FreeBSD Man PagesIndex:
CPU_ELAN(4)CPU_SOEKRIS(4)
aac(4)
acd(4)
acpi(4)
acpi_asus(4)
acpi_panasonic(4)
acpi_thermal(4)
acpi_toshiba(4)
acpi_video(4)
ad(4)
adv(4)
adw(4)
afd(4)
agp(4)
agpgart(4)
aha(4)
ahb(4)
ahc(4)
ahd(4)
aic(4)
aio(4)
alpm(4)
altq(4)
amd(4)
amdpm(4)
amr(4)
an(4)
apm(4)
ar(4)
arcmsr(4)
arl(4)
arp(4)
asr(4)
ast(4)
ata(4)
atapicam(4)
ath(4)
ath_hal(4)
atkbd(4)
atkbdc(4)
aue(4)
awi(4)
axe(4)
bfe(4)
bge(4)
bktr(4)
blackhole(4)
bpf(4)
bridge(4)
brooktree(4)
bt(4)
cam(4)
card(4)
cardbus(4)
carp(4)
cbb(4)
ccd(4)
cd(4)
cdce(4)
ch(4)
ciss(4)
cm(4)
cnw(4)
cp(4)
cpufreq(4)
crypto(4)
cryptodev(4)
cs(4)
ct(4)
ctau(4)
cue(4)
cx(4)
cy(4)
da(4)
dc(4)
dcons(4)
dcons_crom(4)
ddb(4)
de(4)
devctl(4)
digi(4)
disc(4)
divert(4)
dpt(4)
dummynet(4)
ed(4)
ef(4)
ehci(4)
el(4)
em(4)
en(4)
ep(4)
esp(4)
ex(4)
exca(4)
faith(4)
fast_ipsec(4)
fatm(4)
fd(4)
fdc(4)
fe(4)
fea(4)
firewire(4)
fla(4)
fpa(4)
fwe(4)
fwip(4)
fwohci(4)
fxp(4)
gbde(4)
gdb(4)
gem(4)
geom(4)
gif(4)
gre(4)
gx(4)
harp(4)
hatm(4)
hfa(4)
hifn(4)
hme(4)
hptmv(4)
i4b(4)
i4bcapi(4)
i4bctl(4)
i4bing(4)
i4bipr(4)
i4bisppp(4)
i4bq921(4)
i4bq931(4)
i4brbch(4)
i4btel(4)
i4btrc(4)
iavc(4)
ichsmb(4)
ichwd(4)
icmp(4)
icmp6(4)
ida(4)
idt(4)
ie(4)
ieee80211(4)
if_an(4)
if_aue(4)
if_awi(4)
if_axe(4)
if_bfe(4)
if_bge(4)
if_cue(4)
if_dc(4)
if_de(4)
if_disc(4)
if_ed(4)
if_ef(4)
if_em(4)
if_en(4)
if_faith(4)
if_fatm(4)
if_fwe(4)
if_fwip(4)
if_fxp(4)
if_gem(4)
if_gif(4)
if_gre(4)
if_gx(4)
if_hatm(4)
if_hme(4)
if_idt(4)
if_kue(4)
if_lge(4)
if_my(4)
if_ndis(4)
if_nge(4)
if_oltr(4)
if_patm(4)
if_pcn(4)
if_ppp(4)
if_re(4)
if_rl(4)
if_rue(4)
if_sbni(4)
if_sbsh(4)
if_sf(4)
if_sis(4)
if_sk(4)
if_sl(4)
if_sn(4)
if_ste(4)
if_stf(4)
if_tap(4)
if_ti(4)
if_tl(4)
if_tun(4)
if_tx(4)
if_txp(4)
if_udav(4)
if_vge(4)
if_vlan(4)
if_vr(4)
if_wb(4)
if_wi(4)
if_xe(4)
if_xl(4)
ifmib(4)
ifpi(4)
ifpi2(4)
ifpnp(4)
ihfc(4)
iic(4)
iicbb(4)
iicbus(4)
iicsmb(4)
iir(4)
imm(4)
inet(4)
inet6(4)
intpm(4)
intro(4)
io(4)
ip(4)
ip6(4)
ipaccounting(4)
ipacct(4)
ipf(4)
ipfirewall(4)
ipfw(4)
ipl(4)
ipnat(4)
ips(4)
ipsec(4)
isic(4)
isp(4)
ispfw(4)
itjc(4)
iwic(4)
ixgb(4)
joy(4)
kame(4)
keyboard(4)
kld(4)
kmem(4)
ktr(4)
kue(4)
led(4)
lge(4)
linux(4)
lnc(4)
lo(4)
longrun(4)
loop(4)
lp(4)
lpbb(4)
lpt(4)
mac(4)
mac_biba(4)
mac_bsdextended(4)
mac_ifoff(4)
mac_lomac(4)
mac_mls(4)
mac_none(4)
mac_partition(4)
mac_portacl(4)
mac_seeotheruids(4)
mac_stub(4)
mac_test(4)
mcd(4)
md(4)
mem(4)
meteor(4)
miibus(4)
mlx(4)
mly(4)
mouse(4)
mpt(4)
mse(4)
mtio(4)
multicast(4)
my(4)
natm(4)
natmip(4)
ncr(4)
ncv(4)
ndis(4)
net(4)
netgraph(4)
netintro(4)
networking(4)
ng_UI(4)
ng_async(4)
ng_atm(4)
ng_atmllc(4)
ng_atmpif(4)
ng_bluetooth(4)
ng_bpf(4)
