mac(4)

NAME

mac - Mandatory Access Control

SYNOPSIS

options MAC

DESCRIPTION

Introduction: The Mandatory Access Control, or MAC, framework allows ad; ministrators to
finely control system security by providing for a loadable; security policy architecture. It is important to note that due to its; nature, MAC
security policies may only restrict access relative to one; another and
the base system policy; they cannot override traditional; UNIX security
provisions such as file permissions and superuser checks.; Currently, the following MAC policy modules are shipped with; FreeBSD:; Name Description

Labeling Load

time
mac_biba(4) Biba integrity: pol; icy yes boot
on; ly
mac_bsdextended(4) File system firewall no
any: time
mac_ifoff(4) Interface silencing no
any: time
mac_lomac(4) Low-Watermark MAC: pol; icy yes boot
on; ly
mac_mls(4) Confidentiality: pol; icy yes boot
on; ly
mac_none(4) Sample no-op policy no
any: time
mac_partition(4) Process partition policy yes
any: time
mac_portacl(4) Port bind(2) access control no
any: time
mac_seeotheruids(4) See-other-UIDs policy no
any: time
mac_test(4) MAC testing policy no
any: time
MAC Labels: Each system subject (processes, sockets, etc.) and each sys; tem object
(file system objects, sockets, etc.) can carry with it a MAC; label. MAC
labels contain data in an arbitrary format taken into con; sideration in
making access control decisions for a given operation. Most; MAC labels
on system subjects and objects can be modified directly or; indirectly by
the system administrator. The format for a given policy's; label may vary
depending on the type of object or subject being labeled.; More information on the format for MAC labels can be found in the macla; bel(7) man
page.
MAC Support for UFS2 File Systems: By default, file system enforcement of labeled MAC policies; relies on a
single file system label (see MAC Labels) in order to make; access control
decisions for all the files in a particular file system.; With some policies, this configuration may not allow administrators to; take full advantage of features. In order to enable support for labeling; files on an
individual basis for a particular file system, the ``multil; abel'' flag
must be enabled on the file system. To set the ``multil; abel'' flag, drop
to single-user mode and unmount the file system, then exe; cute the following command:

tunefs -l enable filesystem; where filesystem is either the mount point (in fstab(5)) or; the special
file (in /dev) corresponding to the file system on which to; enable multilabel support.
Policy Enforcement: MAC can be configured to enforce only specific portions of; policies (see
Runtime Configuration). Policy enforcement is divided into; the following
areas of the system:; File System
File system mounts, modifying directories, modifying files,; etc.; KLD
Loading, unloading, and retrieving statistics on loaded ker; nel modules; Network
Network interfaces, bpf(4), packet delivery and transmis; sion, interface
configuration (ioctl(2), ifconfig(8)); Pipes
Creation of and operation on pipe(2) objects; Processes
Debugging (e.g. ktrace(2)), process visibility (ps(1)), pro; cess execution
(execve(2)), signalling (kill(2)); Sockets
Creation of and operation on socket(2) objects; System
Kernel environment (kenv(1)), system accounting (acct(2)),; reboot(2),
settimeofday(2), swapon(2), sysctl(3), nfsd(8)-related oper; ations; VM
mmap(2)-ed files
Setting MAC Labels: From the command line, each type of system object has its; own means for
setting and modifying its MAC policy label.

Subject/Object Utility File system object setfmac(8), setfsmac(8)
Network interface ifconfig(8)
TTY (by login class) login.conf(5)
User (by login class) login.conf(5); Additionally, the su(1) and setpmac(8) utilities can be used; to run a
command with a different process label than the shell's cur; rent label.
Programming With MAC: MAC security enforcement itself is transparent to applica; tion programs,
with the exception that some programs may need to be aware; of additional
errno(2) returns from various system calls.; The interface for retrieving, handling, and setting policy; labels is documented in the mac(3) man page.
Runtime Configuration: The following sysctl(8) MIBs are available for fine-tuning; the enforcement of MAC policies. Unless specifically noted, all MIBs; default to 1
(that is, all areas are enforced by default):; security.mac.enforce_fs Enforce MAC policies for; file system
accesses.
security.mac.enforce_kld Enforce MAC policies on
kld(4).
security.mac.enforce_network Enforce MAC policies on
network inter: faces.
security.mac.enforce_pipe Enforce MAC policies on
pipes.
security.mac.enforce_process Enforce MAC policies be
tween system: processes (e.g. ps(1),; ktrace(2)).
security.mac.enforce_socket Enforce MAC policies on
sockets.
security.mac.enforce_system Enforce MAC policies on
system-related: items (e.g. kenv(1), ac; ct(2),
reboot(2)).
security.mac.enforce_vm Enforce MAC policies on
mmap(2) and: mprotect(2).

HISTORY

The mac implementation first appeared in FreeBSD 5.0 and was
developed by the TrustedBSD Project.

AUTHORS

This software was contributed to the FreeBSD Project by Net
work Associates Labs, the Security Research Division of Network Associ
ates Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (``CBOSS''), as
part of the DARPA CHATS research program.

BUGS

See mac(9) concerning appropriateness for production use.
The TrustedBSD MAC Framework is considered experimental in FreeBSD.
While the MAC Framework design is intended to support the
containment of the root user, not all attack channels are currently pro
tected by entry point checks. As such, MAC Framework policies should not be
relied on, in isolation, to protect against a malicious privileged us
er.
BSD January 8, 2003

docs.sk

comprehensive documentation repository

In section

See also

mac(4)

NAME

SYNOPSIS

DESCRIPTION

Labeling Load

SEE ALSO

HISTORY

AUTHORS

BUGS