1.\" Copyright (c) 2003 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project in part by Network 5.\" Associates Laboratories, the Security Research Division of Network 6.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 7.\" as part of the DARPA CHATS research program. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 
29.\" 30.\" $FreeBSD$ 31.\" 32.Dd April 19, 2003 33.Dt MAC.CONF 5 34.Os 35.Sh NAME 36.Nm mac.conf 37.Nd format of the MAC library configuration file 38.Sh DESCRIPTION 39The 40.Nm 41file configures the default label elements to be used by policy-agnostic 42applications that operate on MAC labels. 43A file contains a series of default label sets specified by object class, 44in addition to blank lines and comments preceded by a 45.Ql # 46symbol. 47.Pp 48Currently, the implementation supports two syntax styles for label 49element declaration. 50The old (deprecated) syntax consists of a 51single line with two fields separated by white space: the object 52class name, and a list of label elements as used by the 53.Xr mac_prepare 3 54library calls prior to an application invocation of a function from 55.Xr mac_get 3 . 56.Pp 57The newer more preferred syntax consists of three fields separated by 58white space: the label group, object class name and a list of 59label elements. 60.Pp 61Label element names may optionally begin with a 62.Ql \&? 63symbol to indicate that a failure to retrieve the label element for 64an object should be silently ignored, and improves usability if the 65set of MAC policies may change over time. 66.Sh FILES 67.Bl -tag -width ".Pa /etc/mac.conf" -compact 68.It Pa /etc/mac.conf 69MAC library configuration file. 70.El 71.Sh EXAMPLES 72The following example configures user applications to operate with 73four MAC policies: 74.Xr mac_biba 4 , 75.Xr mac_mls 4 , 76SEBSD, 77and 78.Xr mac_partition 4 . 
.Bd -literal -offset indent
#
# Default label set to be used by simple MAC applications

default_labels file ?biba,?lomac,?mls,?sebsd
default_labels ifnet ?biba,?lomac,?mls,?sebsd
default_labels process ?biba,?lomac,?mls,?partition,?sebsd
default_labels socket ?biba,?lomac,?mls

#
# Deprecated (old) syntax

default_file_labels ?biba,?mls,?sebsd
default_ifnet_labels ?biba,?mls,?sebsd
default_process_labels ?biba,?mls,partition,?sebsd
.Ed
.Pp
In this example, the newer-syntax lines direct userland applications to
attempt to retrieve Biba, LOMAC, MLS and SEBSD labels for files, network
interfaces and processes, Biba, LOMAC and MLS labels for sockets, and
additionally a Partition identifier for processes.
Every element there carries the
.Ql \&?
prefix, so failure to retrieve any of them because the respective policy
is not loaded is silently ignored.
The deprecated lines request Biba, MLS and SEBSD labels for files,
network interfaces and processes, plus a Partition identifier for
processes; there the
.Ql partition
element lacks the
.Ql \&?
prefix, so failure to retrieve it is not ignored.
.Sh SEE ALSO
.Xr mac 3 ,
.Xr mac_get 3 ,
.Xr mac_prepare 3 ,
.Xr mac 4 ,
.Xr mac 9
.Sh HISTORY
Support for Mandatory Access Control was introduced in
.Fx 5.0
as part of the
.Tn TrustedBSD
Project.
.Sh BUGS
The
.Tn TrustedBSD
MAC Framework and associated policies, interfaces, and
applications are considered to be an experimental feature in
.Fx .
Sites considering production deployment should keep the experimental
status of these services in mind during any deployment process.
See also
.Xr mac 9
for related considerations regarding the kernel framework.
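The parser below is an added example written for this page; it is not code from FreeBSD's libmac and it does not call mac_prepare(3) or mac_get(3). It reads the two syntaxes described in DESCRIPTION (blank lines and # comments, the deprecated default_<class>_labels form, and the newer group/class/elements form), recovers the object class from the deprecated keyword, rejects lines with a malformed keyword or trailing junk, and reports for each label element whether it was declared optional with the ? prefix. The function names, the MAXFIELD/MAXENT limits and the SAMPLE_CONF text (a constructed copy of the example file above) are assumptions of this example, not part of the page.

```c
/* Added example: a parser for the mac.conf(5) syntax described above.  Not
 * FreeBSD libmac code; it never calls mac_prepare(3) or mac_get(3).  Function
 * names, size limits and the SAMPLE_CONF text are assumptions made here. */
#include <stdio.h>
#include <string.h>

#define MAXFIELD 128	/* longest accepted field (assumed limit) */
#define MAXENT 32	/* entries kept per file (assumed limit) */

struct mac_conf_entry {
	char group[MAXFIELD];		/* label group, e.g. "default_labels" */
	char class[MAXFIELD];		/* object class, e.g. "process" */
	char elements[MAXFIELD];	/* comma-separated list exactly as written */
	int deprecated;			/* 1 if the two-field syntax was used */
};

/* Constructed copy of the example file above, used as sample input. */
static const char SAMPLE_CONF[] =
    "#\n# Default label set to be used by simple MAC applications\n\n"
    "default_labels file ?biba,?lomac,?mls,?sebsd\n"
    "default_labels ifnet ?biba,?lomac,?mls,?sebsd\n"
    "default_labels process ?biba,?lomac,?mls,?partition,?sebsd\n"
    "default_labels socket ?biba,?lomac,?mls\n\n#\n# Deprecated (old) syntax\n\n"
    "default_file_labels ?biba,?mls,?sebsd\ndefault_ifnet_labels ?biba,?mls,?sebsd\n"
    "default_process_labels ?biba,?mls,partition,?sebsd\n";

/* Parse TEXT into OUT; returns the entry count, or -1 on a malformed line or
 * when more than MAX entries are present.  Blank and '#' lines are skipped. */
static int parse_mac_conf(const char *text, struct mac_conf_entry *out, int max)
{
	char buf[4096], f[4][MAXFIELD], *line;
	size_t len, plen = strlen("default_"), slen = strlen("_labels");
	int n, count = 0;
	if (strlen(text) >= sizeof(buf))
		return (-1);
	strcpy(buf, text);
	for (line = strtok(buf, "\n"); line != NULL; line = strtok(NULL, "\n")) {
		n = sscanf(line, "%127s %127s %127s %127s", f[0], f[1], f[2], f[3]);
		if (n < 1 || f[0][0] == '#')	/* blank line or comment */
			continue;
		if (n == 2) {	/* deprecated default_<class>_labels <elements> */
			len = strlen(f[0]);
			if (len <= plen + slen || strncmp(f[0], "default_", plen) != 0 ||
			    strcmp(f[0] + len - slen, "_labels") != 0)
				return (-1);
			strcpy(f[2], f[1]);	/* rewrite into the three-field form */
			memcpy(f[1], f[0] + plen, len - plen - slen);
			f[1][len - plen - slen] = '\0';
			strcpy(f[0], "default_labels");
		} else if (n != 3)	/* one field, or trailing junk after the elements */
			return (-1);
		if (count >= max)
			return (-1);
		strcpy(out[count].group, f[0]);
		strcpy(out[count].class, f[1]);
		strcpy(out[count].elements, f[2]);
		out[count++].deprecated = (n == 2);
	}
	return (count);
}

/* 1 if NAME appears in ELEMENTS as "?NAME" (retrieval failure ignored), 0 if
 * it appears without the prefix (failure not ignored), -1 if it is absent. */
static int mac_conf_element_status(const char *elements, const char *name)
{
	const char *p = elements, *end;
	size_t len, nlen = strlen(name);
	int optional;
	for (;;) {
		end = strchr(p, ',');
		len = (end != NULL) ? (size_t)(end - p) : strlen(p);
		optional = (len > 0 && p[0] == '?');
		if (len - optional == nlen && strncmp(p + optional, name, nlen) == 0)
			return (optional);
		if (end == NULL)
			return (-1);
		p = end + 1;
	}
}

/* Status of NAME for CLASS in SAMPLE_CONF, from its newer-syntax (DEPRECATED 0)
 * or deprecated-syntax (1) default_labels entry; -1 if none, -2 on parse error. */
static int sample_status(const char *class, int deprecated, const char *name)
{
	struct mac_conf_entry ents[MAXENT];
	int i, n = parse_mac_conf(SAMPLE_CONF, ents, MAXENT);
	for (i = 0; i < n; i++)
		if (ents[i].deprecated == deprecated && strcmp(ents[i].class, class) == 0 &&
		    strcmp(ents[i].group, "default_labels") == 0)
			return (mac_conf_element_status(ents[i].elements, name));
	return (n < 0 ? -2 : -1);
}

int main(void)
{
	printf("partition on process: newer syntax %d, deprecated %d (1 = optional)\n",
	    sample_status("process", 0, "partition"), sample_status("process", 1, "partition"));
	return (0);
}
```

Built with a plain `cc` invocation, the program shows the discrepancy the example above carries: the partition element is optional under the newer-syntax process line but required under the deprecated one. The deprecated keyword is validated by prefix and suffix rather than matched against a fixed list of classes, so a line such as `default_file ?biba` is rejected instead of being silently mapped to some class.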