settxattr Command

Purpose

Sets the security attributes.

Syntax

settxattr { -f | -m | -p | -q | -s } Attribute = Value ... Name

Description

The settxattr command sets Trusted AIX® security attributes of the file, process, shared memory, message queue, or semaphore that is specified by the Name parameter. The command interprets the Name parameter as either a file, a process, a shared memory, a message queue, or a semaphore based on whether the -f (file), -p (process), -m (shared memory), -q (message queue), or the -s (semaphore) flag is specified.

To set a value for an attribute, specify the attribute name and the new value with the Attribute=Value parameter. All of the attributes are applied to extended attributes (EA) of the file system for file system objects and user credentials for processes.

Flags

Item	Description
-f	Specifies the security attributes of a file. The Name parameter specifies the path to this file on the system.
-p	Specifies the security attributes of a process. The Name parameter specifies the numeric process identifier (PID) of an active process on the system. Changes requested through the Attribute=Value pairs immediately affect the state of the specified active process.
-m	Specifies the security attributes of a shared memory. The Name parameter specifies the numeric shared memory identifier on the system.
-q	Specifies the security attributes of a message queue. The Name parameter specifies the numeric message queue identifier on the system.
-s	Specifies the security attributes of a semaphore. The Name parameter specifies the numeric semaphore identifier on the system.

Parameters

Item	Description
Attribute = Value	Specifies the value of a security attribute for the object. The list of valid attribute names are dependent on the object type as specified through the -f, -m, -p, -q, and -s flags. Use the following file security attributes for the (-f) flag: sl Specifies the Sensitivity Label (SL). Specifies the SL to apply labels for regular files. This attribute is not valid for directories, devices, or terminal devices (TTYs). maxsl Specifies the Maximum Sensitivity Label. The value that you specify for this attribute must dominate the existing Minimum Sensitivity Label. This attribute is valid only for directories, devices, and TTYs. minsl Specifies the Minimum Sensitivity Label. The value that you specify for this attribute must be dominated by the existing Maximum Sensitivity Label. This attribute is valid only for directories, devices, and TTYs. tl Specifies the Integrity Label. Specify this attribute to apply labels to a file. secflags Specifies the Trusted AIX file security flags. Specify this attribute as a comma-separated list of security flags. You can specify the following flags: FSF_APPEND FSF_AUDIT FSF_MAC_EXMPT FSF_TLIB FSF_TLIB_PROC Use the following process security attributes for the -p flag: effsl Effective Sensitivity Label. Specify this attribute to apply labels on an active process. The effsl attribute must dominate the existing Minimum Sensitivity Label. maxcl Maximum Sensitivity Clearance Label. Specify this attribute to apply labels on an active process. The maxsl attribute must dominate the existing Effective Sensitivity Label. mincl Minimum Sensitivity Clearance Label. Specify this attribute to apply label on an active process. The mincl attribute must be dominated by the existing Effective Sensitivity Label. efftl Effective Integrity Label. Specify this attribute to apply labels on an active process. The efftl attribute must dominate the existing Minimum Integrity Label. maxtl Maximum Integrity Label Specify this attribute to apply labels on an active process. The maxtl attribute must dominate the existing Effective Integrity Label. mintl Minimum Integrity Label. Specify this attribute to apply labels on an active process. The mintl attribute must be dominated by the existing Effective Integrity Label. Use the following security attributes for the message queue (-q) flag, the shared memory (-m) flag, and the semaphore (-s) flag: sl Specifies the Sensitivity Label (SL). Specify this attribute to apply labels to a message queue, shared memory, or semaphore object. tl Specifies the Integrity Label (TL). Specify this attribute to apply labels to a message queue, shared memory, or semaphore object.

Item

Description

Attribute = Value

Specifies the value of a security attribute for the object. The list of valid attribute names are dependent on the object type as specified through the -f, -m, -p, -q, and -s flags.