ng_bridge(4)
ng_bt3c(4)
ng_btsocket(4)
ng_ccatm(4)
ng_cisco(4)
ng_device(4)
ng_echo(4)
ng_eiface(4)
ng_etf(4)
ng_ether(4)
ng_fec(4)
ng_frame_relay(4)
ng_gif(4)
ng_gif_demux(4)
ng_h4(4)
ng_hci(4)
ng_hole(4)
ng_hub(4)
ng_iface(4)
ng_ip_input(4)
ng_ksocket(4)
ng_l2cap(4)
ng_l2tp(4)
ng_lmi(4)
ng_mppc(4)
ng_netflow(4)
ng_one2many(4)
ng_ppp(4)
ng_pppoe(4)
ng_pptpgre(4)
ng_rfc1490(4)
ng_socket(4)
ng_split(4)
ng_sppp(4)
ng_sscfu(4)
ng_sscop(4)
ng_tee(4)
ng_tty(4)
ng_ubt(4)
ng_uni(4)
ng_vjc(4)
ng_vlan(4)
nge(4)
nmdm(4)
npx(4)
nsp(4)
null(4)
ohci(4)
oldcard(4)
oltr(4)
opie(4)
orm(4)
pae(4)
pass(4)
patm(4)
pccard(4)
pccbb(4)
pcf(4)
pci(4)
pcic(4)
pcm(4)
pcn(4)
pcvt(4)
perfmon(4)
pf(4)
pflog(4)
pfsync(4)
pim(4)
plip(4)
pnp(4)
pnpbios(4)
polling(4)
ppbus(4)
ppc(4)
ppi(4)
ppp(4)
psm(4)
pst(4)
pt(4)
pty(4)
puc(4)
random(4)
rawip(4)
ray(4)
rc(4)
re(4)
rl(4)
rndtest(4)
route(4)
rp(4)
rue(4)
sa(4)
sab(4)
safe(4)
sbni(4)
sbp(4)
sbp_targ(4)
sbsh(4)
sc(4)
scbus(4)
scd(4)
sched_4bsd(4)
sched_ule(4)
screen(4)
screensaver(4)
scsi(4)
sem(4)
ses(4)
sf(4)
si(4)
sio(4)
sis(4)
sk(4)
skey(4)
sl(4)
smapi(4)
smb(4)
smbus(4)
smp(4)
sn(4)
snc(4)
snd(4)
snd_ad1816(4)
snd_als4000(4)
snd_cmi(4)
snd_cs4281(4)
snd_csa(4)
snd_ds1(4)
snd_emu10k1(4)
snd_es137x(4)
snd_ess(4)
snd_fm801(4)
snd_gusc(4)
snd_ich(4)
snd_maestro(4)
snd_maestro3(4)
snd_neomagic(4)
snd_sbc(4)
snd_solo(4)
snd_uaudio(4)
snd_via8233(4)
snd_via82c686(4)
snd_vibes(4)
snp(4)
sound(4)
speaker(4)
spic(4)
spkr(4)
splash(4)
sppp(4)
sr(4)
stderr(4)
stdin(4)
stdout(4)
ste(4)
stf(4)
stg(4)
streams(4)
svr4(4)
sym(4)
syncache(4)
syncer(4)
syncookies(4)
syscons(4)
sysmouse(4)
tap(4)
targ(4)
tcp(4)
tdfx(4)
termios(4)
ti(4)
tl(4)
trm(4)
ttcp(4)
tty(4)
tun(4)
twa(4)
twe(4)
tx(4)
txp(4)
uart(4)
ubsa(4)
ubsec(4)
ubser(4)
ubtbcmfw(4)
ucom(4)
udav(4)
udbp(4)
udp(4)
ufm(4)
uftdi(4)
ugen(4)
uhci(4)
uhid(4)
uhidev(4)
ukbd(4)
ulpt(4)
umass(4)
umct(4)
umodem(4)
ums(4)
unix(4)
uplcom(4)
urio(4)
usb(4)
uscanner(4)
utopia(4)
uvisor(4)
uvscom(4)
vga(4)
vge(4)
viapm(4)
vinum(4)
vinumdebug(4)
vlan(4)
vn(4)
vpd(4)
vpo(4)
vr(4)
vt(4)
vx(4)
watchdog(4)
wb(4)
wd(4)
wdc(4)
wi(4)
witness(4)
wl(4)
wlan(4)
worm(4)
xe(4)
xl(4)
xpt(4)
zero(4)
mac(4)
NAME
mac -- Mandatory Access Control
SYNOPSIS
options MAC
DESCRIPTION
Introduction
The Mandatory Access Control, or MAC, framework allows administrators to
finely control system security by providing for a loadable security pol-
icy architecture. It is important to note that due to its nature, MAC
security policies may only restrict access relative to one another and
the base system policy; they cannot override traditional UNIX security
provisions such as file permissions and superuser checks.
