FreeBSD Manual Pages

MAC(4)                   BSD Kernel Interfaces Manual                   MAC(4)

NAME
     mac -- Mandatory Access Control

SYNOPSIS
     options MAC

DESCRIPTION
     The Mandatory Access Control, or MAC, framework allows administrators to
     finely control system security by providing for a loadable security
     policy architecture.  It is important to note that due to its nature, MAC
     security policies may only further restrict security; they cannot
     override traditional UNIX security provisions such as file permissions
     and superuser checks.

     Currently, the following MAC policy modules are shipped with FreeBSD:

     Name                 Description                 Labeling  Load time
     mac_biba(4)          Biba integrity policy       yes       boot only
     mac_bsdextended(4)   File system firewall        no        any time
     mac_ifoff(4)         Interface silencing         no        any time
     mac_lomac(4)         Low-Watermark MAC policy    yes       boot only
     mac_mls(4)           Confidentiality policy      yes       boot only
     mac_none(4)          Sample no-op policy         no        any time
     mac_partition(4)     Process partition policy    yes       any time
     mac_seeotheruids(4)  See-other-UIDs policy       no        any time
     mac_test(4)          MAC testing policy          no        any time

   MAC Labels
     Each system subject (processes, sockets, etc.) and each system object
     (file system objects, sockets, etc.) can carry with it a MAC label.  MAC
     labels can contain data in an arbitrary format used by the MAC policies
     to help determine access rights for a given operation.  Most MAC labels
     on system subjects and objects can be modified directly or indirectly by
     the system administrator.  More information on the format for MAC labels
     can be found in the maclabel(7) man page.

   Setting MAC labels
     From the command line, each type of system object has its own means for
     setting and modifying its MAC policy label.

           Subject/Object          Utility
           File system object      setfmac(8)
           Network interface       ifconfig(8)
           TTY (by login class)    login.conf(5)
           User (by login class)   login.conf(5)

     Additionally, the setpmac(8) command can be used to run a command with a
     different process label than the shell's current label.

   Programming With MAC
     MAC security enforcement itself is transparent to application programs,
     with the exception that some programs may need to be aware of additional
     errno(2) returns from various system calls.

     The interface for retrieving, handling, and setting policy labels is
     documented in the mac(3) man page.
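     As an added example (not from this page or the FreeBSD sources) tying
     the label handling above to the extra errno returns: a small C program
     that reads a file's label with the mac(3) calls mac_prepare_file_label(),
     mac_get_file() and mac_to_text().  It assumes a FreeBSD host with options
     MAC and a populated /etc/mac.conf; on any other host the stubbed calls
     make it report ENOSYS, the same value a kernel built without MAC returns.

```c
/* Added example (not from mac(4) or FreeBSD): read a file's MAC label via
 * mac(3) and explain the errno values a MAC-aware program must expect. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __FreeBSD__
#include <sys/mac.h>
#else /* no mac(3) off FreeBSD: stub it; ENOSYS is also what a kernel without options MAC returns */
typedef void *mac_t;
static int mac_prepare_file_label(mac_t *m) { (void)m; errno = ENOSYS; return -1; }
static int mac_get_file(const char *p, mac_t m) { (void)p; (void)m; errno = ENOSYS; return -1; }
static int mac_to_text(mac_t m, char **t) { (void)m; *t = NULL; errno = ENOSYS; return -1; }
static void mac_free(mac_t m) { (void)m; }
#endif
/* Hints for the additional errno returns mac(4) says programs may see. */
const char *mac_errno_hint(int err)
{
    if (err == ENOSYS) return "kernel built without options MAC";
    if (err == EPERM || err == EACCES) return "denied by a MAC policy or by UNIX permissions";
    if (err == EINVAL) return "label element not understood by any loaded policy";
    return strerror(err);
}

/* Label of path as text, e.g. "biba/high,mls/low"; malloc'd, or NULL with errno
 * set.  mac_prepare_file_label() reads default_file_labels from /etc/mac.conf. */
char *fetch_file_label(const char *path)
{
    mac_t label;
    char *text = NULL;
    if (mac_prepare_file_label(&label) != 0)
        return NULL;
    int rc = mac_get_file(path, label);
    if (rc == 0)
        rc = mac_to_text(label, &text);   /* text is owned by the caller */
    mac_free(label);
    return rc == 0 ? text : NULL;
}

int main(int argc, char **argv)
{
    char *text = fetch_file_label(argc > 1 ? argv[1] : "/etc/passwd");
    if (text == NULL) {
        fprintf(stderr, "%s (%s)\n", strerror(errno), mac_errno_hint(errno));
        return 1;
    }
    puts(text);
    free(text);
    return 0;
}
```

     The printed label is the same text getfmac(8) shows, so the program can
     be used to confirm what setfmac(8) applied.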

SEE ALSO
     mac(3), mac_biba(4), mac_bsdextended(4), mac_ifoff(4), mac_lomac(4),
     mac_mls(4), mac_none(4), mac_partition(4), mac_seeotheruids(4),
     mac_test(4), login.conf(5), maclabel(7), getfmac(8), setfmac(8),
     getpmac(8), setpmac(8), mac(9)

HISTORY
     The mac implementation first appeared in FreeBSD 5.0 and was developed by
     the TrustedBSD Project.

AUTHORS
     This software was contributed to the FreeBSD Project by Network
     Associates Labs, the Security Research Division of Network Associates
     Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of
     the DARPA CHATS research program.

BSD                             JANUARY 8, 2003                             BSD
