is within the clearance of the process
- PV_MAC_OVRRD
  Allows a process to bypass MAC restrictions for files flagged as being exempt from MAC
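
The lowest-first, then-upward check described above can be modeled as follows. This is an added example, not IBM's code: `has_privilege` and `parent_of` are hypothetical names, the privilege sets are constructed, and only the relationships stated on this page are encoded (PV_MAC_ covers every PV_MAC_*, PV_AU_ covers the PV_AU_* privileges, PV_ROOT covers everything except PV_SU_*); any finer hierarchy among the individual PV_MAC_* privileges is not modeled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model: privileges are plain strings, not the kernel's
   privilege-set representation. */
static bool starts_with(const char *s, const char *prefix) {
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Next privilege up the hierarchy, or NULL at the top. Encodes only the
   relationships stated on this page; unknown names get no parent. */
static const char *parent_of(const char *priv) {
    if (strcmp(priv, "PV_ROOT") == 0) return NULL;
    if (starts_with(priv, "PV_SU_")) return NULL; /* not covered by PV_ROOT */
    if (strcmp(priv, "PV_MAC_") == 0 || strcmp(priv, "PV_AU_") == 0)
        return "PV_ROOT";
    if (starts_with(priv, "PV_MAC_")) return "PV_MAC_"; /* all PV_MAC_* */
    if (starts_with(priv, "PV_AU_")) return "PV_AU_";   /* assumed by prefix */
    return NULL;
}

/* True if the held set grants `needed`: test the lowest privilege first,
   then walk up toward more powerful ones. */
bool has_privilege(const char *const held[], size_t n, const char *needed) {
    for (const char *p = needed; p != NULL; p = parent_of(p))
        for (size_t i = 0; i < n; i++)
            if (strcmp(held[i], p) == 0) return true;
    return false;
}

int main(void) {
    /* Constructed privilege sets for three hypothetical processes. */
    const char *const mac_all[] = { "PV_MAC_" };
    const char *const root[]    = { "PV_ROOT" };
    const char *const narrow[]  = { "PV_MAC_W_CL" };

    printf("PV_MAC_ -> PV_MAC_W_DN: %d\n", has_privilege(mac_all, 1, "PV_MAC_W_DN"));
    printf("PV_MAC_ -> PV_AU_READ:  %d\n", has_privilege(mac_all, 1, "PV_AU_READ"));
    printf("PV_ROOT -> PV_MAC_R:    %d\n", has_privilege(root, 1, "PV_MAC_R"));
    printf("PV_ROOT -> PV_SU_:      %d\n", has_privilege(root, 1, "PV_SU_"));
    printf("PV_MAC_W_CL -> PV_MAC_W: %d\n", has_privilege(narrow, 1, "PV_MAC_W"));
    return 0;
}
```

The last case shows that the hierarchy only flows downward: holding a narrow privilege never satisfies a check for a broader one, which is why grants of PV_MAC_ or PV_ROOT deserve the closest review when auditing role assignments.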