Manualshelf

Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX Security Products and Features Software
11121314151617181920
2.3.1 .$WLI_FSPARMS$
These metadata files are regular files containing metadata storage types for the file system where
they reside. This file always appears in the root directory of a file system that also contains WLI
metadata. The metadata storage type is indicated by the wmdstoretype parameter. For details, see
wlisys(1M). The following storage types are available:
auto If the file system is VxFS at revision 5.0.1 or later, metadata is stored in a named
stream. A named stream is associated with the protected file inode and not accessible
to most commands. For VxFS file systems at revision 5.0 or earlier and all other file
system types, metadata storage is the same as described in the following entry for
pseudo.
pseudo Metadata is stored separately in files within directories always named
.$WLI_POLICY$, described in the following section. These metadata directories
always reside in the parent directory of the policy protected files.
2.3.2 .$WLI_POLICY$
Directories named .$WLI_POLICY$ contain policy metadata files, and appear if the wmdstoretype
parameter has value pseudo, or the file system type is VxFS 5.0 or earlier. These directories also
appear for all non-VxFS file systems. In addition to write protection, WLI does not allow read
access to all files under directories with this name.
Each file in this directory has the same name as a file that is assigned an access policy through
wlipolicy in the parent directory. For example, if /tmp contains the following files with WLI
access policies:
% ls -l /tmp/JdMB4NJ1 /tmp/T1df07xe
-rw------- 1 joe users 2723 May 4 14:49 /tmp/JdMB4NJ1
-rw------- 1 joe users 8199 Jun 3 20:46 /tmp/T1df07xe
Then, /tmp/ .$WLI_POLICY$ contains the corresponding policy metadata files:
% ls -l /tmp/.\$WLI_POLICY\$
-rw------- 1 joe users 2048 Jul 15 15:29 JdMB4NJ1
-rw------- 1 joe users 2048 Jun 3 20:47 T1df07xe
NOTE: The ’\’ escape character is used to escape ‘$’, a special character to shell interpreters.
2.3.3 .$WLI_SIGNATURE$
Directories named .$WLI_SIGNATURE$ contain signature metadata files. In addition to write
protection, WLI does not allow read access to all files under directories with this name.
Each file in this directory has the same name as a non ELF binary that is signed with wlisign
in the parent directory. For example, if /tmp contains non ELF binaries:
% ls -l CXkiELYm wpSzpxzI
-rw------- 1 joe users 1809 Dec 9 2009 /tmp/CXkiELYm
-rw------- 1 joe users 1809 Mar 21 03:13 /tmp/wpSzpxzI
Then, /tmp/ .$WLI_SIGNATURE$ contains the corresponding signature metadata files:
% ls -l /tmp/.\$WLI_SIGNATURE\$
-rw------- 1 joe users 2048 Jul 15 01:33 /tmp/CXkiELYm
-rw------- 1 joe users 2048 Jul 15 01:36 /tmp/wpSzpxzI
NOTE: The ’\’ escape character is used to escape ‘$’, a special character to shell interpreters.
ELF-formatted binaries signed by wlitool or wlisign store their signature metadata within
a section of the binary file and do not have separate metadata files.
2.3 WLI metadata files 17