CLEARANCE(4) CLEARANCE(4) NAME clearance - user clearance label information file DESCRIPTION The /etc/clearance file contains the following information for each user: name User's login name - contains no upper case characters and must not be greater than eight characters long. The name must be unique. default security label It is used as the default label when the user doesn't specify the label at login time. If this field doesn't exist the user will be forced to enter their security label. This field cannot be a label range. This label lie within the range of the security clearance label field. security clearance label Security clearance range or range(s) can be defined. An entry beginning with # is ignored as a comment. The clearance file is an ASCII character file. Each field within an entry is separated from the next field by a colon. Each user entry is separated from the next by a new-line. The name field is the key between the the clearance(4) and the passwd(4) file. So both files need to have entries to validate users. The default security label field is the label at which the user of the account will login at if they don't choose a security label when prompted during the log in process. If the default security label field is null the user must then explicitly enter a security label that is valid label in the security clearance label field before being allowed to log in. A security range is not permitted in the default label field. If the security clearance label field is null, that user will have an invalid label. A user with an invalid label will not be allowed to log in. If any incorrectly formed security label is detected in the security clearance label field the whole field is considered invalid. Multiple security clearance(s) can be declared within the security clearance field. The syntax for defining multiple security clearance(s) is that a blank space separates the security clearance(s) and three (3) periods ("...") defines a security range. For example, "dblow...dbadmin" is a security range with the lowest label on the right and the highest label on the left. A single security clearance range can be denoted by using the security label "userlow" or "userlow...userlow". Single label security clearance(s) and security clearance range(s) can be mixed. Because of the security label information, access to this file is restricted to trusted programs. EXAMPLES Here is a example /etc/clearance file : Betty:adminlabel midlabel...highlabel lowlabel Bubba:lowlabel midlabel adminlabel Bubbles:lowlabel...midlabel highlabel...adminlabel Betty is cleared for lowlabel, the label range from midlabel to highlabel, and adminlabel. Bubba is cleared for lowlabel, midlabel and adminlabel only (notice no clearance ranges). Bubbles is cleared for the security ranges between lowlabel to midlabel and highlabel to adminlabel. duck:userlow:userlow dblow...dblow bill:userlow dblow...dbadmin In this example, there are specific entries for users duck and bill. Duck has a security default label of "userlow" which must be a valid label in the clearance field and has the ability to login with a security label of "dblow". Note : "dblow...dblow" is equal to "dblow" since a single security label is really a security range that only spans one security label. The bill account has not specified a default security label which means that the account bill must explicitly specify the security label that they wish to login at. FILES /etc/clearance SEE ALSO a64l(3C), crypt(3), fgetpwent(3), getuserinfoent(3), group(4), login(1), mac_cleared(3C), netgroup(4) and passwd(4). Page 2