xref: /freebsd/lib/libc/posix1e/mac.conf.5 (revision ca8d7823c60bee5e7f9ec15635199f9a3add9a93)
.\" Copyright (c) 2003 Networks Associates Technology, Inc.
.\" All rights reserved.
.\"
.\" This software was developed for the FreeBSD Project in part by Network
.\" Associates Laboratories, the Security Research Division of Network
.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
.\" as part of the DARPA CHATS research program.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd April 19, 2003
.Dt MAC.CONF 5
.Os
.Sh NAME
.Nm mac.conf
.Nd format of the MAC library configuration file
.Sh DESCRIPTION
The
.Nm
file configures the default label elements to be used by policy-agnostic
applications that operate on MAC labels.
A file contains a series of default label sets specified by object class,
in addition to blank lines and comments preceded by a
.Ql #
symbol.
.Pp
Currently, the implementation supports two syntax styles for label
element declaration.
The old (deprecated) syntax consists of a
single line with two fields separated by white space: the object
class name, and a list of label elements as used by the
.Xr mac_prepare 3
library calls prior to an application invocation of a function from
.Xr mac_get 3 .
.Pp
The newer, preferred syntax consists of three fields separated by
white space: the label group, object class name and a list of
label elements.
.Pp
Label element names may optionally begin with a
.Ql \&?
symbol to indicate that a failure to retrieve the label element for
an object should be silently ignored; this improves usability if the
set of MAC policies may change over time.
.Sh EXAMPLES
The following example configures user applications to operate with
four MAC policies:
.Xr mac_biba 4 ,
.Xr mac_mls 4 ,
SEBSD,
and
.Xr mac_partition 4 .
.Bd -literal -offset indent
#
# Default label set to be used by simple MAC applications

default_labels file ?biba,?lomac,?mls,?sebsd
default_labels ifnet ?biba,?lomac,?mls,?sebsd
default_labels process ?biba,?lomac,?mls,?partition,?sebsd
default_labels socket ?biba,?lomac,?mls

#
# Deprecated (old) syntax

default_file_labels ?biba,?mls,?sebsd
default_ifnet_labels ?biba,?mls,?sebsd
default_process_labels ?biba,?mls,partition,?sebsd
.Ed
.Pp
In this example, userland applications will attempt to retrieve Biba,
MLS, and SEBSD labels for all object classes; for processes, they will
additionally attempt to retrieve a Partition identifier.
In all cases except the Partition identifier, failure to retrieve a
label due to the respective policy not being present will be ignored.
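The two line syntaxes and the optional-element marker described above can be checked with a small parser; this is an added example, not the libc implementation or code from the original page.
The names parse_mac_conf_line, element_is_required and struct label_entry, the size limits, and the default_<class>_labels form of the old keyword (inferred from the example above) are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ELEMS 8
#define NAME_LEN  32            /* arbitrary limit chosen for this example */
#define WS " \t\r\n"

struct label_entry {
    char class_name[NAME_LEN], elem[MAX_ELEMS][NAME_LEN];
    int  nelems, optional[MAX_ELEMS];   /* optional[i]: written with '?' */
};

/* Returns 1 for a parsed entry, 0 for a blank/comment line, -1 if malformed. */
int parse_mac_conf_line(const char *line, struct label_entry *e)
{
    char buf[256], *p, *kw, *cls, *list, *tok;
    size_t n;
    if (snprintf(buf, sizeof(buf), "%s", line) >= (int)sizeof(buf)) return -1;
    if ((p = strchr(buf, '#')) != NULL) *p = '\0';     /* strip comment */
    if ((kw = strtok(buf, WS)) == NULL) return 0;
    if (strcmp(kw, "default_labels") == 0) {           /* new: group class list */
        cls = strtok(NULL, WS);
    } else {                       /* old (assumed): default_<class>_labels list */
        n = strlen(kw);
        if (n <= 15 || strncmp(kw, "default_", 8) != 0 ||
            strcmp(kw + n - 7, "_labels") != 0) return -1;
        kw[n - 7] = '\0';
        cls = kw + 8;
    }
    list = strtok(NULL, WS);
    if (cls == NULL || list == NULL || strtok(NULL, WS) != NULL) return -1;
    if (snprintf(e->class_name, NAME_LEN, "%s", cls) >= NAME_LEN) return -1;
    e->nelems = 0;
    for (tok = strtok(list, ","); tok != NULL; tok = strtok(NULL, ",")) {
        int opt = (tok[0] == '?');
        tok += opt;                                    /* skip the '?' marker */
        if (e->nelems == MAX_ELEMS || *tok == '\0' || strlen(tok) >= NAME_LEN) return -1;
        strcpy(e->elem[e->nelems], tok);
        e->optional[e->nelems++] = opt;
    }
    return e->nelems > 0 ? 1 : -1;
}

/* 1: retrieval failure is an error; 0: failure is ignored; -1: not listed. */
int element_is_required(const struct label_entry *e, const char *name)
{
    for (int i = 0; i < e->nelems; i++)
        if (strcmp(e->elem[i], name) == 0) return !e->optional[i];
    return -1;
}
```

Run over the example file above, the old-syntax process line reports partition as required, while the new-syntax process line reports it as optional.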
.Sh FILES
.Bl -tag -width ".Pa /etc/mac.conf" -compact
.It Pa /etc/mac.conf
MAC library configuration file.
.El
.Sh SEE ALSO
.Xr mac 3 ,
.Xr mac_get 3 ,
.Xr mac_prepare 3 ,
.Xr mac 4 ,
.Xr mac 9
.Sh HISTORY
Support for Mandatory Access Control was introduced in
.Fx 5.0
as part of the
.Tn TrustedBSD
Project.
.Sh BUGS
The
.Tn TrustedBSD
MAC Framework and associated policies, interfaces, and
applications are considered to be an experimental feature in
.Fx .
Sites considering production deployment should keep the experimental
status of these services in mind during any deployment process.
See also
.Xr mac 9
for related considerations regarding the kernel framework.