wlisyspolicy.conf.4 (2011 03)

wlisyspolicy.conf(4)
Optional WLI Product Required
NAME
wlisyspolicy.conf - configuration file for WLI file access policies
DESCRIPTION
The file /etc/wli/wlisyspolicy.conf contains attribute values that have a system-wide effect on accessing files with WLI access controls. Read access to this file is determined by the file system mode access bits. With WLI security enabled, an implicit WLI IBAC policy restricts write access to this file, allowing only the wlisyspolicy(1M) command to change attribute values.
Attribute values in /etc/wli/wlisyspolicy.conf are those that will be in effect following the next system reboot only. They may or may not agree with current attribute values in effect. Current values are cached in kernel memory, and are returned as part of the wlisyspolicy -g response.
This file is instrumental in preventing WLI security degradation without a reboot. All attributes described in this file have a security level associated with their values. If WLI determines that a net downgrade in security results from wlisyspolicy(1M) attribute changes, the current values remain in effect and the changed values are stored in this file to initialize WLI following the next system reboot.
The single section fap (file access policies) contains the attributes and their respective values that will be in effect following reboot:

    fap {
        flac = flacval
        ibac = ibacval
        mode = modeval
        policydowngrade = downgradeval
    }
FLAC (File Lock Access Control) policies are set on individual regular files and directories with the wlipolicy(1M) command. The flac attribute affects enforcement of WLI FLAC policies and has two possible values:

    enabled      All file FLAC policies will be enforced in accordance with the value of the mode attribute described below.
    disabled     All file FLAC policies will not be enforced regardless of the mode attribute value.
IBAC (Identity based Access Control) policies are set on individual regular files with the wlipolicy(1M) command. The ibac attribute affects enforcement of WLI IBAC policies and has two possible values:

    enabled      All file IBAC policies will be enforced in accordance with the value of the mode attribute described below.
    disabled     All file IBAC policies will not be enforced regardless of the mode attribute value.
The mode attribute has three possible values, and affects how IBAC and FLAC access violations are handled. In order of increasing security, they are:

    maintenance  Access violations are not reported or enforced, even with IBAC and FLAC policies enabled.
    restricted   Access violations are reported and enforced. A violation will result in failure of the open() on the target file.
The policydowngrade attribute controls how WLI policy attributes are updated. A change in value of this attribute results in a security upgrade or downgrade. The permitted values for downgrade are:

    immediate    All attribute value changes by wlisyspolicy(1M) are in effect immediately, regardless of whether the outcome results in a security upgrade or downgrade.
    deferred     Any wlisyspolicy(1M) attribute change that would lead to a security downgrade is postponed until the system is rebooted. Attribute changes that result in a security upgrade are immediate.
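
The following audit sketch is an added example, not part of the HP manual page or of WLI. It parses the fap section, flags next-boot values that this page describes as weakening enforcement, and lists attributes whose next-boot value differs from the value currently in effect. It assumes whitespace around "=" is not significant and that current values are supplied by the caller as a dict; the function names and sample data are constructed for illustration.

```python
import re

# Values this page describes as switching enforcement off or weakening it.
WEAK = {
    "flac": {"disabled": "FLAC policies not enforced regardless of mode"},
    "ibac": {"disabled": "IBAC policies not enforced regardless of mode"},
    "mode": {"maintenance": "violations neither reported nor enforced"},
    "policydowngrade": {"immediate": "downgrades take effect without a reboot"},
}

def parse_fap(text):
    """Return the attributes of the fap { ... } section as a dict."""
    section = re.search(r"\bfap\s*\{(.*?)\}", text, re.S)
    if section is None:
        raise ValueError("no fap section found")
    # \s* also spans a line break between '=' and the value.
    return dict(re.findall(r"(\w+)\s*=\s*(\w+)", section.group(1)))

def audit(attrs):
    """List (attribute, value, reason) for missing or weak next-boot values."""
    findings = []
    for name, weak_values in WEAK.items():
        value = attrs.get(name)
        if value is None:
            findings.append((name, None, "attribute missing from fap section"))
        elif value in weak_values:
            findings.append((name, value, weak_values[value]))
    return findings

def pending(attrs, current):
    """Map attribute -> (current value, next-boot value) where they differ."""
    return {k: (current.get(k), v) for k, v in attrs.items() if current.get(k) != v}

# Constructed sample: file contents after an IBAC disable was deferred.
SAMPLE_CONF = """fap {
    flac = enabled
    ibac = disabled
    mode = restricted
    policydowngrade = deferred
}"""
# Constructed stand-in for the values in effect; the wlisyspolicy -g output
# format is not shown on this page, so the values are passed in as a dict.
SAMPLE_CURRENT = {"flac": "enabled", "ibac": "enabled",
                  "mode": "restricted", "policydowngrade": "deferred"}

if __name__ == "__main__":
    attrs = parse_fap(SAMPLE_CONF)
    print(audit(attrs))
    print(pending(attrs, SAMPLE_CURRENT))
```

A non-empty result from pending() means the next reboot will change enforcement, which is worth reviewing before a maintenance window.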
AUTHOR
The wlisyspolicy.conf file was developed by HP.
HP-UX 11iv3: Sep 2010 Web Release 1 Hewlett-Packard Company 1
