device_allocate(4) File Formats device_allocate(4)NAMEdevice_allocate - device_allocate file
SYNOPSIS
/etc/security/device_allocate
DESCRIPTION
The device_allocate file is an ASCII file that resides in the
/etc/security directory. It contains mandatory access control informa‐
tion about each physical device. Each device is represented by a one-
line entry of the form:
device-name;device-type;reserved1;reserved2;auths;device-exec
where:
device-name
Represents an arbitrary ASCII string naming the physical device.
This field contains no embedded white space or non-printable char‐
acters.
device-type
Represents an arbitrary ASCII string naming the generic device
type. This field identifies and groups together devices of like
type. This field contains no embedded white space or non-printable
characters. The following types of devices are currently managed by
the system: audio, sr (represents CDROM drives), fd (represents
floppy drives), st (represents tape drives), rmdisk (removable
media devices).
reserved1
On systems configured with Trusted Extensions, this field stores a
colon-separated (:) list of key-value pairs that describe device
allocation attributes used in Trusted Extensions. Zero or more keys
can be specified. The following keys are currently interpreted by
Trusted Extensions systems:
minlabel
Specifies the minimum label at which device can be allocated.
Default value is admin_low.
maxlabel
Specifies the maximum label at which device can be allocated.
Default value is admin_high.
zone
Specifies the name of the zone in which device is currently
allocated.
class
Specifies a logical grouping of devices. For example, all Sun
Ray devices of all device types. There is no default class.
xdpy
Specifies the X display name. This is used to identify devices
associated with that X session. There is no default xdpy value.
reserved2
Represents a field reserved for future use.
auths
Represents a field that contains a comma-separated list of autho‐
rizations required to allocate the device, an asterisk (*) to indi‐
cate that the device is not allocatable, or an '@' symbol to indi‐
cate that no explicit authorization is needed to allocate the
device. The default authorization is solaris.device.allocate. See
auths(1).
device-exec
The physical device's data clean program to be run any time the
device is acted on by allocate(1). This ensures that unmanaged data
does not remain in the physical device between uses. This field
contains the filename of a program in /etc/security/lib or the full
pathname of a cleanup script provided by the system administrator.
Notes on device_allocate
The device_allocate file is an ASCII file that resides in the
/etc/security directory.
Lines in device_allocate can end with a `\' to continue an entry on the
next line.
Comments can also be included. A `#' makes a comment of all further
text until the next NEWLINE not immediately preceded by a `\'.
White space is allowed in any field.
The device_allocate file must be created by the system administrator
before device allocation is enabled.
The device_allocate file is owned by root, with a group of sys, and a
mode of 0644.
EXAMPLES
Example 1 Declaring an Allocatable Device
Declare that physical device st0 is a type st. st is allocatable, and
the script used to clean the device after running deallocate(1) is
named /etc/security/lib/st_clean.
# scsi tape
st0;\
st;\
reserved;\
reserved;\
solaris.device.allocate;\
/etc/security/lib/st_clean
Example 2 Declaring an Allocatable Device with Authorizations
Declare that physical device fd0 is of type fd. fd is allocatable by
users with the solaris.device.allocate authorization, and the script
used to clean the device after running deallocate(1) is named
/etc/security/lib/fd_clean.
# floppy drive
fd0;\
fd;\
reserved;\
reserved;\
solaris.device.allocate;\
/etc/security/lib/fd_clean
Making a device allocatable means that you need to allocate and deallo‐
cate it to use it (with allocate(1) and deallocate(1)). If a device is
not allocatable, there is an asterisk (*) in the auths field, and no
one can use the device.
FILES
/etc/security/device_allocate
Contains list of allocatable devices
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability │Uncommitted │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSOauths(1), allocate(1), bsmconv(1M), deallocate(1), list_devices(1),
auth_attr(4), attributes(5)NOTES
The functionality described in this man page is available only if
Solaris Auditing has been enabled. See bsmconv(1M) for more informa‐
tion.
On systems configured with Trusted Extensions, the functionality is
enabled by default. On such systems, the device_allocate file is
updated automatically by the system.
SunOS 5.10 12 May 2008 device_allocate(4)