acfsutil sec rule create

Purpose

Creates a security rule.

Syntax and Description

acfsutil sec rule create -h
acfsutil sec rule create rule -m mount_point
     -t rule_type rule_value
     [-o {ALLOW|DENY}]

acfsutil sec rule create -h displays help text and exits.

Table 16-69 contains the options available with the acfsutil sec rule create command.


Table 16-69 Options for the acfsutil sec rule create command

Option Description

rule

Specifies the name of the rule. If the name contains a space, enclose it in quotes (" ").

-m mount_point

Specifies the directory where the file system is mounted.

-t rule_type rule_value

Specifies a rule type and a rule value. The rule type can be application, hostname, time, or username. The rule value depends on the type of rule. The valid rule types and values are described in this section.

-o option

Specifies the rule option, preceded by -o. The option can be ALLOW or DENY. The default value is DENY.


The acfsutil sec rule create command creates a new rule in the Oracle ACFS file system specified by the mount point. The new rule can be added to a rule set and that rule set can be added to a security realm.

A maximum of 500 Oracle ACFS security rules can be created.

The rule types and associated rule values are:

  • application

    This rule type specifies the name of an application that is allowed or denied access to the objects protected by a realm.

  • hostname

    This rule type specifies the name of a computer from which a user accesses the objects protected by a realm. Access from a node can be allowed or denied using this rule. The hostname should be one of the cluster node names and not any other external node that may have mounted the Oracle ACFS file system as a Network File System (NFS) mount.

  • time

    This rule type specifies a time interval in the form start_time,end_time during which access to a realm is allowed or denied. By setting this rule in a realm, access to the objects protected by that realm can be restricted to certain times of the day. The time is based on the local time of the host.

  • username

    This rule type specifies the name of a user to be added to or deleted from a realm. You can use this option to deny access for any user that belongs to a security group that is part of a realm.

Only a security administrator can run this command.

Examples

The following example shows the use of the acfsutil sec rule create command.

Example 16-63 Using the acfsutil sec rule create command

$ /sbin/acfsutil sec rule create my_security_rule -m /acfsmounts/acfs1
      -t username security_user_one -o ALLOW
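The following added example is not part of the Oracle documentation. It wraps the command syntax above in a small POSIX shell helper that checks the rule type, rule value and -o option before printing the command line that would be run, so an administrator can review the exact invocation first. The HH:MM form of the time interval, the /sbin/acfsutil path and all rule names and mount points used below are assumptions.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: validate the arguments of
# an acfsutil sec rule create invocation and print the resulting command line
# (dry run) so a security administrator can review it before executing it.
# The HH:MM form of the time interval and all names below are assumptions.

# Accept only a 24-hour HH:MM clock value.
valid_hhmm() {
    case $1 in
        [01][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Check a rule value against its rule type; a non-zero exit means reject.
validate_rule_value() {
    _type=$1 _value=$2
    case $_type in
        application|hostname|username)
            # Must be non-empty and free of whitespace, which the shell would
            # otherwise split into extra arguments.
            [ -n "$_value" ] && [ "${_value%%[[:space:]]*}" = "$_value" ] ;;
        time)
            # Interval is start_time,end_time; both halves must be HH:MM.
            case $_value in
                *,*) valid_hhmm "${_value%%,*}" && valid_hhmm "${_value#*,}" ;;
                *) return 1 ;;
            esac ;;
        *)
            return 1 ;;   # not one of the four documented rule types
    esac
}

# Build the command: build_rule_cmd NAME MOUNT_POINT TYPE VALUE [ALLOW|DENY]
# The rule name is always quoted because names may contain spaces.
build_rule_cmd() {
    _name=$1 _mount=$2 _type=$3 _value=$4 _opt=${5:-DENY}   # DENY is the documented default
    validate_rule_value "$_type" "$_value" ||
        { echo "rejected: bad $_type value '$_value'" >&2; return 1; }
    case $_opt in
        ALLOW|DENY) ;;
        *) echo "rejected: -o must be ALLOW or DENY" >&2; return 1 ;;
    esac
    printf '/sbin/acfsutil sec rule create "%s" -m %s -t %s %s -o %s\n' \
        "$_name" "$_mount" "$_type" "$_value" "$_opt"
}

# Constructed samples: a time window left at the DENY default, and an explicit ALLOW.
build_rule_cmd "office hours" /acfsmounts/acfs1 time 09:00,17:00
build_rule_cmd my_security_rule /acfsmounts/acfs1 username security_user_one ALLOW
```

Replace the final printf with an actual invocation only after the printed command lines have been reviewed; rejected inputs exit non-zero without printing a command.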