/etc/security/domobjs File

Purpose

Contains security attributes for domain-assigned objects.

Description

The /etc/security/domobjs file is an ASCII stanza file that contains domain-assigned objects and their security attributes. Each stanza in the /etc/security/domobjs file is identified by the name of the object, followed by a colon (:). Each stanza contains attributes in the Attribute=Value form. If the object is of type file or device, the name must be the absolute path to the object and cannot contain symbolic links. Each Attribute=Value pair is ended by a newline character, and each stanza is ended by an additional newline character. For an example of a stanza, see Examples.

Note: Domains are not inheritable.

Changes made to the domobjs file do not impact security considerations until the entire domain-assigned object database is sent to the Kernel Security Tables through the setkst command or until the system is rebooted.

Modifying and Listing Entries in the domobjs File

Do not directly edit the /etc/security/domobjs file. Use the following commands to manipulate the domain-assigned object database:
setsecattr
Adds an object entry to, or changes an object entry in, the /etc/security/domobjs file.
lssecattr
Displays attributes and their values.
rmsecattr
Removes an object from the domobjs file.
To write programs that affect entries in the /etc/security/domobjs file, use one or more of the following subroutines:
  • getobjattr
  • getobjattrs
  • putobjattr
  • putobjattrs

Attributes

A stanza in this file contains one or more of the following security attributes:

domains
Defines the list of domains that are allowed access to the object.
conflictsets
Defines the list of domains that are forbidden from accessing the object.
objtype
Defines the type of the object. Valid values are:
  netint
  For network interfaces.
  device
  For block and other devices. The full path to the device should be provided.
  files
  For regular files and directories. The full path to the object should be provided.
  netport
  For ports and port ranges. The port number or range of ports should be prefixed with TCP_ or UDP_.
secflags
The security flags for the object. Valid values are FSF_DOM_ALL and FSF_DOM_ANY. This attribute modifies the access behaviour only for the domains attribute. If the value is FSF_DOM_ANY, any user or process holding any of the domains listed in the domains attribute can access the object. FSF_DOM_ALL mandates that the user or process accessing the object must hold all of the domains listed in the domains attribute. If secflags is not provided, the default of FSF_DOM_ALL is assumed.

Security

The root user and the security group own this file. Read and write access is granted to the root user. Access for other users and groups depends on the security policy for the system.

Examples

The following example for an object displays a typical stanza in the file:
/usr/local/share/myfile:
domains=INTRANET,APPLICATION
conflictsets=INTERNET
objtype=file
secflags=FSF_DOM_ANY

This entry indicates that a user or process desiring access to this object must belong to at least one of the domains INTRANET or APPLICATION (because secflags is FSF_DOM_ANY) and must not belong to the INTERNET domain.
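The following Python script is an added example, not part of the original documentation and not AIX code. It parses stanzas in the format described above and evaluates the access rule the Attributes section states for domains, conflictsets and secflags, so the effect of FSF_DOM_ANY versus the FSF_DOM_ALL default can be checked against a given set of process domains. The sample input is constructed: it contains the page's example stanza plus two invented stanzas (a device object that relies on the default secflags, and a TCP port). The objtype spelling "file" follows the example stanza. Only the rules on this page are modelled; how the kernel treats the root user or a process that holds no domains at all is not covered here.

```python
"""Parser and access check for /etc/security/domobjs stanzas (added example).

Models the rules this page states: a stanza is "name:" followed by
Attribute=Value lines and ended by a blank line; file/device names must be
absolute paths; netport names carry a TCP_ or UDP_ prefix; secflags defaults
to FSF_DOM_ALL; conflictsets always forbid access.
"""
from dataclasses import dataclass

# Constructed sample input: the page's example stanza plus two constructed
# stanzas (a device using the default secflags, and a TCP port).
SAMPLE_DOMOBJS = """\
/usr/local/share/myfile:
domains=INTRANET,APPLICATION
conflictsets=INTERNET
objtype=file
secflags=FSF_DOM_ANY

/dev/rhdisk0:
domains=STORAGE,ADMIN
objtype=device

TCP_8080:
domains=INTRANET
objtype=netport
"""

VALID_SECFLAGS = {"FSF_DOM_ALL", "FSF_DOM_ANY"}
# Assumption: objtype spellings as used by the page's example stanza ("file").
VALID_OBJTYPES = {"file", "device", "netint", "netport"}


@dataclass(frozen=True)
class DomObj:
    name: str
    objtype: str
    domains: frozenset
    conflictsets: frozenset
    secflags: str


def _build(name, attrs):
    """Validate one stanza's attributes against the page's rules."""
    objtype = attrs.get("objtype")
    if objtype not in VALID_OBJTYPES:
        raise ValueError(f"{name}: unknown objtype {objtype!r}")
    if objtype in ("file", "device") and not name.startswith("/"):
        raise ValueError(f"{name}: file/device objects need an absolute path")
    if objtype == "netport" and not name.startswith(("TCP_", "UDP_")):
        raise ValueError(f"{name}: netport names must be prefixed TCP_ or UDP_")
    secflags = attrs.get("secflags", "FSF_DOM_ALL")  # default stated by the page
    if secflags not in VALID_SECFLAGS:
        raise ValueError(f"{name}: bad secflags {secflags!r}")

    def split(value):
        return frozenset(d for d in value.split(",") if d)

    return DomObj(name, objtype, split(attrs.get("domains", "")),
                  split(attrs.get("conflictsets", "")), secflags)


def parse_domobjs(text):
    """Return {object name: DomObj} for every stanza in the text."""
    objs, name, attrs = {}, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                       # blank line ends the stanza
            if name is not None:
                objs[name] = _build(name, attrs)
            name, attrs = None, {}
        elif name is None and line.endswith(":"):
            name, attrs = line[:-1], {}    # stanza header: "name:"
        elif name is not None and "=" in line:
            key, value = line.split("=", 1)
            attrs[key.strip()] = value.strip()
        else:
            raise ValueError(f"malformed line: {raw!r}")
    if name is not None:                   # file may lack a trailing blank line
        objs[name] = _build(name, attrs)
    return objs


def can_access(obj, process_domains):
    """Apply the page's rule: conflictsets forbid, then ANY/ALL over domains."""
    held = frozenset(process_domains)
    if held & obj.conflictsets:            # any forbidden domain blocks access
        return False
    if obj.secflags == "FSF_DOM_ANY":
        return bool(held & obj.domains)    # at least one listed domain
    return obj.domains <= held             # FSF_DOM_ALL: every listed domain


if __name__ == "__main__":
    objs = parse_domobjs(SAMPLE_DOMOBJS)
    for path, held in [("/usr/local/share/myfile", {"INTRANET"}),
                       ("/usr/local/share/myfile", {"INTRANET", "INTERNET"}),
                       ("/dev/rhdisk0", {"STORAGE"}),
                       ("/dev/rhdisk0", {"STORAGE", "ADMIN"})]:
        print(path, sorted(held), "->", can_access(objs[path], held))
```

Running the script shows the two behaviours side by side: the example file grants access to a process holding only INTRANET but refuses one that also holds INTERNET, while the device stanza, which inherits the FSF_DOM_ALL default, refuses a process holding STORAGE alone and grants one holding both STORAGE and ADMIN. Feeding a stanza with a relative path, an unknown objtype or an invalid secflags value raises ValueError, which is the sort of check worth running before handing a modified database to setkst.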