SW Development

[smack] chsmack manual en

. . . 2021. 3. 19. 12:51

Introduction

While I was organizing material on smack... I was troubled that there was no proper manual. But, as expected, the official distribution site did have a manual document.

  • Original: https://github.com/smack-team/smack/blob/master/doc/chsmack.8

I converted that document into a more readable form.

For the Korean translation (Google Translate), see the following link.

Previous post: [smack] chsmack manual ko - Korean translation

...

Start of manual

NAME

chsmack - Change or list the Smack properties of filesystem objects

SYNOPSIS

chsmack [-L] [-r] [--] files...

chsmack [-L] [-r] props... [--] files...

chsmack -d [-L] [-r] [props]... [--] files...

DESCRIPTION

chsmack can be used to query or change the Smack context of a file.

  1. The first form is used to query the Smack properties of the files.
  2. The second form is used to set and reset some Smack properties of the files.
  3. The third form is used to remove all or some of the Smack properties of the listed files.

This third form is now obsolete; use the second form instead.

Depending on the state and type of the file, the different labels, which are stored as extended attributes, have different effects.

  • The access property is always significant. It is used to control how processes access the file.
  • The mmap property is significant on filesystem objects that can be mapped. It is used to control how processes mmap the file.
  • The exec property applies to executable files (binaries or scripts). It takes effect when the process is launched: the property is assigned as the context of the running process.
  • The transmute flag only affects directories and ensures that all files created beneath such a directory have their label set to the label of the directory on which the transmute bit is set.

This process needs to be launched with the CAP_MAC_ADMIN capability in order to change any of the contexts.

OPTIONS

  • -L, --dereference
    • Use this option to process the target of the symbolic links instead of the symbolic links themselves.
  • -a, --access label
    • When setting, the label must be set and its value must be a valid Smack label.
    • This context is used to confine the access modes, which are defined by the set rwaxtl: read, write, append, execute, transmute and lock.
    • The exec here is not to be confused with the -e option listed below.
    • This access mode exec specifies restrictions on who is allowed to launch this executable.
    • A common rule for this might look like (launcher application rx), where the --access label is set to application.
    • This would ensure that a process with context launcher is able to read and execute the binary from the application context.
    • This label is stored in the security.SMACK64 extended attribute.
  • -A, --drop-access
    • Drop the access property attached to the file.
    • After that operation, the access property for the file will be the default access property set during the file system mounting or _ if none.
  • -e, --exec label
    • When setting, the label must be set and its value must be a valid Smack label.
    • If this file is an application binary, this flag defines the context that it will be launched in.
    • This label is stored in the security.SMACK64EXEC extended attribute.
  • -E, --drop-exec
    • Drop the exec property attached to the file.
  • -m, --mmap label
    • When setting, the label must be set and its value must be a valid Smack label.
    • A file with the mmap attribute set can only be mapped by processes with access to all of the labels that a process with the mmap label would have access to.
    • This label is stored in the security.SMACK64MMAP extended attribute.
  • -M, --drop-mmap
    • Drop the mmap property attached to the file.
  • -t, --transmute
    • When used this will set the transmute flag of a directory to True.
    • This will mean that all files and directories created under it will have the same label as the directory.
    • By default all files created by a process are created with the same context label as the process.
    • Transmute provides a very useful feature for sharing access to resources.
    • The common example would be a Docs directory where all documents created by word processors and text editors can be stored.
    • Each of the text editors can open the files and edit them in a shared fashion, while still ensuring that the config files of the editor remain protected.
    • This label is stored in the security.SMACK64TRANSMUTE extended attribute.
  • -T, --drop-transmute
    • Drop the transmute property attached to the file.
  • -D, --drop
    • Use this option to instruct chsmack to remove all attributes that aren't set by other flags.
    • For example chsmack -a Foo -D would drop all attributes except security.SMACK64.
    • If no property is specified, it means that all the properties will be removed.
  • -r, --recursive
    • Use this option to list or modify files in subdirectories.
    • It follows symbolic links only when they are named on the command line.

OBSOLETE OPTIONS

  • -d, --remove
    • This option is obsolete; use -D, -A, -M, -E, -T instead.
    • Use this option to remove the smack properties of the files. You specify the properties to remove using options -a, -e, -m or -t (or their long version) without putting their label value.
    • If no property is specified, it means that all the properties will be removed.

RETURN VALUE

The current values for the labels will be printed to stdout on success.

EXIT STATUS

A successful call will return 0, whereas a non-zero value will be returned on error.

SMACK LABELS

Smack labels are ASCII character strings, from 1 to 255 characters in length. Single-character labels using special characters, that being anything other than a letter or digit, are reserved for use by the Smack development team. Smack labels are unstructured, case sensitive, and the only operation ever performed on them is comparison for equality. Smack labels cannot contain unprintable characters, the '/' (slash), the '\' (backslash), the "'" (quote) and '"' (double-quote) characters. Smack labels cannot begin with a '-'. This is reserved for special options.

There are some predefined labels:

  • _ Pronounced "floor", a single underscore character.
  • ^ Pronounced "hat", a single circumflex character.
  • * Pronounced "star", a single asterisk character.
  • ? Pronounced "huh", a single question mark character.
  • @ Pronounced "web", a single at sign character.
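The label rules above and the rwaxtl access modes described under the -a option are easy to get wrong by hand, so here is an added validator (not part of the chsmack manual or the smack project) that checks a label against the SMACK LABELS rules and parses a "subject object modes" rule such as (launcher application rx). It assumes that "printable" means the ASCII range 0x21-0x7e, so a space inside a label is rejected; the function names are mine.

```python
from typing import Optional, Tuple

# The predefined single-character labels listed in the manual (floor, hat, star, huh, web).
PREDEFINED_LABELS = {"_", "^", "*", "?", "@"}

# Characters the SMACK LABELS section forbids anywhere in a label.
FORBIDDEN_CHARS = set("/\\'\"")

# Access-mode letters from the -a option text: read, write, append, execute, transmute, lock.
MODE_ORDER = "rwaxtl"


def validate_smack_label(label: str) -> Optional[str]:
    """Return None when `label` satisfies the SMACK LABELS rules, otherwise a short
    reason naming the first rule it breaks."""
    if not 1 <= len(label) <= 255:
        return "length must be between 1 and 255 characters"
    for ch in label:
        # Assumption: "printable" means ASCII 0x21..0x7e, so non-ASCII bytes,
        # control characters and spaces are all rejected here.
        if not 0x21 <= ord(ch) <= 0x7E:
            return f"unprintable or non-ASCII character {ch!r}"
        if ch in FORBIDDEN_CHARS:
            return f"forbidden character {ch!r}"
    if label.startswith("-"):
        return "labels cannot begin with '-' (reserved for options)"
    # A lone special character is reserved for the Smack developers unless it is
    # one of the predefined labels.
    if len(label) == 1 and not label.isalnum() and label not in PREDEFINED_LABELS:
        return "single special-character labels are reserved"
    return None


def parse_rule(line: str) -> Tuple[str, str, str]:
    """Parse 'subject object modes' (e.g. 'launcher application rx'), validating both
    labels and the mode letters. Modes are returned in canonical rwaxtl order."""
    parts = line.split()
    if len(parts) != 3:
        raise ValueError(f"expected 'subject object modes', got {line!r}")
    subject, obj, modes = parts
    for role, label in (("subject", subject), ("object", obj)):
        reason = validate_smack_label(label)
        if reason is not None:
            raise ValueError(f"{role} label {label!r}: {reason}")
    unknown = set(modes) - set(MODE_ORDER)
    if unknown:
        raise ValueError(f"unknown access mode letters: {sorted(unknown)}")
    canonical = "".join(m for m in MODE_ORDER if m in modes)
    return subject, obj, canonical


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real rule set.
    for candidate in ("User", "_", "#", "-foo", "a/b", "docs editor"):
        print(f"{candidate!r:14} -> {validate_smack_label(candidate) or 'valid'}")
    print(parse_rule("launcher application xr"))
```

Running the script prints a verdict per candidate label and the canonicalised rule ('launcher', 'application', 'rx'); the validator is deliberately strict so that a label which passes here is one chsmack's -a, -e or -m options will accept.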

EXAMPLES

Here are some examples that may be useful.

chsmack -aUser -D file1 file2

This command sets the Smack access property to User and drops any other Smack properties for the files file1 and file2.

chsmack -E -a Nobody file3

This command sets the Smack access property to Nobody and drops the exec property for the file file3.
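To make the two examples above and the -D semantics from OPTIONS concrete, here is an added planner (my own code, not part of chsmack) that turns a chsmack command line into the list of extended-attribute operations it implies, using the security.SMACK64* attribute names given in the manual. It handles only the short options of the second form (-a/-e/-m LABEL in attached or separate spelling, -t, -A/-E/-M/-T and -D); it assumes the transmute flag is stored as the string "TRUE", and it does not validate label syntax.

```python
from typing import Dict, List, Optional, Tuple

# Extended attribute backing each Smack property, as documented under OPTIONS.
XATTR_BY_PROP = {
    "access": "security.SMACK64",
    "exec": "security.SMACK64EXEC",
    "mmap": "security.SMACK64MMAP",
    "transmute": "security.SMACK64TRANSMUTE",
}

LABEL_OPTS = {"-a": "access", "-e": "exec", "-m": "mmap"}
DROP_OPTS = {"-A": "access", "-E": "exec", "-M": "mmap", "-T": "transmute"}

# Assumption: the transmute flag is written as the literal string "TRUE".
TRANSMUTE_VALUE = "TRUE"

Op = Tuple[str, str, Optional[str]]  # ("set" | "remove", xattr name, value or None)


def plan_chsmack(argv: List[str]) -> Tuple[List[Op], List[str]]:
    """Return (operations, files) for a chsmack option list.

    Setting and dropping the same property in one command is rejected. -D marks
    every property not set by another flag for removal, exactly as the manual
    describes for 'chsmack -a Foo -D'. Words after '--' are always file names."""
    setting: Dict[str, str] = {}
    dropping = set()
    drop_rest = False
    files: List[str] = []
    i = 0
    while i < len(argv):
        word = argv[i]
        if word == "--":
            files.extend(argv[i + 1:])
            break
        if not word.startswith("-"):
            files.append(word)
        elif word[:2] in LABEL_OPTS:
            prop = LABEL_OPTS[word[:2]]
            if len(word) > 2:                  # attached form, e.g. -aUser
                label = word[2:]
            else:                              # separate form, e.g. -a User
                i += 1
                if i >= len(argv):
                    raise ValueError(f"option {word} requires a label")
                label = argv[i]
            setting[prop] = label
        elif word == "-t":
            setting["transmute"] = TRANSMUTE_VALUE
        elif word in DROP_OPTS:
            dropping.add(DROP_OPTS[word])
        elif word == "-D":
            drop_rest = True
        else:
            raise ValueError(f"unsupported option: {word}")
        i += 1

    conflict = set(setting) & dropping
    if conflict:
        raise ValueError(f"property both set and dropped: {sorted(conflict)}")
    if drop_rest:
        dropping |= set(XATTR_BY_PROP) - set(setting)

    # Emit operations in the manual's property order: access, exec, mmap, transmute.
    ops: List[Op] = []
    for prop, xattr in XATTR_BY_PROP.items():
        if prop in setting:
            ops.append(("set", xattr, setting[prop]))
        elif prop in dropping:
            ops.append(("remove", xattr, None))
    return ops, files


if __name__ == "__main__":
    # The manual's first example, spelled exactly as it appears there.
    ops, files = plan_chsmack(["-aUser", "-D", "file1", "file2"])
    for op, xattr, value in ops:
        print(f"{op:6} {xattr} {value or ''}".rstrip(), "on", ", ".join(files))
```

For chsmack -aUser -D file1 file2 the planner reports one set of security.SMACK64 to User and removals of the other three attributes on both files, which is exactly what "drop all attributes except security.SMACK64" means in the -D description; an empty operation list corresponds to the query form.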

SEE ALSO

smackcipso(8), smackctl(8), smackload(8)
