C.3.4 Disabling a FLAC policy
After the system is rebooted (the final task of WLI configuration), WLI is in its highest security state. To disable FLAC policy enforcement:
1. The administrator removes
%wlisyspolicy
If the downgrade attribute is set to deferred, the wlisyspolicy command returns a message indicating that a reboot is required before the security downgrade takes effect.
2. The administrator removes the authorization for /home/usr1/usr.pub:
%wlicert
C.3.5 Removing a FLAC policy
To remove a FLAC policy as a user:
%wlipolicy
To remove a FLAC policy as administrator:
%wlipolicy
C.4 IBAC policies
An IBAC policy prevents a regular file or directory from being accessed by all binary executables except those explicitly identified. The access restrictions apply to all users including root user. Multiple IBAC policies can be assigned to a file. A user must own a file to assign it an IBAC policy. In the following example, the file /tmp/secret is assigned an IBAC policy allowing /usr/bin/cat access. The administrator private key is /home/adm/adm.pvt. The user private key file is /home/usr1/usr.pvt and the user public key file is /home/usr1/usr.pub.
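The following is an added model of the IBAC rules stated above, not WLI code: it shows that a protected file is opened only by the executables named in its enabled policies, that the caller's UID (root included) plays no part in the decision, that only the file's owner can attach a policy, that only a signed executable can be named, and that several policies can accumulate on one file. The sign, create and enable methods correspond to the wlisign, wlipolicy and wlicert steps of C.4.1 and C.4.2; the sample binaries, the key bytes and the user names usr1 and usr2 are constructed for the example, and the signature is modelled as a keyed hash rather than the asymmetric signature WLI produces.

```python
import hashlib
import hmac

# Constructed sample "binaries" (path -> contents); stand-ins for real executables.
SAMPLE_BINARIES = {
    "/usr/bin/cat": b"ELF cat binary (constructed sample)",
    "/usr/bin/more": b"ELF more binary (constructed sample)",
}
# Constructed key material standing in for the private key file /home/usr1/usr.pvt.
USER_KEY = b"constructed stand-in for /home/usr1/usr.pvt"


def signature_of(contents: bytes, key: bytes) -> str:
    """Model of a wlisign signature: HMAC-SHA256 over the executable's contents.
    (WLI signs with an asymmetric key pair; a keyed hash keeps the model short.)"""
    return hmac.new(key, contents, hashlib.sha256).hexdigest()


class IbacModel:
    """Model of IBAC state: file ownership, signed executables and policies."""

    def __init__(self, file_owners):
        self.file_owners = dict(file_owners)   # protected path -> owning user
        self.binaries = dict(SAMPLE_BINARIES)   # executable -> current contents
        self.signatures = {}                    # executable -> (key, signature)
        self.policies = {}                      # target -> {executable: enabled}

    def sign(self, executable, key):
        """wlisign step: record a signature over the executable as it is now."""
        self.signatures[executable] = (key, signature_of(self.binaries[executable], key))

    def create_policy(self, user, target, executable):
        """wlipolicy step: the user must own the target and the executable must
        already be signed; the new policy is not enforced until it is enabled."""
        if self.file_owners.get(target) != user:
            raise PermissionError(f"{user} does not own {target}")
        if executable not in self.signatures:
            raise ValueError(f"{executable} is not signed")
        self.policies.setdefault(target, {})[executable] = False

    def enable_policy(self, target, executable):
        """wlicert step: the administrator enables the policy for enforcement."""
        self.policies[target][executable] = True

    def signature_valid(self, executable):
        """The policy names a signed identity; if the executable's contents changed
        after signing, the signature no longer matches and it is not trusted."""
        key, expected = self.signatures[executable]
        return hmac.compare_digest(expected, signature_of(self.binaries[executable], key))

    def check_access(self, uid, executable, target):
        """Decision for `executable`, run by `uid`, opening `target`.
        `uid` is accepted but never consulted: IBAC restricts root as well."""
        enabled = [e for e, on in self.policies.get(target, {}).items() if on]
        if not enabled:
            return True  # no enabled IBAC policy: ordinary permissions decide (not modelled)
        return executable in enabled and self.signature_valid(executable)


def demo():
    """Walk through the C.4 example: usr1 owns /tmp/secret and allows /usr/bin/cat."""
    m = IbacModel({"/tmp/secret": "usr1"})
    out = {}
    out["before_policy_more_root"] = m.check_access(0, "/usr/bin/more", "/tmp/secret")
    m.sign("/usr/bin/cat", USER_KEY)                          # C.4.1: sign the binary
    m.create_policy("usr1", "/tmp/secret", "/usr/bin/cat")   # C.4.1: create the policy
    out["created_not_enabled_more_root"] = m.check_access(0, "/usr/bin/more", "/tmp/secret")
    m.enable_policy("/tmp/secret", "/usr/bin/cat")            # C.4.2: enable the policy
    out["cat_user"] = m.check_access(1001, "/usr/bin/cat", "/tmp/secret")
    out["cat_root"] = m.check_access(0, "/usr/bin/cat", "/tmp/secret")
    out["more_root"] = m.check_access(0, "/usr/bin/more", "/tmp/secret")  # root is not exempt
    try:  # usr2 does not own /tmp/secret and cannot attach a policy to it
        m.create_policy("usr2", "/tmp/secret", "/usr/bin/more")
        out["other_user_policy"] = "allowed"
    except PermissionError:
        out["other_user_policy"] = "refused"
    try:  # an unsigned executable cannot be named in a policy
        m.create_policy("usr1", "/tmp/secret", "/usr/bin/more")
        out["unsigned_policy"] = "allowed"
    except ValueError:
        out["unsigned_policy"] = "refused"
    m.sign("/usr/bin/more", USER_KEY)                         # second policy on the same file
    m.create_policy("usr1", "/tmp/secret", "/usr/bin/more")
    m.enable_policy("/tmp/secret", "/usr/bin/more")
    out["more_root_second_policy"] = m.check_access(0, "/usr/bin/more", "/tmp/secret")
    m.binaries["/usr/bin/cat"] = b"replaced cat binary"       # executable altered after signing
    out["cat_after_tamper"] = m.check_access(0, "/usr/bin/cat", "/tmp/secret")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `uid` argument exists only to make the point visible: a policy decision that never reads it is what "applies to all users including root" means in practice. The tamper case is the reason the executable must be signed before it can be named: the policy binds a file to an executable's verified identity, not to a path name.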
C.4.1 Creating an IBAC policy
A binary executable must be signed to be specified in an IBAC policy. To sign /usr/bin/cat:
%wlisign -a -k /home/usr1/usr.pvt /usr/bin/cat
The user must have write permission on /usr/bin/cat. Normally only root with user ID 0 can generate this signature.
To generate the IBAC policy:
%wlipolicy
Both of the preceding operations prompt for the passphrase of /home/usr1/usr.pvt.
C.4.2 Enabling an IBAC policy
To enforce the IBAC policy:
%wlicert
A prompt appears for the passphrase for /home/adm/adm.pvt.
C.4.3 Testing an IBAC policy
This example tests the IBAC policy created and enabled in the previous sections. Assume /tmp/secret has only the IBAC policy for /usr/bin/cat, as assigned above. Verify with:
%wlisyspolicy -g
The returned messages must include: