settxattr Command

Purpose

Sets the security attributes.

Syntax

settxattr { -f | -m | -p | -q | -s } Attribute = Value ... Name

Description

The settxattr command sets Trusted AIX® security attributes of the file, process, shared memory, message queue, or semaphore that is specified by the Name parameter. The command interprets the Name parameter as either a file, a process, a shared memory, a message queue, or a semaphore based on whether the -f (file), -p (process), -m (shared memory), -q (message queue), or the -s (semaphore) flag is specified.

To set a value for an attribute, specify the attribute name and the new value with the Attribute=Value parameter. All of the attributes are applied to extended attributes (EA) of the file system for file system objects and user credentials for processes.

Flags

Item Description
-f Specifies the security attributes of a file. The Name parameter specifies the path to this file on the system.
-p Specifies the security attributes of a process. The Name parameter specifies the numeric process identifier (PID) of an active process on the system. Changes requested through the Attribute=Value pairs immediately affect the state of the specified active process.
-m Specifies the security attributes of a shared memory. The Name parameter specifies the numeric shared memory identifier on the system.
-q Specifies the security attributes of a message queue. The Name parameter specifies the numeric message queue identifier on the system.
-s Specifies the security attributes of a semaphore. The Name parameter specifies the numeric semaphore identifier on the system.

Parameters

Item Description
Attribute = Value Specifies the value of a security attribute for the object. The list of valid attribute names depends on the object type as specified through the -f, -m, -p, -q, and -s flags.
Use the following file security attributes for the (-f) flag:
sl
Specifies the Sensitivity Label (SL). Specify this attribute to apply labels to regular files. This attribute is not valid for directories, devices, or terminal devices (TTYs).
maxsl
Specifies the Maximum Sensitivity Label. The value that you specify for this attribute must dominate the existing Minimum Sensitivity Label. This attribute is valid only for directories, devices, and TTYs.
minsl
Specifies the Minimum Sensitivity Label. The value that you specify for this attribute must be dominated by the existing Maximum Sensitivity Label. This attribute is valid only for directories, devices, and TTYs.
tl
Specifies the Integrity Label. Specify this attribute to apply labels to a file.
secflags
Specifies the Trusted AIX file security flags. Specify this attribute as a comma-separated list of security flags. You can specify the following flags:
  • FSF_APPEND
  • FSF_AUDIT
  • FSF_MAC_EXMPT
  • FSF_TLIB
  • FSF_TLIB_PROC
Use the following process security attributes for the -p flag:
effsl
Effective Sensitivity Label. Specify this attribute to apply labels on an active process. The effsl attribute must dominate the existing Minimum Sensitivity Label.
maxcl
Maximum Sensitivity Clearance Label. Specify this attribute to apply labels on an active process. The maxcl attribute must dominate the existing Effective Sensitivity Label.
mincl
Minimum Sensitivity Clearance Label. Specify this attribute to apply labels on an active process. The mincl attribute must be dominated by the existing Effective Sensitivity Label.
efftl
Effective Integrity Label. Specify this attribute to apply labels on an active process. The efftl attribute must dominate the existing Minimum Integrity Label.
maxtl
Maximum Integrity Label. Specify this attribute to apply labels on an active process. The maxtl attribute must dominate the existing Effective Integrity Label.
mintl
Minimum Integrity Label. Specify this attribute to apply labels on an active process. The mintl attribute must be dominated by the existing Effective Integrity Label.
Use the following security attributes for the message queue (-q) flag, the shared memory (-m) flag, and the semaphore (-s) flag:
sl
Specifies the Sensitivity Label (SL). Specify this attribute to apply labels to a message queue, shared memory, or semaphore object.
tl
Specifies the Integrity Label (TL). Specify this attribute to apply labels to a message queue, shared memory, or semaphore object.

Security

The settxattr command is a privileged command. It is owned by the root user and the security group, with the mode set to 755. To run the command successfully, users must have at least one of the following authorizations:

Item Description
aix.mls.label.sl.upgrade Required to assign an SL higher than the existing SL of filesystem objects.
aix.mls.label.tl.upgrade Required to assign a TL higher than the existing TL of filesystem objects.
aix.mls.label.sl.downgrade Required to assign an SL lower than the existing SL of filesystem objects.
aix.mls.label.tl.downgrade Required to assign a TL lower than the existing TL of filesystem objects.
aix.mls.proc.sl.upgrade Required to assign an effective SL higher than the existing effective SL of the process.
aix.mls.proc.tl.upgrade Required to assign an effective TL higher than the existing effective TL of the process.
aix.mls.proc.sl.downgrade Required to assign an effective SL lower than the existing effective SL of the process.
aix.mls.proc.tl.downgrade Required to assign an effective TL lower than the existing effective TL of the process.
aix.mls.label.outsideaccred Required to assign labels outside the accreditation range.
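The dominance rules listed under Parameters and the upgrade/downgrade authorizations listed above can be modelled together. The following is an added example, not IBM's code: it uses a constructed label encoding (a classification level plus a set of compartments, with SEC treated as an alias of SECRET) rather than the real /etc/security/enc/LabelEncodings format, and the handling of incomparable labels in required_auth is an assumption the page does not state.

```python
from dataclasses import dataclass

# Constructed ordering of classification levels (not the LabelEncodings file format).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SEC": 2, "SECRET": 2, "TS": 3}

# Dominance rules as this page states them: attribute -> (relation, attribute compared against).
RULES = {
    "maxsl": ("dominates", "minsl"), "minsl": ("dominated_by", "maxsl"),
    "effsl": ("dominates", "mincl"), "maxcl": ("dominates", "effsl"),
    "mincl": ("dominated_by", "effsl"), "efftl": ("dominates", "mintl"),
    "maxtl": ("dominates", "efftl"), "mintl": ("dominated_by", "efftl"),
}
# Authorization name prefixes for the labels the Security section covers.
AUTH_PREFIX = {"sl": "aix.mls.label.sl", "tl": "aix.mls.label.tl",
               "effsl": "aix.mls.proc.sl", "efftl": "aix.mls.proc.tl"}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset

    @classmethod
    def parse(cls, text):
        # "TS ALL" -> level TS with compartment set {ALL}; "SECRET" alone has none.
        level, *comps = text.split()
        return cls(level, frozenset(comps))

    def dominates(self, other):
        # Higher-or-equal level and a superset of the other label's compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def check_update(current, attr, value):
    """Return None if attr=value satisfies the page's rule against the labels already
    on the object (current: attribute name -> label string), else an error message."""
    rel, other = RULES.get(attr, (None, None))
    if rel is None or other not in current:
        return None  # no rule stated for this attribute, or nothing to compare against
    new, peer = Label.parse(value), Label.parse(current[other])
    ok = new.dominates(peer) if rel == "dominates" else peer.dominates(new)
    return None if ok else f"{attr}={value!r} must be {rel.replace('_', ' ')} {other}={current[other]!r}"

def required_auth(attr, old, new):
    """Authorizations needed to change attr from old to new; empty tuple if unchanged."""
    o, n, prefix = Label.parse(old), Label.parse(new), AUTH_PREFIX[attr]
    if o == n:
        return ()
    if n.dominates(o):
        return (prefix + ".upgrade",)
    if o.dominates(n):
        return (prefix + ".downgrade",)
    # Incomparable labels: assumption, treated as needing both authorizations.
    return (prefix + ".upgrade", prefix + ".downgrade")
```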

Files Accessed

Item Description
Mode File
r /etc/security/enc/LabelEncodings

Examples

  1. To apply labels to a regular file called regfile, enter the following command:
    settxattr -f sl=SECRET tl=SECRET regfile
  2. To apply labels to a directory called dirname, enter the following command:
    settxattr -f maxsl="TS ALL" minsl="SEC ALL" tl=TS dirname
  3. To apply labels to a message queue IPC object with the message queue ID 0, enter the following command:
    settxattr -q sl=SECRET tl=SECRET 0
  4. To apply labels to a shared memory IPC object with the shared memory ID 3145728, enter the following command:
    settxattr -m sl=SECRET tl=SECRET 3145728
  5. To apply labels to a semaphore IPC object with the semaphore ID 3, enter the following command:
    settxattr -s sl=SECRET tl=SECRET 3