.Dd 11/14/11 \" DATE
.Dt spctl 8 \" Program name and manual section number
.Os Darwin
.Sh NAME \" Section Header - required - don't modify
.Nm spctl
.Nd SecAssessment system policy security
.Sh SYNOPSIS \" Section Header - required - don't modify
.Nm
.Ar --assess
.Op Fl t Ar type
.Op Fl Dv
.Ar
.Nm
.Ar --enable | --disable
.Nm
.Ar --status
.Sh DESCRIPTION \" Section Header - required - don't modify
.Nm
manages the security assessment policy subsystem.
This subsystem maintains and evaluates rules that determine whether the system
allows the installation, execution, and other operations on files on the system.
.Sh OPTIONS
.Nm
requires one command option that determines its principal operation:
.Bl -tag -width -indent \" Differs from above in tag removed
.It Fl a, -assess
Requests that
.Nm
perform an assessment on the
.Ar files
given.
.It Fl -enable
Enable the assessment subsystem.
Operations that are denied by system policy will fail.
Requires root access.
.It Fl -disable
Disable the assessment subsystem.
Operations that would be denied by system policy will be allowed to proceed.
Requires root access.
.It Fl -status
Query whether the assessment subsystem is enabled or disabled.
.El \" Ends the list
In addition, the following options are recognized:
.Bl -tag -width -indent \" Differs from above in tag removed
.It Fl -continue
If the assessment of a file fails, continue assessing additional file arguments.
Without this option, the first failed assessment terminates operation.
.It Fl -ignore-cache
Do not query or use the assessment object cache.
This may significantly slow down operation.
Newly generated assessments may still be stored in the cache.
.It Fl -no-cache
Do not place the outcome of any assessments into the assessment object cache.
No other assessment may reuse this outcome.
This option does not prohibit the use of existing cache entries.
.It Fl -raw
When displaying the outcome of an assessment, write it as a "raw" XML plist
instead of parsing it into a somewhat friendlier form.
This is useful when used in scripts, or to access newly invented assessment
aspects that
.Nm
does not yet know about.
.It Fl t, -type
Specify which type of assessment is desired:
.Ar execute
to assess code execution,
.Ar install
to assess installation of an installer package, and
.Ar open
to assess the opening of documents.
The default is to assess execution.
.It Fl v, -verbose
Requests more verbose output.
Repeat the option or give it a higher numeric value to increase verbosity.
.El \" Ends the list
.Pp
.Sh FILES \" File used or created by the topic of the man page
.Bl -tag -width "/var/db/SystemPolicy" -compact
.It Pa /var/db/SystemPolicy
The system policy database.
.El \" Ends the list
.Sh DIAGNOSTICS \" May not be needed
.Bl -diag
.Nm
exits zero on success, or one if an operation has failed.
Exit code two indicates unrecognized or unsuitable arguments.
If an assessment operation results in denial but no other problem has occurred,
the exit code is three.
.El
.Sh SEE ALSO
.Xr syspolicyd 8 ,
.Xr codesign 1
.\" .Sh BUGS \" Document known, unremedied bugs
.Sh HISTORY \" Document history if command behaves in a unique manner
The system policy facility and
.Nm
command first appeared in Mac OS X Lion 10.7.3 as a limited developer preview.
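.Sh EXAMPLES
The exit codes listed under DIAGNOSTICS let a script tell a policy denial apart from an operational failure, which matters when an assessment gates a build or deployment step.
The shell functions below are an added example, not part of the original manual page; the helper names spctl_verdict and assess_all are hypothetical, and only options documented above are used.

```shell
#!/bin/sh
# Added example: classify spctl(8) results by the exit codes in DIAGNOSTICS.
# spctl_verdict and assess_all are hypothetical helper names.
# Usage (path is a constructed sample): assess_all execute /Applications/Example.app

# Map an spctl exit status to a verdict word.
spctl_verdict() {
    case "$1" in
        0) echo accepted ;;   # assessment succeeded
        3) echo denied ;;     # denied by policy, no other problem occurred
        2) echo usage ;;      # unrecognized or unsuitable arguments
        1) echo error ;;      # an operation has failed
        *) echo unknown ;;    # status not documented on the page
    esac
}

# assess_all KIND FILE...
# KIND is one of: execute, install, open.
# Each file is assessed in its own spctl call so that one denial does not
# hide the results for the remaining files.
# Prints "verdict<TAB>file" per file. Returns 0 only if every file was
# accepted, 3 if the worst outcome was a denial, and 1 for anything else,
# so callers fail closed on errors as well as denials.
assess_all() {
    kind=$1
    shift
    worst=0
    for f in "$@"; do
        rc=0
        spctl --assess --type "$kind" "$f" >/dev/null 2>&1 || rc=$?
        verdict=$(spctl_verdict "$rc")
        printf '%s\t%s\n' "$verdict" "$f"
        case "$verdict" in
            accepted) ;;
            denied)   if [ "$worst" -eq 0 ]; then worst=3; fi ;;
            *)        worst=1 ;;
        esac
    done
    return "$worst"
}
```

A caller can treat status 3 as a finding about the file and status 1 as a problem with the assessment run itself, and block the pipeline in both cases.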