IPnom Home • Manuals • FreeBSD

 FreeBSD Man Pages

Man Sections:Commands (1)System Calls (2)Library Functions (3)Device Drivers (4)File Formats (5)Miscellaneous (7)System Utilities (8)
Keyword Live Search (10 results max):
 Type in part of a command in the search box.
 
Index:
  CPU_ELAN(4)
  CPU_SOEKRIS(4)
  aac(4)
  acd(4)
  acpi(4)
  acpi_asus(4)
  acpi_panasonic(4)
  acpi_thermal(4)
  acpi_toshiba(4)
  acpi_video(4)
  ad(4)
  adv(4)
  adw(4)
  afd(4)
  agp(4)
  agpgart(4)
  aha(4)
  ahb(4)
  ahc(4)
  ahd(4)
  aic(4)
  aio(4)
  alpm(4)
  altq(4)
  amd(4)
  amdpm(4)
  amr(4)
  an(4)
  apm(4)
  ar(4)
  arcmsr(4)
  arl(4)
  arp(4)
  asr(4)
  ast(4)
  ata(4)
  atapicam(4)
  ath(4)
  ath_hal(4)
  atkbd(4)
  atkbdc(4)
  aue(4)
  awi(4)
  axe(4)
  bfe(4)
  bge(4)
  bktr(4)
  blackhole(4)
  bpf(4)
  bridge(4)
  brooktree(4)
  bt(4)
  cam(4)
  card(4)
  cardbus(4)
  carp(4)
  cbb(4)
  ccd(4)
  cd(4)
  cdce(4)
  ch(4)
  ciss(4)
  cm(4)
  cnw(4)
  cp(4)
  cpufreq(4)
  crypto(4)
  cryptodev(4)
  cs(4)
  ct(4)
  ctau(4)
  cue(4)
  cx(4)
  cy(4)
  da(4)
  dc(4)
  dcons(4)
  dcons_crom(4)
  ddb(4)
  de(4)
  devctl(4)
  digi(4)
  disc(4)
  divert(4)
  dpt(4)
  dummynet(4)
  ed(4)
  ef(4)
  ehci(4)
  el(4)
  em(4)
  en(4)
  ep(4)
  esp(4)
  ex(4)
  exca(4)
  faith(4)
  fast_ipsec(4)
  fatm(4)
  fd(4)
  fdc(4)
  fe(4)
  fea(4)
  firewire(4)
  fla(4)
  fpa(4)
  fwe(4)
  fwip(4)
  fwohci(4)
  fxp(4)
  gbde(4)
  gdb(4)
  gem(4)
  geom(4)
  gif(4)
  gre(4)
  gx(4)
  harp(4)
  hatm(4)
  hfa(4)
  hifn(4)
  hme(4)
  hptmv(4)
  i4b(4)
  i4bcapi(4)
  i4bctl(4)
  i4bing(4)
  i4bipr(4)
  i4bisppp(4)
  i4bq921(4)
  i4bq931(4)
  i4brbch(4)
  i4btel(4)
  i4btrc(4)
  iavc(4)
  ichsmb(4)
  ichwd(4)
  icmp(4)
  icmp6(4)
  ida(4)
  idt(4)
  ie(4)
  ieee80211(4)
  if_an(4)
  if_aue(4)
  if_awi(4)
  if_axe(4)
  if_bfe(4)
  if_bge(4)
  if_cue(4)
  if_dc(4)
  if_de(4)
  if_disc(4)
  if_ed(4)
  if_ef(4)
  if_em(4)
  if_en(4)
  if_faith(4)
  if_fatm(4)
  if_fwe(4)
  if_fwip(4)
  if_fxp(4)
  if_gem(4)
  if_gif(4)
  if_gre(4)
  if_gx(4)
  if_hatm(4)
  if_hme(4)
  if_idt(4)
  if_kue(4)
  if_lge(4)
  if_my(4)
  if_ndis(4)
  if_nge(4)
  if_oltr(4)
  if_patm(4)
  if_pcn(4)
  if_ppp(4)
  if_re(4)
  if_rl(4)
  if_rue(4)
  if_sbni(4)
  if_sbsh(4)
  if_sf(4)
  if_sis(4)
  if_sk(4)
  if_sl(4)
  if_sn(4)
  if_ste(4)
  if_stf(4)
  if_tap(4)
  if_ti(4)
  if_tl(4)
  if_tun(4)
  if_tx(4)
  if_txp(4)
  if_udav(4)
  if_vge(4)
