.Dd 11/14/11               \" DATE 
.Dt spctl 8      \" Program name and manual section number 
.Os Darwin
.Sh NAME                 \" Section Header - required - don't modify 
.Nm spctl
.Nd SecAssessment system policy security
.Sh SYNOPSIS             \" Section Header - required - don't modify
.Nm
.Ar --assess
.Op Fl t Ar type
.Op Fl Dv
.Ar
.Nm
.Ar --enable | --disable
.Nm
.Ar --status

.Sh DESCRIPTION          \" Section Header - required - don't modify
.Nm
manages the security assessment policy subsystem. This subsystem maintains and evaluates
rules that determine whether the system allows the installation, execution,
and other operations on files on the system.
.Sh OPTIONS
.Nm
requires one command option that determines its principal operation:
.Bl -tag -width -indent  \" Differs from above in tag removed 
.It Fl a, -assess
Requests that
.Nm
perform an assessment on the
.Ar files
given.
.It Fl -enable
Enable the assessment subsystem. Operations that are denied by system policy will fail.
Requires root access.
.It Fl -disable
Disable the assessment subsystem. Operations that would be denied by system policy will
be allowed to proceed.
Requires root access.
.It Fl -status
Query whether the assessment subsystem is enabled or disabled.
.El                      \" Ends the list

In addition, the following options are recognized:

.Bl -tag -width -indent  \" Differs from above in tag removed 
.It Fl -continue
If the assessment of a file fails, continue assessing additional file arguments.
Without this option, the first failed assessment terminates operation.
.It Fl -ignore-cache
Do not query or use the assessment object cache. This may significantly slow down operation.
Newly generated assessments may still be stored in the cache.
.It Fl -no-cache
Do not place the outcome of any assessments into the assessment object cache. No other assessment
may reuse this outcome. This option does not prohibit the use of existing cache entries.
.It Fl -raw
When displaying the outcome of an assessment, write it as a "raw" XML plist instead of presenting it
in a somewhat more friendly form. This is useful when used in scripts, or to access newly invented
assessment aspects that
.Nm
does not yet know about.
.It Fl t, -type
Specify which type of assessment is desired:
.Ar execute
to assess code execution,
.Ar install
to assess installation of an installer package, and
.Ar open
to assess the opening of documents. The default is to assess execution.
.It Fl v, -verbose
Requests more verbose output. Repeat the option or give it a higher numeric value to increase verbosity.
.El                      \" Ends the list
.Pp
.Sh FILES                \" File used or created by the topic of the man page
.Bl -tag -width "/var/db/SystemPolicy" -compact
.It Pa /var/db/SystemPolicy
The system policy database.
.El                      \" Ends the list
.Sh DIAGNOSTICS       \" May not be needed
.Nm
exits zero on success, or one if an operation has failed. Exit code two indicates
unrecognized or unsuitable arguments. If an assessment operation results in denial
but no other problem has occurred, the exit code is three.
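The exit codes above let a script tell a policy denial (three) apart from a failed or mis-invoked run (one or two). The following sh functions are an added example, not part of the original manual page; the names spctl_verdict and audit are hypothetical, and spctl is called once per file so that each exit code belongs to exactly one file.

```shell
#!/bin/sh
# Added example, not from the original manual page.
# Function names are hypothetical; exit-code meanings follow DIAGNOSTICS.

# spctl_verdict CODE: translate an spctl exit code into a verdict word.
spctl_verdict() {
    case "$1" in
        0) echo accepted ;;      # assessment succeeded
        3) echo denied ;;        # denied by policy, no other problem
        2) echo usage-error ;;   # unrecognized or unsuitable arguments
        1) echo failed ;;        # the operation itself failed
        *) echo unknown ;;
    esac
}

# audit TYPE FILE...: assess each file with "spctl --assess -t TYPE" and
# print "verdict<TAB>file" per file. TYPE is execute, install or open.
# Returns 1 if any run failed or was mis-invoked, else 3 if any file was
# denied, else 0, so a denial is never hidden behind a success.
audit() {
    atype=$1; shift
    denied=0 errors=0
    for f in "$@"; do
        rc=0
        # "|| rc=$?" keeps the loop alive when the caller uses "set -e".
        spctl --assess -t "$atype" "$f" >/dev/null 2>&1 || rc=$?
        printf '%s\t%s\n' "$(spctl_verdict "$rc")" "$f"
        case "$rc" in
            0) ;;
            3) denied=$((denied + 1)) ;;
            *) errors=$((errors + 1)) ;;
        esac
    done
    if [ "$errors" -gt 0 ]; then return 1; fi
    if [ "$denied" -gt 0 ]; then return 3; fi
    return 0
}
```

An error takes precedence over a denial in the return value because a run that failed says nothing about whether policy would have allowed the file.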
.Sh SEE ALSO 
.Xr syspolicyd 8
.Xr codesign 1
.\" .Sh BUGS              \" Document known, unremedied bugs 
.Sh HISTORY           \" Document history if command behaves in a unique manner
The system policy facility and
.Nm
command first appeared in Mac OS X Lion 10.7.3 as a limited developer preview.