lstxattr Command

Purpose

Lists the security attributes of a file, directory, process, or interprocess communication (IPC).

Syntax

lstxattr { -f | -m | -p | -q | -s } [ -C | -F ] [ -a List ] { Name [ ,Name ] … }

Description

The lstxattr command lists Trusted AIX® security attributes of the file, process, shared memory, message queue or semaphore that is specified by the Name parameter. The command interprets the Name parameter as either a file, process, shared memory, message queue or semaphore based on whether the -f (file), -p (process), -m (shared memory), -q (message queue) or -s (semaphore) flag is specified.

By default, the lstxattr command displays all the security attributes for the specified object. To display only selected attributes, use the -a List flag.

By default, the security attributes are listed on one line. The command displays the attribute information as Attribute = Value definitions, each separated by a blank space. To list the attributes in stanza format, use the -F flag. To list the attributes as colon-separated records, use the -C flag.

Flags

Item Description
-a List Lists the attributes to display. Separate multiple attributes in the List variable with blank spaces. If you specify an empty list, the command displays only the object names. The attributes that can appear in the List variable depend on which of the -f, -p, -m, -q or -s flags you specified.
Use the following file security attributes for the -f flag:
sl
Sensitivity Label. If specified for a non-regular file, the command lists both the maximum and minimum sensitivity labels.
maxsl
Maximum Sensitivity Label. If specified for regular files, the command lists the sl value.
minsl
Minimum Sensitivity Label. If specified for regular files, the command lists the sl value.
tl
Integrity Label.
secflags
Trusted AIX file security flags.
Use the following process security attributes for the -p flag:
effsl
Effective Sensitivity Label.
maxcl
Maximum Sensitivity Clearance Label.
mincl
Minimum Sensitivity Clearance Label.
efftl
Effective Integrity Label.
maxtl
Maximum Integrity Label.
mintl
Minimum Integrity Label.
Use the following security attributes for the -q, -m, and -s flags:
sl
Sensitivity Label.
tl
Integrity Label.
-C Displays the privileged security attributes in colon-separated records in the following way:
#name:attribute1:attribute2: ...
name:value1:value2: ...
name:value1:value2: ...
The output is preceded by a comment line that lists details about the attribute represented in each colon-separated field. If you specify the -a flag, the order of the attributes matches the order specified in the -a flag. If an object does not have a value for a given attribute, the field is still displayed but is empty. The last field in each entry is ended by a newline character rather than a colon.
-f Lists the security attributes of a file. The Name parameter specifies the path to this file on the system.
-F Displays the output in stanza format, with each stanza identified by an object name. Each Attribute = Value pair is listed on a separate line:
Name:
        attribute1=value
        attribute2=value
        attribute3=value
-m Lists the security attributes of a shared memory segment. The Name parameter specifies the numeric shared memory identifier on the system.
-p Lists the security attributes of a process. The Name parameter specifies the numeric process identifier (PID) of an active process on the system.
-q Lists the security attributes of a message queue. The Name parameter specifies the numeric message queue identifier on the system.
-s Lists the security attributes of a semaphore. The Name parameter specifies the numeric semaphore identifier on the system.
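The colon-separated records produced by the -C flag are the form most convenient for scripting, because the leading comment line names the attribute in each field and an empty field is kept rather than dropped. The following shell functions are an added example (not part of the lstxattr documentation or of AIX) that parse that format into one "name attribute=value" line per field and look up a single attribute for a single object. The sample records, the object paths and the label strings SECRET, PUBLIC and TL_HIGH are constructed placeholders for illustration; real label names come from /etc/security/enc/LabelEncodings on the system.

```shell
#!/bin/sh
# Added example: parse the colon-separated records emitted by `lstxattr -C`.
# Format (from the -C flag description):
#   #name:attribute1:attribute2: ...
#   name:value1:value2: ...
# The header line supplies the attribute names in field order; an object with
# no value for an attribute still has the field, but it is empty.

# Constructed sample standing in for:
#   lstxattr -C -f -a sl tl /data/report.txt /data/notes.txt
# The label strings are placeholders, not real LabelEncodings names.
SAMPLE_C_OUTPUT='#name:sl:tl
/data/report.txt:SECRET:TL_HIGH
/data/notes.txt:PUBLIC:'

# parse_lstxattr_c: read -C records on stdin, emit "name attribute=value"
# lines, one per field. An empty field is emitted as "attribute=" so that
# a missing label is visible rather than silently skipped.
parse_lstxattr_c() {
    awk -F: '
        # Header: remember the attribute name for each field position.
        /^#/ { for (i = 2; i <= NF; i++) attr[i] = $i; nattr = NF; next }
        NF == 0 { next }
        # Record: field 1 is the object name, the rest follow header order.
        {
            for (i = 2; i <= nattr; i++)
                printf "%s %s=%s\n", $1, attr[i], $i
        }
    '
}

# lstxattr_value OBJECT ATTRIBUTE: print the value of ATTRIBUTE for OBJECT
# from -C records on stdin; prints nothing if the attribute is not in the
# header, the object is absent, or the field is empty.
lstxattr_value() {
    awk -F: -v obj="$1" -v want="$2" '
        /^#/ { for (i = 2; i <= NF; i++) if ($i == want) col = i; next }
        $1 == obj && col { print $col; exit }
    '
}

# Stand-alone demonstration on the constructed sample. In practice, feed the
# functions from the command itself, for example:
#   lstxattr -C -f -a sl tl "$@" | parse_lstxattr_c
printf '%s\n' "$SAMPLE_C_OUTPUT" | parse_lstxattr_c
```

Because the parser keys on the header line, it works unchanged for the process (-p) and IPC (-m, -q, -s) attribute sets, and for any attribute order chosen with -a; only the field names in the header differ.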

Parameters

Item Description
Name The object to list. The Name parameter is interpreted according to which of the -f, -p, -m, -q or -s flags you specified.

Security

The lstxattr command is a privileged command. It is owned by the root user and the security group, with the mode set to 755.
Restriction: Labels are stored in binary form and are converted to human-readable form by using the values in the /etc/security/enc/LabelEncodings file. If the conversion fails, the command can list the binary labels only if you have the following authorizations:
  • aix.mls.stat authorization for listing the binary labels of files and IPC objects
  • aix.mls.proc authorization for listing the binary labels of processes

Files Accessed:

Item Description
Mode File
r /etc/security/enc/LabelEncodings

Examples

  1. To list all the attributes of the regfile file, enter the following command:
    lstxattr -f regfile
  2. To list the maximum sensitivity, minimum sensitivity and integrity labels of the dirname directory, enter the following command:
    lstxattr -f -a maxsl minsl tl dirname
  3. To list the labels of a message-queue IPC object with "0" as the message queue ID, enter the following command:
    lstxattr -q -a sl tl 0
  4. To list the labels of a shared-memory IPC object with "3145728" as the shared memory ID, enter the following command:
    lstxattr -m -a sl tl 3145728