Currently, the following MAC policy modules are shipped with FreeBSD:
Name Description Labeling Load time
mac_biba(4) Biba integrity policy yes boot only
mac_bsdextended(4) File system firewall no any time
mac_ifoff(4) Interface silencing no any time
mac_lomac(4) Low-Watermark MAC policy yes boot only
mac_mls(4) Confidentiality policy yes boot only
mac_none(4) Sample no-op policy no any time
mac_partition(4) Process partition policy yes any time
mac_portacl(4) Port bind(2) access control no any time
mac_seeotheruids(4) See-other-UIDs policy no any time
mac_test(4) MAC testing policy no any time
MAC Labels
Each system subject (processes, sockets, etc.) and each system object
(file system objects, sockets, etc.) can carry with it a MAC label. MAC
labels contain data in an arbitrary format taken into consideration in
making access control decisions for a given operation. Most MAC labels
on system subjects and objects can be modified directly or indirectly by
the system administrator. The format for a given policy's label may vary
depending on the type of object or subject being labeled. More informa-
tion on the format for MAC labels can be found in the maclabel(7) man
page.
MAC Support for UFS2 File Systems
By default, file system enforcement of labeled MAC policies relies on a
single file system label (see MAC Labels) in order to make access control
decisions for all the files in a particular file system. With some poli-
cies, this configuration may not allow administrators to take full advan-
tage of features. In order to enable support for labeling files on an
individual basis for a particular file system, the ``multilabel'' flag
must be enabled on the file system. To set the ``multilabel'' flag, drop
to single-user mode and unmount the file system, then execute the follow-
ing command:
tunefs -l enable filesystem
where filesystem is either the mount point (in fstab(5)) or the special
file (in /dev) corresponding to the file system on which to enable multi-
label support.
KLD
Loading, unloading, and retrieving statistics on loaded kernel modules
Network
Network interfaces, bpf(4), packet delivery and transmission, interface
configuration (ioctl(2), ifconfig(8))
Pipes
Creation of and operation on pipe(2) objects
Processes
Debugging (e.g. ktrace(2)), process visibility (ps(1)), process execution
(execve(2)), signalling (kill(2))
Sockets
Creation of and operation on socket(2) objects
System
Kernel environment (kenv(1)), system accounting (acct(2)), reboot(2),
settimeofday(2), swapon(2), sysctl(3), nfsd(8)-related operations
VM
mmap(2)-ed files
Setting MAC Labels
From the command line, each type of system object has its own means for
setting and modifying its MAC policy label.
Subject/Object Utility
File system object setfmac(8), setfsmac(8)
Network interface ifconfig(8)
TTY (by login class) login.conf(5)
User (by login class) login.conf(5)
Additionally, the su(1) and setpmac(8) utilities can be used to run a
command with a different process label than the shell's current label.
Programming With MAC
MAC security enforcement itself is transparent to application programs,
with the exception that some programs may need to be aware of additional
errno(2) returns from various system calls.
The interface for retrieving, handling, and setting policy labels is doc-
umented in the mac(3) man page.
Runtime Configuration
The following sysctl(8) MIBs are available for fine-tuning the enforce-
ment of MAC policies. Unless specifically noted, all MIBs default to 1
(that is, all areas are enforced by default):
security.mac.enforce_fs Enforce MAC policies for file system
accesses.
security.mac.enforce_kld Enforce MAC policies on kld(4).
security.mac.enforce_network Enforce MAC policies on network interfaces.
security.mac.enforce_pipe Enforce MAC policies on pipes.
security.mac.enforce_vm Enforce MAC policies on mmap(2) and
mprotect(2).
SEE ALSO
mac(3), mac_biba(4), mac_bsdextended(4), mac_ifoff(4), mac_lomac(4),
mac_mls(4), mac_none(4), mac_partition(4), mac_portacl(4),
mac_seeotheruids(4), mac_test(4), login.conf(5), maclabel(7), getfmac(8),
getpmac(8), setfmac(8), setpmac(8), mac(9)
"Mandatory Access Control", The FreeBSD Handbook,
http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html.
HISTORY
The mac implementation first appeared in FreeBSD 5.0 and was developed by
the TrustedBSD Project.
AUTHORS
This software was contributed to the FreeBSD Project by Network Asso-
ciates Labs, the Security Research Division of Network Associates Inc.
under DARPA/SPAWAR contract N66001-01-C-8035 (``CBOSS''), as part of the
DARPA CHATS research program.
BUGS
See mac(9) concerning appropriateness for production use. The TrustedBSD
MAC Framework is considered experimental in FreeBSD.
While the MAC Framework design is intended to support the containment of
the root user, not all attack channels are currently protected by entry
point checks. As such, MAC Framework policies should not be relied on,
in isolation, to protect against a malicious privileged user.
FreeBSD 5.4 January 8, 2003 FreeBSD 5.4
SPONSORED LINKS
Man(1) output converted with man2html , sed , awk