FreeBSD Manual Pages
MAC(4)                  BSD Kernel Interfaces Manual                  MAC(4)

NAME
     mac -- Mandatory Access Control

SYNOPSIS
     options MAC

DESCRIPTION
   Introduction
     The Mandatory Access Control, or MAC, framework allows administrators to
     finely control system security by providing for a loadable security
     policy architecture.  It is important to note that due to its nature,
     MAC security policies may only further restrict security; they cannot
     override traditional UNIX security provisions such as file permissions
     and superuser checks.

     Currently, the following MAC policy modules are shipped with FreeBSD:

     Name                   Description                Labeling   Load time
     mac_biba(4)            Biba integrity policy      yes        boot only
     mac_bsdextended(4)     File system firewall       no         any time
     mac_ifoff(4)           Interface silencing        no         any time
     mac_lomac(4)           Low-Watermark MAC policy   yes        boot only
     mac_mls(4)             Confidentiality policy     yes        boot only
     mac_none(4)            Sample no-op policy        no         any time
     mac_partition(4)       Process partition policy   yes        any time
     mac_seeotheruids(4)    See-other-UIDs policy      no         any time
     mac_test(4)            MAC testing policy         no         any time

   MAC Labels
     Each system subject (processes, sockets, etc.) and each system object
     (file system objects, sockets, etc.) can carry with it a MAC label.  MAC
     labels can contain data in an arbitrary format used by the MAC policies
     to help determine access rights for a given operation.  Most MAC labels
     on system subjects and objects can be modified directly or indirectly by
     the system administrator.

     More information on the format for MAC labels can be found in the
     maclabel(7) man page.

   Setting MAC labels
     From the command line, each type of system object has its own means for
     setting and modifying its MAC policy label.

     Subject/Object            Utility
     File system object        setfmac(8)
     Network interface         ifconfig(8)
     TTY (by login class)      login.conf(5)
     User (by login class)     login.conf(5)

     Additionally, the setpmac(8) command can be used to run a command with a
     different process label than the shell's current label.
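     The two tables above turned into a dry-run planner, as an added example
     that is not part of the manual page: it prints the step that enables a
     policy module and the step that labels each kind of subject or object,
     without running anything. The function names are hypothetical, and the
     label strings (maclabel(7) syntax), path, interface name and login
     class are constructed sample values.

```shell
#!/bin/sh
# Added example, not from mac(4). Prints steps only; names are hypothetical.
# "Load time" column: boot-only modules belong in loader.conf(5).
mac_load_time() {
    case "$1" in
        mac_biba|mac_lomac|mac_mls) echo boot ;;
        mac_bsdextended|mac_ifoff|mac_none|mac_partition) echo any ;;
        mac_seeotheruids|mac_test) echo any ;;
        *) return 1 ;;
    esac
}

# "Labeling" column: policies the table marks "yes".
mac_uses_labels() {
    case "$1" in
        mac_biba|mac_lomac|mac_mls|mac_partition) return 0 ;;
        *) return 1 ;;
    esac
}

# Print how to enable one policy module.
mac_enable_step() {
    when=$(mac_load_time "$1") || { echo "unknown module: $1" >&2; return 1; }
    if [ "$when" = boot ]; then
        echo "${1}_load=\"YES\"  # /boot/loader.conf, effective at next boot"
    else
        echo "kldload $1"
    fi
}

# Print how to set a label: mac_label_step MODULE KIND LABEL TARGET
mac_label_step() {
    mac_uses_labels "$1" || { echo "$1 does not use labels" >&2; return 1; }
    case "$2" in
        file)      echo "setfmac $3 $4" ;;
        interface) echo "ifconfig $4 maclabel $3" ;;
        class)     echo ":label=$3:  # class '$4' in /etc/login.conf" ;;
        process)   echo "setpmac $3 $4" ;;
        *)         echo "unknown kind: $2" >&2; return 1 ;;
    esac
}

# Constructed sample values.
mac_enable_step mac_biba
mac_enable_step mac_bsdextended
mac_label_step mac_biba file biba/high /var/db/example.db
mac_label_step mac_biba interface biba/equal em0
mac_label_step mac_biba class biba/low untrusted
mac_label_step mac_biba process biba/low /bin/sh
```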
   Programming With MAC
     MAC security enforcement itself is transparent to application programs,
     with the exception that some programs may need to be aware of additional
     errno(2) returns from various system calls.

     The interface for retrieving, handling, and setting policy labels is
     documented in the mac(3) man page.

SEE ALSO
     mac(3), mac_biba(4), mac_bsdextended(4), mac_ifoff(4), mac_lomac(4),
     mac_mls(4), mac_none(4), mac_partition(4), mac_seeotheruids(4),
     mac_test(4), login.conf(5), maclabel(7), getfmac(8), setfmac(8),
     getpmac(8), setpmac(8), mac(9)

HISTORY
     The mac implementation first appeared in FreeBSD 5.0 and was developed
     by the TrustedBSD Project.

AUTHORS
     This software was contributed to the FreeBSD Project by Network
     Associates Labs, the Security Research Division of Network Associates
     Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of
     the DARPA CHATS research program.

BSD                            JANUARY 8, 2003                            BSD
Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=mac&sektion=4&manpath=FreeBSD+5.0-RELEASE>