Contains security attributes for domain-assigned objects.
The /etc/security/domobjs file is an ASCII stanza file that contains domain-assigned objects and their security attributes. Each stanza in the /etc/security/domobjs file is identified by the name of the object, followed by a colon (:). Each stanza contains attributes in the Attribute=Value form. If the object is of type file or device, the stanza name must be the absolute path to the object and cannot contain symbolic links. Each Attribute=Value pair is ended by a newline character, and each stanza is ended by an additional newline character. For an example of a stanza, see Examples.
Changes made to the domobjs file do not take effect until the entire domain-assigned object database is sent to the Kernel Security Tables with the setkst command or until the system is rebooted.
Modifying and Listing Entries in the domobjs File
A stanza in this file contains one or more of the following security attributes:
Attribute | Definition |
---|---|
domains | Defines the list of domains that are allowed access to the object. Whether a process needs any or all of the listed domains is controlled by the secflags attribute. |
conflictsets | Defines the list of domains that are forbidden from accessing the object. A user or process that belongs to any of these domains is denied access, even if it also belongs to a domain listed in the domains attribute. |
objtype | Defines the type of the object, for example file or device (the types for which the stanza name must be an absolute path, as described above). |
secflags | The security flags for the object. Valid values are FSF_DOM_ALL and FSF_DOM_ANY. The flag modifies the access behaviour only for the domains attribute. With FSF_DOM_ANY, any user or process that belongs to at least one of the domains listed in the domains attribute can access the object. With FSF_DOM_ALL, the user or process accessing the object must belong to all of the domains listed in the domains attribute. If secflags is not provided, the default of FSF_DOM_ALL is assumed. |
The root user and the security group own this file. Read and write access is granted to the root user. Access for other users and groups depends on the security policy for the system.
Examples
/usr/local/share/myfile:
domains=INTRANET,APPLICATION
conflictsets=INTERNET
objtype=file
secflags=FSF_DOM_ANY
This entry indicates that a user or process that wants access to this object must belong to at least one of the INTRANET or APPLICATION domains (because secflags is FSF_DOM_ANY) and must not belong to the INTERNET domain. A process in both INTRANET and INTERNET is denied: the conflict set applies regardless of the domains attribute.
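The stanza grammar from the description above and the access rules from the attribute table, worked through in code against the Examples stanza. This is an added example written for this page, not AIX code or the kernel's own decision logic. The second device stanza, the exact stanza grammar (a line ending in a colon opens a stanza, a blank line closes it), and the choice to treat a stanza with no domains attribute as inaccessible are assumptions made here, not rules stated on the page.

```python
"""Parser and access-decision checker for /etc/security/domobjs stanzas.

Added example for this page, not AIX's implementation. Rules applied:
  - conflictsets: membership in any listed domain denies access outright
  - domains + secflags: FSF_DOM_ANY needs one listed domain, FSF_DOM_ALL all
  - secflags defaults to FSF_DOM_ALL when absent
Assumptions not on the page: a stanza with no domains attribute grants nobody
access; the symlink rule is checked with os.path.islink only on request.
"""
import os

VALID_SECFLAGS = {"FSF_DOM_ALL", "FSF_DOM_ANY"}
# Object types named on the page whose stanza name must be an absolute path.
PATH_OBJTYPES = {"file", "device"}

# Constructed sample input: the Examples stanza from the page plus a
# hypothetical device stanza that relies on the FSF_DOM_ALL default.
SAMPLE_DOMOBJS = """\
/usr/local/share/myfile:
\tdomains=INTRANET,APPLICATION
\tconflictsets=INTERNET
\tobjtype=file
\tsecflags=FSF_DOM_ANY

/dev/hypothetical_disk:
\tdomains=INTRANET,APPLICATION
\tobjtype=device
"""


def _domain_set(value):
    """Split a comma-separated domain list into a set, ignoring empty items."""
    return {d.strip() for d in value.split(",") if d.strip()}


def path_has_symlink(path):
    """True if any component of path (including the leaf) is a symbolic link."""
    prefix = ""
    for part in path.strip("/").split("/"):
        prefix += "/" + part
        if os.path.islink(prefix):
            return True
    return False


def validate_stanza(name, attrs, check_symlinks=False):
    """Apply the attribute-table rules and fill in the secflags default."""
    secflags = attrs.get("secflags", "FSF_DOM_ALL")
    if secflags not in VALID_SECFLAGS:
        raise ValueError(f"{name}: invalid secflags {secflags!r}")
    attrs["secflags"] = secflags
    if attrs.get("objtype") in PATH_OBJTYPES:
        if not name.startswith("/"):
            raise ValueError(f"{name}: file/device objects need an absolute path")
        if check_symlinks and path_has_symlink(name):
            raise ValueError(f"{name}: path must not contain symbolic links")
    return attrs


def parse_domobjs(text, check_symlinks=False):
    """Parse stanza text into {object name: {attribute: value}}.

    Malformed input raises ValueError instead of being skipped: a silently
    dropped conflictsets line would widen access.
    """
    objs = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            current = None  # the extra newline closes the stanza
            continue
        if "=" not in line and line.endswith(":"):
            current = line[:-1]
            if current in objs:
                raise ValueError(f"line {lineno}: duplicate stanza for {current}")
            objs[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line {lineno}: expected Attribute=Value, got {raw!r}")
        attr, _, value = line.partition("=")
        objs[current][attr.strip()] = value.strip()
    for name, attrs in objs.items():
        validate_stanza(name, attrs, check_symlinks)
    return objs


def may_access(stanza, process_domains):
    """Decide whether a process holding process_domains may access the object."""
    held = set(process_domains)
    allowed = _domain_set(stanza.get("domains", ""))
    forbidden = _domain_set(stanza.get("conflictsets", ""))
    if held & forbidden:
        return False  # a conflict-set domain denies regardless of domains
    if not allowed:
        return False  # assumption: no domains listed means nobody qualifies
    if stanza.get("secflags", "FSF_DOM_ALL") == "FSF_DOM_ANY":
        return bool(held & allowed)
    return allowed <= held  # FSF_DOM_ALL: every listed domain must be held


if __name__ == "__main__":
    for name, attrs in parse_domobjs(SAMPLE_DOMOBJS).items():
        for held in ({"INTRANET"}, {"INTRANET", "INTERNET"}, {"INTRANET", "APPLICATION"}):
            print(name, sorted(held), "->", "allow" if may_access(attrs, held) else "deny")
```

Run it directly to print the decisions for the two sample stanzas. The conflict-set check runs before the domains check, so a process that holds INTRANET and INTERNET is denied the file object even though INTRANET alone would satisfy FSF_DOM_ANY; the device stanza, which has no secflags line, falls back to FSF_DOM_ALL and therefore needs both INTRANET and APPLICATION.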