device_allocate(4)




NAME

     device_allocate - device_allocate file


SYNOPSIS

     /etc/security/device_allocate


DESCRIPTION

     The device_allocate file contains mandatory  access  control
     information  about  each  physical  device.  Each  device is
     represented by a one line entry of the form:

          device-name;device-type;reserved;reserved;auths;device-exec

     where

     device-name
           This is an arbitrary ASCII string naming the  physical
           device. This field contains no embedded white space or
           non-printable characters.

     device-type
           This is an arbitrary ASCII string naming  the  generic
           device type. This field identifies and groups together
           devices of like type. This field contains no  embedded
           white space or non-printable characters.

     reserved
           This field is reserved for future use.

     reserved
           This field is reserved for future use.

     auths This field contains a comma-separated list of authori-
           zations  required  to allocate the device, or asterisk
           (*) to indicate that the device is not allocatable, or
           an  '@' symbol to indicate that no explicit authoriza-
           tion is needed to allocate the device.

           The default authorization is  solaris.device.allocate.
           See auths(1).

     device-exec
           This is the physical device's data purge program to be
           run  any  time  the device is acted on by allocate(1).
           This is to ensure that all usable data is purged  from
           the  physical  device  before it is reused. This field
           contains   the    filename    of    a    program    in
           /etc/security/lib  or  the  full pathname of a cleanup
           script provided by the system administrator.

     The device_allocate file is an ASCII file  that  resides  in
     the /etc/security directory.

     Lines in device_allocate can end with a `\' to  continue  an
     entry on the next line.

     Comments may also be included. A `#' makes a comment of  all
     further text until the next NEWLINE not immediately preceded
     by a `\'.

     White space is allowed in any field.

     The device_allocate file  must  be  created  by  the  system
     administrator before device allocation is enabled.

     The device_allocate file is owned by root, with a  group  of
     sys, and a mode of 0644.


EXAMPLES

     Example 1: Declaring an allocatable device

     Declare that physical device st0 is of type st. st is
     allocatable, and the script used to clean the device after
     running deallocate(1) is named /etc/security/lib/st_clean.

     # scsi tape
     st0;\
          st;\
          reserved;\
          reserved;\
          solaris.device.allocate;\
          /etc/security/lib/st_clean

     Example 2: Declaring an allocatable device  with  authoriza-
     tions

     Declare that physical device fd0 is of type fd. fd is  allo-
     catable by users with the solaris.device.allocate authoriza-
     tion, and the script used to clean the device after  running
     deallocate(1) is named /etc/security/lib/fd_clean.

     # floppy drive
     fd0;\
          fd;\
          reserved;\
          reserved;\
          solaris.device.allocate;\
          /etc/security/lib/fd_clean

     Notice that making a device allocatable means that you  need
     to  allocate  and  deallocate it to use it (with allocate(1)
     and deallocate(1)). If a device is  not  allocatable,  there
     will  be  an asterisk (*) in the auths field, and no one can
     use the device.
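
     The following parser and review check is an added example, not
     part of the original man page or of Solaris. It applies the
     continuation, comment, auths and device-exec rules described
     above; the function names, the finding strings and the audio0
     and sr0 sample entries are assumptions made for illustration.

```python
import re

LIB_DIR = "/etc/security/lib"  # bare device-exec filenames live here, per the page

def parse_device_allocate(text):
    """Parse device_allocate contents into a list of entry dicts."""
    # A backslash right before a newline continues the entry (or the comment).
    logical = re.sub(r"\\\r?\n", "", text).splitlines()
    entries = []
    for line in logical:
        line = line.split("#", 1)[0].strip()  # '#' comments out the rest of the line
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]  # white space allowed in fields
        if len(fields) != 6:
            raise ValueError(f"expected 6 ';'-separated fields: {line!r}")
        name, dtype, _res1, _res2, auths, dev_exec = fields
        entries.append({
            "name": name, "type": dtype,
            "allocatable": auths != "*",  # '*' marks the device not allocatable
            "open": auths == "@",         # '@' means no explicit authorization
            "auths": [] if auths in ("*", "@") else
                     [a.strip() for a in auths.split(",") if a.strip()],
            "clean": dev_exec if dev_exec.startswith("/") else f"{LIB_DIR}/{dev_exec}",
        })
    return entries

def audit(entries):
    """Return (device-name, finding) pairs for an administrator to review."""
    findings = []
    for e in entries:
        if e["open"]:
            findings.append((e["name"], "allocatable without any authorization ('@')"))
        if e["clean"].rstrip("/") == LIB_DIR:
            findings.append((e["name"], "no device-exec purge program named"))
        if any(c.isspace() or not c.isprintable() for c in e["name"] + e["type"]):
            findings.append((e["name"], "white space or non-printable in name/type"))
    return findings

# Constructed sample: st0 follows the page's Example 1; audio0 and sr0 are made up.
SAMPLE = """\
# scsi tape
st0;st;\\
     reserved;reserved;\\
     solaris.device.allocate;/etc/security/lib/st_clean
audio0 ; audio ; reserved ; reserved ; @ ; audio_clean   # open device
sr0;sr;reserved;reserved;*;sr_clean
"""
```

     Calling audit(parse_device_allocate(SAMPLE)) returns a single
     finding, for audio0. Because a comment runs to the next NEWLINE
     not preceded by a backslash, a comment line that ends in a
     backslash also swallows the entry on the following line.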


FILES

     /etc/security/device_allocate
           Contains list of allocatable devices


SEE ALSO

     auths(1),    allocate(1),    bsmconv(1M),     deallocate(1),
     list_devices(1), auth_attr(4)


NOTES

     The functionality described in this man  page  is  available
     only  if  the  Basic Security Module (BSM) has been enabled.
     See bsmconv(1M) for more information.