Use the following file security attributes for the (-f) flag:

sl

Specifies the Sensitivity Label (SL). Specifies the SL to apply labels for regular files. This attribute is not valid for directories, devices, or terminal devices (TTYs).

maxsl

Specifies the Maximum Sensitivity Label. The value that you specify for this attribute must dominate the existing Minimum Sensitivity Label. This attribute is valid only for directories, devices, and TTYs.

minsl

Specifies the Minimum Sensitivity Label. The value that you specify for this attribute must be dominated by the existing Maximum Sensitivity Label. This attribute is valid only for directories, devices, and TTYs.

tl

Specifies the Integrity Label. Specify this attribute to apply labels to a file.

secflags

Specifies the Trusted AIX file security flags. Specify this attribute as a comma-separated list of security flags. You can specify the following flags:

FSF_APPEND
FSF_AUDIT
FSF_MAC_EXMPT
FSF_TLIB
FSF_TLIB_PROC

Use the following process security attributes for the -p flag:

effsl: Effective Sensitivity Label. Specify this attribute to apply labels on an active process. The effsl attribute must dominate the existing Minimum Sensitivity Label.
maxcl: Maximum Sensitivity Clearance Label. Specify this attribute to apply labels on an active process. The maxsl attribute must dominate the existing Effective Sensitivity Label.
mincl: Minimum Sensitivity Clearance Label. Specify this attribute to apply label on an active process. The mincl attribute must be dominated by the existing Effective Sensitivity Label.
efftl: Effective Integrity Label. Specify this attribute to apply labels on an active process. The efftl attribute must dominate the existing Minimum Integrity Label.
maxtl: Maximum Integrity Label Specify this attribute to apply labels on an active process. The maxtl attribute must dominate the existing Effective Integrity Label.
mintl: Minimum Integrity Label. Specify this attribute to apply labels on an active process. The mintl attribute must be dominated by the existing Effective Integrity Label.

Use the following security attributes for the message queue (-q) flag, the shared memory (-m) flag, and the semaphore (-s) flag:

sl: Specifies the Sensitivity Label (SL). Specify this attribute to apply labels to a message queue, shared memory, or semaphore object.
tl: Specifies the Integrity Label (TL). Specify this attribute to apply labels to a message queue, shared memory, or semaphore object.

Security

The settxattr command is a privileged command. It is owned by the root user and the security group, with the mode set to 755. To run the command successfully, users must have at least one of the following authorizations:

Item	Description
aix.mls.label.sl.upgrade	Required to assign an SL higher than the existing SL of filesystem objects.
aix.mls.label.tl.upgrade	Required to assign a TL higher than the existing TL of filesystem objects.
aix.mls.label.sl.downgrade	Required to assign an SL lower than the existing SL of filesystem objects.
aix.mls.label.tl.downgrade	Required to assign a TL lower than the existing TL of filesystem objects.
aix.mls.proc.sl.upgrade	Required to assign an effective SL higher than the existing effective SL of the process.
aix.mls.proc.tl.upgrade	Required to assign an effective TL higher than the existing effective TL of the process.
aix.mls.proc.sl.downgrade	Required to assign an effective SL lower than the existing effective SL of the process.
aix.mls.proc.tl.downgrade	Required to assign an effective TL lower than the existing effective TL of the process.
aix.mls.label.outsideaccred	Required to assign labels outside the accreditation range.

File Accessed:

Item	Description
Mode	File
r	/etc/security/enc/LabelEncodings

Examples

To apply labels to a regular file called regfile, enter the following command:
```
settxattr –f sl=SECRET tl=SECRET regfile
```
To apply labels to a directory called dirname, enter the following command:
```
settxattr –f maxsl=”TS ALL” minsl=”SEC ALL” tl=TS dirname
```
To apply labels to a message queue IPC object with the 0 message queue ID, enter the following command:
```
settxattr –q sl=SECRET tl=SECRET 0
```
To apply labels to a shared memory IPC object with the 3145728 shared memory ID, enter the following command:
```
settxattr –m sl=SECRET tl=SECRET 3145728
```
To apply labels to a semaphore IPC object with the three shared memory IDs, enter the following command:
```
settxattr –s sl=SECRET tl=SECRET 3
```