Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
MAC(4)			 BSD Kernel Interfaces Manual			MAC(4)

     mac -- Mandatory Access Control

     options MAC

     The Mandatory Access Control, or MAC, framework allows administrators to
     finely control system security by providing for a loadable	security pol-
     icy architecture.	It is important	to note	that due to its	nature,	MAC
     security policies may only	restrict access	relative to one	another	and
     the base system policy; they cannot override traditional UNIX security
     provisions	such as	file permissions and superuser checks.

     Currently,	the following MAC policy modules are shipped with FreeBSD:

     Name		    Description			Labeling    Load time
     mac_biba(4)	    Biba integrity policy	yes	    boot only
     mac_bsdextended(4)	    File system	firewall	no	    any	time
     mac_ifoff(4)	    Interface silencing		no	    any	time
     mac_lomac(4)	    Low-Watermark MAC policy	yes	    boot only
     mac_mls(4)		    Confidentiality policy	yes	    boot only
     mac_none(4)	    Sample no-op policy		no	    any	time
     mac_partition(4)	    Process partition policy	yes	    any	time
     mac_portacl(4)	    Port bind(2) access	control	no	    any	time
     mac_seeotheruids(4)    See-other-UIDs policy	no	    any	time
     mac_test(4)	    MAC	testing	policy		no	    any	time

   MAC Labels
     Each system subject (processes, sockets, etc.) and	each system object
     (file system objects, sockets, etc.) can carry with it a MAC label.  MAC
     labels contain data in an arbitrary format	taken into consideration in
     making access control decisions for a given operation.  Most MAC labels
     on	system subjects	and objects can	be modified directly or	indirectly by
     the system	administrator.	The format for a given policy's	label may vary
     depending on the type of object or	subject	being labeled.	More informa-
     tion on the format	for MAC	labels can be found in the maclabel(7) man

   MAC Support for UFS2	File Systems
     By	default, file system enforcement of labeled MAC	policies relies	on a
     single file system	label (see MAC Labels) in order	to make	access control
     decisions for all the files in a particular file system.  With some poli-
     cies, this	configuration may not allow administrators to take full	advan-
     tage of features.	In order to enable support for labeling	files on an
     individual	basis for a particular file system, the	"multilabel" flag must
     be	enabled	on the file system.  To	set the	"multilabel" flag, drop	to
     single-user mode and unmount the file system, then	execute	the following

	   tunefs -l enable filesystem

     where filesystem is either	the mount point	(in fstab(5)) or the special
     file (in /dev) corresponding to the file system on	which to enable	multi-
     label support.

   Policy Enforcement
     Policy enforcement	is divided into	the following areas of the system:

     File System
     File system mounts, modifying directories,	modifying files, etc.

     Loading, unloading, and retrieving	statistics on loaded kernel modules

     Network interfaces, bpf(4), packet	delivery and transmission, interface
     configuration (ioctl(2), ifconfig(8))

     Creation of and operation on pipe(2) objects

     Debugging (e.g. ktrace(2)), process visibility (ps(1)), process execution
     (execve(2)), signalling (kill(2))

     Creation of and operation on socket(2) objects

     Kernel environment	(kenv(1)), system accounting (acct(2)),	reboot(2),
     settimeofday(2), swapon(2), sysctl(3), nfsd(8)-related operations

     mmap(2)-ed	files

   Setting MAC Labels
     From the command line, each type of system	object has its own means for
     setting and modifying its MAC policy label.

	   Subject/Object	    Utility
	   File	system object	    setfmac(8),	setfsmac(8)
	   Network interface	    ifconfig(8)
	   TTY (by login class)	    login.conf(5)
	   User	(by login class)    login.conf(5)

     Additionally, the su(1) and setpmac(8) utilities can be used to run a
     command with a different process label than the shell's current label.

   Programming With MAC
     MAC security enforcement itself is	transparent to application programs,
     with the exception	that some programs may need to be aware	of additional
     errno(2) returns from various system calls.

     The interface for retrieving, handling, and setting policy	labels is doc-
     umented in	the mac(3) man page.

     mac(3), mac_biba(4), mac_bsdextended(4), mac_ifoff(4), mac_lomac(4),
     mac_mls(4), mac_none(4), mac_partition(4),	mac_portacl(4),
     mac_seeotheruids(4), mac_test(4), login.conf(5), maclabel(7), getfmac(8),
     getpmac(8), setfmac(8), setpmac(8), mac(9)

     "Mandatory	Access Control", The FreeBSD Handbook,

     The mac implementation first appeared in FreeBSD 5.0 and was developed by
     the TrustedBSD Project.

     This software was contributed to the FreeBSD Project by Network Asso-
     ciates Labs, the Security Research	Division of Network Associates Inc.
     under DARPA/SPAWAR	contract N66001-01-C-8035 ("CBOSS"), as	part of	the
     DARPA CHATS research program.

     See mac(9)	concerning appropriateness for production use.	The TrustedBSD
     MAC Framework is considered experimental in FreeBSD.

     While the MAC Framework design is intended	to support the containment of
     the root user, not	all attack channels are	currently protected by entry
     point checks.  As such, MAC Framework policies should not be relied on,
     in	isolation, to protect against a	malicious privileged user.

BSD			       October 30, 2007				   BSD


Want to link to this manual page? Use this URL:

home | help