mac.conf(5)
NAME
mac.conf - format of the MAC library configuration file
DESCRIPTION
The mac.conf file configures the default label elements to be used by policy-agnostic applications that operate on MAC labels. A file contains a series of default label sets specified by object class, in addition to blank lines and comments preceded by a `#' symbol.

Currently, the implementation supports two syntax styles for label element declaration. The old (deprecated) syntax consists of a single line with two fields separated by white space: the object class name, and a list of label elements as used by the mac_prepare(3) library calls prior to an application invocation of a function from mac_get(3). The newer more preferred syntax consists of three fields separated by white space: the label group, object class name and a list of label elements.

Label element names may optionally begin with a `?' symbol to indicate that a failure to retrieve the label element for an object should be silently ignored, and improves usability if the set of MAC policies may change over time.
FILES
/etc/mac.conf MAC library configuration file.
EXAMPLES
The following example configures user applications to operate with four MAC policies: mac_biba(4), mac_mls(4), SEBSD, and mac_partition(4).

#
# Default label set to be used by simple MAC applications

default_labels file ?biba,?lomac,?mls,?sebsd
default_labels ifnet ?biba,?lomac,?mls,?sebsd
default_labels process ?biba,?lomac,?mls,?partition,?sebsd
default_labels socket ?biba,?lomac,?mls

#
# Deprecated (old) syntax

default_file_labels ?biba,?mls,?sebsd
default_ifnet_labels ?biba,?mls,?sebsd
default_process_labels ?biba,?mls,partition,?sebsd

In this example, userland applications will attempt to retrieve Biba, MLS, and SEBSD labels for all object classes; for processes, they will additionally attempt to retrieve a Partition identifier. In all cases except the Partition identifier, failure to retrieve a label due to the respective policy not being present will be ignored.
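An added example, not part of the original manual page or of the FreeBSD library: a small Python parser for the two syntaxes described above that reports unparsable lines, deprecated lines, and label elements lacking the `?' prefix, whose retrieval failure would not be ignored. The sample input is constructed; treating `#' as a comment marker anywhere on a line and deriving the object class from the old-style keyword are assumptions.

```python
import re

# Constructed sample: lines from the EXAMPLES section plus one malformed line.
SAMPLE = """\
default_labels file ?biba,?lomac,?mls,?sebsd
default_labels process ?biba,?lomac,?mls,?partition,?sebsd
# Deprecated (old) syntax
default_process_labels ?biba,?mls,partition,?sebsd
bogus line here with extra
"""

# Assumption: the old keyword embeds the object class, as in default_file_labels.
OLD_KEYWORD = re.compile(r"^default_(\w+)_labels$")

def parse_mac_conf(text):
    """Return (entries, errors) for the two syntaxes described above."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # assumption: '#' comments out the rest
        if not fields:
            continue
        if len(fields) == 3:  # new syntax: label group, object class, elements
            group, obj_class, elements = fields
        elif len(fields) == 2 and (old := OLD_KEYWORD.match(fields[0])):
            group, obj_class, elements = fields[0], old.group(1), fields[1]
        else:
            errors.append((lineno, raw))
            continue
        names = [n for n in elements.split(",") if n]
        entries.append({
            "line": lineno, "group": group, "class": obj_class, "deprecated": len(fields) == 2,
            "optional": [n[1:] for n in names if n.startswith("?")],
            "mandatory": [n for n in names if not n.startswith("?")],
        })
    return entries, errors

def audit(text):
    """Findings to review: unparsable lines, deprecated syntax, mandatory elements."""
    entries, errors = parse_mac_conf(text)
    findings = [f"line {n}: unparsable: {raw!r}" for n, raw in errors]
    for e in entries:
        if e["deprecated"]:
            findings.append(f"line {e['line']}: deprecated syntax ({e['class']})")
        for name in e["mandatory"]:
            findings.append(f"line {e['line']}: {e['class']} needs '{name}' (no '?')")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On the sample, only the deprecated process line carries a mandatory element (partition), matching the explanation in the EXAMPLES text.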
SEE ALSO
mac(3), mac_get(3), mac_prepare(3), mac(4), mac(9)
HISTORY
Support for Mandatory Access Control was introduced in FreeBSD 5.0 as part of the TrustedBSD Project.
BUGS
The TrustedBSD MAC Framework and associated policies, interfaces, and applications are considered to be an experimental feature in FreeBSD. Sites considering production deployment should keep the experimental status of these services in mind during any deployment process. See also mac(9) for related considerations regarding the kernel framework.
BSD April 19, 2003