device_allocate(4)              File Formats              device_allocate(4)

device_allocate - device_allocate file

/etc/security/device_allocate

The device_allocate file is an ASCII file that resides in the
/etc/security directory. It contains mandatory access control
information about each physical device. Each device is represented by a
one-line entry of the form:

    device-name;device-type;reserved1;reserved2;auths;device-exec

where:

device-name

    Represents an arbitrary ASCII string naming the physical device.
    This field contains no embedded white space or non-printable
    characters.

device-type

    Represents an arbitrary ASCII string naming the generic device
    type. This field identifies and groups together devices of like
    type. This field contains no embedded white space or non-printable
    characters. The following types of devices are currently managed by
    the system: audio, sr (represents CDROM drives), fd (represents
    floppy drives), st (represents tape drives), rmdisk (removable
    media devices).

reserved1

    On systems configured with Trusted Extensions, this field stores a
    colon-separated (:) list of key-value pairs that describe device
    allocation attributes used in Trusted Extensions. Zero or more keys
    can be specified. The following keys are currently interpreted by
    Trusted Extensions systems:

    minlabel

        Specifies the minimum label at which the device can be
        allocated. Default value is admin_low.

    maxlabel

        Specifies the maximum label at which the device can be
        allocated. Default value is admin_high.

    zone

        Specifies the name of the zone in which the device is currently
        allocated.

    class

        Specifies a logical grouping of devices. For example, all Sun
        Ray devices of all device types. There is no default class.

    xdpy

        Specifies the X display name. This is used to identify devices
        associated with that X session. There is no default xdpy value.

reserved2

    Represents a field reserved for future use.

auths

    Represents a field that contains a comma-separated list of
    authorizations required to allocate the device, an asterisk (*) to
    indicate that the device is not allocatable, or an '@' symbol to
    indicate that no explicit authorization is needed to allocate the
    device. The default authorization is solaris.device.allocate. See
    auths(1).

device-exec

    The physical device's data clean program to be run any time the
    device is acted on by allocate(1). This ensures that unmanaged data
    does not remain in the physical device between uses. This field
    contains the filename of a program in /etc/security/lib or the full
    pathname of a cleanup script provided by the system administrator.

Notes on device_allocate

The device_allocate file is an ASCII file that resides in the
/etc/security directory.

Lines in device_allocate can end with a `\' to continue an entry on the
next line.

Comments can also be included. A `#' makes a comment of all further
text until the next NEWLINE not immediately preceded by a `\'.

White space is allowed in any field.

The device_allocate file must be created by the system administrator
before device allocation is enabled.

The device_allocate file is owned by root, with a group of sys, and a
mode of 0644.

Example 1 Declaring an Allocatable Device

Declare that physical device st0 is of type st. st is allocatable, and
the script used to clean the device after running deallocate(1) is
named /etc/security/lib/st_clean.

    # scsi tape
    st0;\
    st;\
    reserved;\
    reserved;\
    solaris.device.allocate;\
    /etc/security/lib/st_clean

Example 2 Declaring an Allocatable Device with Authorizations

Declare that physical device fd0 is of type fd. fd is allocatable by
users with the solaris.device.allocate authorization, and the script
used to clean the device after running deallocate(1) is named
/etc/security/lib/fd_clean.

    # floppy drive
    fd0;\
    fd;\
    reserved;\
    reserved;\
    solaris.device.allocate;\
    /etc/security/lib/fd_clean

Making a device allocatable means that you need to allocate and
deallocate it to use it (with allocate(1) and deallocate(1)). If a
device is not allocatable, there is an asterisk (*) in the auths field,
and no one can use the device.

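The following is an added example, not part of the original man page or
of Solaris: a small Python parser that applies the continuation, comment
and field rules described above and reports entries a reviewer would want
to look at ('@' in auths, a missing or site-supplied clean program, a
wrong field count). The sample text is constructed, and
/opt/local/sr_wipe is a hypothetical path.

```python
CLEAN_DIR = "/etc/security/lib"
FIELDS = ("name", "type", "reserved1", "reserved2", "auths", "exec")

# Constructed sample; /opt/local/sr_wipe is a hypothetical site script.
SAMPLE = r"""
# scsi tape
st0;\
st;\
reserved;\
reserved;\
solaris.device.allocate;\
/etc/security/lib/st_clean
audio0;audio;reserved;reserved;@;audio_clean   # anyone may allocate
sr0;sr;reserved;reserved;*;/opt/local/sr_wipe
fd0;fd;reserved;reserved;solaris.device.allocate
"""

def parse_entries(text):
    """Return one dict per entry, or a dict with an 'error' key if malformed."""
    entries = []
    logical = text.replace("\\\n", "")        # join continued lines first
    for line in logical.splitlines():
        line = line.split("#", 1)[0].strip()  # comment runs to end of logical line
        if not line:
            continue
        values = [v.strip() for v in line.split(";")]  # white space allowed in fields
        if len(values) != len(FIELDS):
            entries.append({"name": values[0],
                            "error": "expected 6 fields, got %d" % len(values)})
            continue
        entry = dict(zip(FIELDS, values))
        if entry["exec"] and not entry["exec"].startswith("/"):
            entry["exec"] = CLEAN_DIR + "/" + entry["exec"]  # bare name lives in CLEAN_DIR
        entries.append(entry)
    return entries

def audit(entry):
    """Return the findings for one parsed entry."""
    if "error" in entry:
        return ["malformed entry: " + entry["error"]]
    findings = []
    if entry["auths"] == "@":
        findings.append("allocatable without any authorization")
    if not entry["exec"]:
        findings.append("no device-clean program")
    elif not entry["exec"].startswith(CLEAN_DIR + "/"):
        findings.append("site-supplied clean script: " + entry["exec"])
    return findings

def report(text):
    return {e["name"]: audit(e) for e in parse_entries(text)}
```

Calling report(SAMPLE) returns a dictionary keyed by device name; an
empty list means the entry raised no findings.
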
/etc/security/device_allocate

    Contains the list of allocatable devices.

See attributes(5) for descriptions of the following attributes:

┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE              │ ATTRIBUTE VALUE             │
├─────────────────────────────┼─────────────────────────────┤
│ Interface Stability         │ Uncommitted                 │
└─────────────────────────────┴─────────────────────────────┘

auths(1), allocate(1), bsmconv(1M), deallocate(1), list_devices(1),
auth_attr(4), attributes(5)

The functionality described in this man page is available only if
Solaris Auditing has been enabled. See bsmconv(1M) for more
information.

On systems configured with Trusted Extensions, the functionality is
enabled by default. On such systems, the device_allocate file is
updated automatically by the system.

SunOS 5.11                      12 May 2008               device_allocate(4)