mac.4 (b9e873d4a03fcd8a3b4fb3b675f6ce8ba9628d57) | mac.4 (d29d42d83d6fa3aa27bb3879ce48c0397081268b) |
---|---|
1.\" Copyright (c) 2003 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Labs, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. --- 46 unchanged lines hidden (view full) --- 55.It Xr mac_ifoff 4 Ta "Interface silencing" Ta no Ta any time 56.It Xr mac_lomac 4 Ta "Low-Watermark MAC policy" Ta yes Ta boot only 57.It Xr mac_mls 4 Ta "Confidentiality policy" Ta yes Ta boot only 58.It Xr mac_none 4 Ta "Sample no-op policy" Ta no Ta any time 59.It Xr mac_partition 4 Ta "Process partition policy" Ta yes Ta any time 60.It Xr mac_seeotheruids 4 Ta "See-other-UIDs policy" Ta no Ta any time 61.It Xr mac_test 4 Ta "MAC testing policy" Ta no Ta any time 62.El | 1.\" Copyright (c) 2003 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Labs, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. --- 46 unchanged lines hidden (view full) --- 55.It Xr mac_ifoff 4 Ta "Interface silencing" Ta no Ta any time 56.It Xr mac_lomac 4 Ta "Low-Watermark MAC policy" Ta yes Ta boot only 57.It Xr mac_mls 4 Ta "Confidentiality policy" Ta yes Ta boot only 58.It Xr mac_none 4 Ta "Sample no-op policy" Ta no Ta any time 59.It Xr mac_partition 4 Ta "Process partition policy" Ta yes Ta any time 60.It Xr mac_seeotheruids 4 Ta "See-other-UIDs policy" Ta no Ta any time 61.It Xr mac_test 4 Ta "MAC testing policy" Ta no Ta any time 62.El |
63.Ss MAC Support for UFS2 File Systems 64By default, file system enforcement of MAC policies relies on a single file 65system label 66(see 67.Sx "MAC Labels" ) 68in order to make access control decisions for all the files in a particular 69file system. 70On most systems, this is not the most desirable configuration. 71In order to enable support for labeling files on an individual basis, 72the 73.Dq multilabel 74flag must be enabled on the file system. 75To set the 76.Dq multilabel 77flag, drop to single-user mode and unmount the file system, 78then execute the following command: 79.Pp 80.Dl "tunefs -l enable" Sy filesystem 81.Pp 82where 83.Sy filesystem 84is either the mount point 85(in 86.Xr fstab 5 ) 87or the special file 88(in 89.Pa /dev ) 90corresponding to the file system on which to enable multilabel support. |
|
63.Ss MAC Labels 64Each system subject (processes, sockets, etc.) and each system object 65(file system objects, sockets, etc.) can carry with it a MAC label. 66MAC labels can contain data in an arbitrary format 67used by the MAC policies in order to help determine how to determine 68access rights for a given operation. 69Most MAC labels on system subjects and objects 70can be modified directly or indirectly by the system --- 166 unchanged lines hidden --- | 91.Ss MAC Labels 92Each system subject (processes, sockets, etc.) and each system object 93(file system objects, sockets, etc.) can carry with it a MAC label. 94MAC labels can contain data in an arbitrary format 95used by the MAC policies in order to help determine how to determine 96access rights for a given operation. 97Most MAC labels on system subjects and objects 98can be modified directly or indirectly by the system --- 166 unchanged lines hidden --- |
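Review bot: In the added "MAC Support for UFS2 File Systems" section, the operand in `.Dl "tunefs -l enable" Sy filesystem` and in the following `.Sy filesystem` is marked up with `.Sy`, where a command argument placeholder is normally written with `.Ar`. The utility itself is never cross-referenced, so consider `.Ar filesystem` in both places and an `.Xr tunefs 8` next to the command. The procedure also ends at the command: it tells the reader to drop to single-user mode and unmount the file system, but not to remount it or return to multi-user mode afterwards, and it does not say what to do for a file system that cannot be unmounted, such as the root file system. Finally, "On most systems, this is not the most desirable configuration" gives no reason. One sentence stating that a single file system label means every file in that file system shares the same label would tell an administrator when the multilabel flag is actually required.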