mac.conf(5)

NAME

mac.conf - format of the MAC library configuration file

DESCRIPTION

The mac.conf file configures the default label elements to
be used by
policy-agnostic applications that operate on MAC labels. A
file contains
a series of default label sets specified by object class, in
addition to
blank lines and comments preceded by a `#' symbol.
Currently, the implementation supports two syntax styles for
label element declaration. The old (deprecated) syntax consists of a
single line
with two fields separated by white space: the object class
name, and a
list of label elements as used by the mac_prepare(3) library
calls prior
to an application invocation of a function from mac_get(3).
The newer more preferred syntax consists of three fields
separated by
white space: the label group, object class name and a list
of label elements.
Label element names may optionally begin with a `?' symbol
to indicate
that a failure to retrieve the label element for an object
should be
silently ignored, and improves usability if the set of MAC
policies may
change over time.

FILES

/etc/mac.conf MAC library configuration file.

EXAMPLES

The following example configures user applications to oper
ate with four
MAC policies: mac_biba(4), mac_mls(4), SEBSD, and mac_parti
tion(4).

#
# Default label set to be used by simple MAC applica
tions
default_labels file ?biba,?lomac,?mls,?sebsd
default_labels ifnet ?biba,?lomac,?mls,?sebsd
default_labels process ?biba,?lomac,?mls,?parti
tion,?sebsd
default_labels socket ?biba,?lomac,?mls
#
# Deprecated (old) syntax
default_file_labels ?biba,?mls,?sebsd
default_ifnet_labels ?biba,?mls,?sebsd
default_process_labels ?biba,?mls,partition,?sebsd
In this example, userland applications will attempt to re
trieve Biba,
MLS, and SEBSD labels for all object classes; for processes,
they will
additionally attempt to retrieve a Partition identifier. In
all cases
except the Partition identifier, failure to retrieve a label
due to the
respective policy not being present will be ignored.

SEE ALSO

mac(3), mac_get(3), mac_prepare(3), mac(4), mac(9)

HISTORY

Support for Mandatory Access Control was introduced in
FreeBSD 5.0 as
part of the TrustedBSD Project.

BUGS

The TrustedBSD MAC Framework and associated policies, inter
faces, and
applications are considered to be an experimental feature in
FreeBSD.
Sites considering production deployment should keep the ex
perimental status of these services in mind during any deployment process.
See also
mac(9) for related considerations regarding the kernel
framework.
BSD April 19, 2003
Copyright © 2010-2024 Platon Technologies, s.r.o.           Home | Man pages | tLDP | Documents | Utilities | About
Design by styleshout