xref: /freebsd/share/man/man4/mac.4 (revision 4b2eaea43fec8e8792be611dea204071a10b655a)
1.\" Copyright (c) 2003 Networks Associates Technology, Inc.
2.\" All rights reserved.
3.\"
4.\" This software was developed for the FreeBSD Project by Chris Costello
5.\" at Safeport Network Services and Network Associates Labs, the
6.\" Security Research Division of Network Associates, Inc. under
7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
8.\" DARPA CHATS research program.
9.\"
10.\" Redistribution and use in source and binary forms, with or without
11.\" modification, are permitted provided that the following conditions
12.\" are met:
13.\" 1. Redistributions of source code must retain the above copyright
14.\"    notice, this list of conditions and the following disclaimer.
15.\" 2. Redistributions in binary form must reproduce the above copyright
16.\"    notice, this list of conditions and the following disclaimer in the
17.\"    documentation and/or other materials provided with the distribution.
18.\"
19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29.\" SUCH DAMAGE.
30.\"
31.\" $FreeBSD$
32.Dd JANUARY 8, 2003
33.Os
34.Dt MAC 4
35.Sh NAME
36.Nm mac
37.Nd Mandatory Access Control
38.Sh SYNOPSIS
39.Cd "options MAC"
40.Sh DESCRIPTION
41.Ss Introduction
42The Mandatory Access Control, or MAC, framework allows administrators to
43finely control system security by providing for a loadable security policy
44architecture.
45It is important to note that due to its nature, MAC security policies may
46only further restrict security; they cannot override traditional UNIX
47security provisions such as file permissions and superuser checks.
48.Pp
49Currently, the following MAC policy modules are shipped with
50.Fx :
51.Bl -column ".Xr mac_seeotheruids 4" "low-watermark mac policy" ".Em Labeling" "boot only"
52.It Em Name Ta Em Description Ta Em Labeling Ta Em "Load time"
53.It Xr mac_biba 4 Ta "Biba integrity policy" Ta yes Ta boot only
54.It Xr mac_bsdextended 4 Ta "File system firewall" Ta no Ta any time
55.It Xr mac_ifoff 4 Ta "Interface silencing" Ta no Ta any time
56.It Xr mac_lomac 4 Ta "Low-Watermark MAC policy" Ta yes Ta boot only
57.It Xr mac_mls 4 Ta "Confidentiality policy" Ta yes Ta boot only
58.It Xr mac_none 4 Ta "Sample no-op policy" Ta no Ta any time
59.It Xr mac_partition 4 Ta "Process partition policy" Ta yes Ta any time
60.It Xr mac_seeotheruids 4 Ta "See-other-UIDs policy" Ta no Ta any time
61.It Xr mac_test 4 Ta "MAC testing policy" Ta no Ta any time
62.El
63.Ss MAC Labels
64Each system subject (processes, sockets, etc.) and each system object
65(file system objects, sockets, etc.) can carry with it a MAC label.
MAC labels can contain data in an arbitrary format
used by the MAC policies to help determine the
access rights for a given operation.
Most MAC labels on system subjects and objects
can be modified directly or indirectly by the system
administrator.
More information on the format for MAC labels can be found in the
.Xr maclabel 7
man page.
.Ss Setting MAC labels
From the command line, each type of system object has its own means for setting
and modifying its MAC policy label.
.Bl -column "user login process" "Xr login.conf 5" -offset indent
.It Em "Subject/Object" Ta Em "Utility"
.It "File system object" Ta Xr setfmac 8
.It "Network interface" Ta Xr ifconfig 8
.It "TTY (by login class)" Ta Xr login.conf 5
.It "User (by login class)" Ta Xr login.conf 5
.El
.Pp
Additionally, the
.Xr setpmac 8
command can be used to run a command with a different process label than
the shell's current label.
.Ss Programming With MAC
MAC security enforcement itself is transparent to application
programs, with the exception that some programs may need to be aware of
additional
.Xr errno 2
returns from various system calls.
.Pp
The interface for retrieving, handling, and setting policy labels
is documented in the
.Xr mac 3
man page.
.Sh SEE ALSO
.Xr mac 3 ,
.Xr mac_biba 4 ,
.Xr mac_bsdextended 4 ,
.Xr mac_ifoff 4 ,
.Xr mac_lomac 4 ,
.Xr mac_mls 4 ,
.Xr mac_none 4 ,
.Xr mac_partition 4 ,
.Xr mac_seeotheruids 4 ,
.Xr mac_test 4 ,
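As an added illustration (not part of this manual page or of the FreeBSD MAC implementation), the following Python model shows the composition rule stated in the Introduction: the traditional UNIX check must pass and every loaded policy must also allow the operation, so policies can only further restrict access. It assumes textual labels of the form "policy/value" joined by commas (as in "biba/high,mls/low"), models only the Biba and MLS modules from the table above with a simplified low/numeric/high grade order, and treats a missing label element as "policy does not apply".

```python
from typing import Callable, Dict

Label = Dict[str, str]

def parse_label(text: str) -> Label:
    """Split a textual label such as 'biba/high,mls/low' into a dict."""
    label: Label = {}
    for element in filter(None, text.split(",")):
        policy, _, value = element.partition("/")
        if not value:
            raise ValueError(f"malformed label element: {element!r}")
        label[policy] = value
    return label

def grade(value: str) -> int:
    # Assumed grade order: low < numeric grades < high.
    if value == "low":
        return 0
    if value == "high":
        return 65535
    return int(value)

def dominates(a: str, b: str) -> bool:
    """True when a is at or above b; 'equal' compares as both at and above."""
    if "equal" in (a, b):
        return True
    return grade(a) >= grade(b)

def biba_check(subject: Label, obj: Label, op: str) -> bool:
    # Biba integrity: no read down, no write up.
    s, o = subject.get("biba"), obj.get("biba")
    if s is None or o is None:
        return True  # assumption: unlabeled means the policy does not apply
    return dominates(o, s) if op == "read" else dominates(s, o)

def mls_check(subject: Label, obj: Label, op: str) -> bool:
    # MLS confidentiality: no read up, no write down.
    s, o = subject.get("mls"), obj.get("mls")
    if s is None or o is None:
        return True
    return dominates(s, o) if op == "read" else dominates(o, s)

POLICIES: Dict[str, Callable[[Label, Label, str], bool]] = {
    "biba": biba_check, "mls": mls_check}

def mac_allowed(subject_label: str, object_label: str, op: str,
                dac_allows: bool) -> bool:
    """Framework rule: DAC must allow AND every loaded policy must allow."""
    if not dac_allows:
        return False  # MAC never overrides a DAC denial
    subject, obj = parse_label(subject_label), parse_label(object_label)
    return all(check(subject, obj, op) for check in POLICIES.values())
```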
.Xr login.conf 5 ,
.Xr maclabel 7 ,
.Xr getfmac 8 ,
.Xr setfmac 8 ,
.Xr getpmac 8 ,
.Xr setpmac 8 ,
.Xr mac 9
.Rs
.%B "The FreeBSD Handbook"
.%T "Mandatory Access Control"
.%O http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac.html
.Re
.Sh HISTORY
The
.Nm
implementation first appeared in
.Fx 5.0
and was developed by the TrustedBSD Project.
.Sh AUTHORS
This software was contributed to the
.Fx
Project by Network Associates Labs,
the Security Research Division of Network Associates
Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
as part of the DARPA CHATS research program.