  if_vlan(4)
  if_vr(4)
  if_wb(4)
  if_wi(4)
  if_xe(4)
  if_xl(4)
  ifmib(4)
  ifpi(4)
  ifpi2(4)
  ifpnp(4)
  ihfc(4)
  iic(4)
  iicbb(4)
  iicbus(4)
  iicsmb(4)
  iir(4)
  imm(4)
  inet(4)
  inet6(4)
  intpm(4)
  intro(4)
  io(4)
  ip(4)
  ip6(4)
  ipaccounting(4)
  ipacct(4)
  ipf(4)
  ipfirewall(4)
  ipfw(4)
  ipl(4)
  ipnat(4)
  ips(4)
  ipsec(4)
  isic(4)
  isp(4)
  ispfw(4)
  itjc(4)
  iwic(4)
  ixgb(4)
  joy(4)
  kame(4)
  keyboard(4)
  kld(4)
  kmem(4)
  ktr(4)
  kue(4)
  led(4)
  lge(4)
  linux(4)
  lnc(4)
  lo(4)
  longrun(4)
  loop(4)
  lp(4)
  lpbb(4)
  lpt(4)
  mac(4)
  mac_biba(4)
  mac_bsdextended(4)
  mac_ifoff(4)
  mac_lomac(4)
  mac_mls(4)
  mac_none(4)
  mac_partition(4)
  mac_portacl(4)
  mac_seeotheruids(4)
  mac_stub(4)
  mac_test(4)
  mcd(4)
  md(4)
  mem(4)
  meteor(4)
  miibus(4)
  mlx(4)
  mly(4)
  mouse(4)
  mpt(4)
  mse(4)
  mtio(4)
  multicast(4)
  my(4)
  natm(4)
  natmip(4)
  ncr(4)
  ncv(4)
  ndis(4)
  net(4)
  netgraph(4)
  netintro(4)
  networking(4)
  ng_UI(4)
  ng_async(4)
  ng_atm(4)
  ng_atmllc(4)
  ng_atmpif(4)
  ng_bluetooth(4)
  ng_bpf(4)
  ng_bridge(4)
  ng_bt3c(4)
  ng_btsocket(4)
  ng_ccatm(4)
  ng_cisco(4)
  ng_device(4)
  ng_echo(4)
  ng_eiface(4)
  ng_etf(4)
  ng_ether(4)
  ng_fec(4)
  ng_frame_relay(4)
  ng_gif(4)
  ng_gif_demux(4)
  ng_h4(4)
  ng_hci(4)
  ng_hole(4)
  ng_hub(4)
  ng_iface(4)
  ng_ip_input(4)
  ng_ksocket(4)
  ng_l2cap(4)
  ng_l2tp(4)
  ng_lmi(4)
  ng_mppc(4)
  ng_netflow(4)
  ng_one2many(4)
  ng_ppp(4)
  ng_pppoe(4)
  ng_pptpgre(4)
  ng_rfc1490(4)
  ng_socket(4)
  ng_split(4)
  ng_sppp(4)
  ng_sscfu(4)
  ng_sscop(4)
  ng_tee(4)
  ng_tty(4)
  ng_ubt(4)
  ng_uni(4)
  ng_vjc(4)
  ng_vlan(4)
  nge(4)
  nmdm(4)
  npx(4)
  nsp(4)
  null(4)
  ohci(4)
  oldcard(4)
  oltr(4)
  opie(4)
  orm(4)
  pae(4)
  pass(4)
  patm(4)
  pccard(4)
  pccbb(4)
  pcf(4)
  pci(4)
  pcic(4)
  pcm(4)
  pcn(4)
  pcvt(4)
  perfmon(4)
  pf(4)
  pflog(4)
  pfsync(4)
  pim(4)
  plip(4)
  pnp(4)
  pnpbios(4)
  polling(4)
  ppbus(4)
  ppc(4)
  ppi(4)
  ppp(4)
  psm(4)
  pst(4)
  pt(4)
  pty(4)
  puc(4)
  random(4)
  rawip(4)
  ray(4)
  rc(4)
  re(4)
  rl(4)
  rndtest(4)
  route(4)
  rp(4)
  rue(4)
  sa(4)
  sab(4)
  safe(4)
  sbni(4)
  sbp(4)
  sbp_targ(4)
  sbsh(4)
  sc(4)
  scbus(4)
  scd(4)
  sched_4bsd(4)
  sched_ule(4)
  screen(4)
  screensaver(4)
  scsi(4)
  sem(4)
  ses(4)
  sf(4)
  si(4)
  sio(4)
  sis(4)
  sk(4)
  skey(4)
  sl(4)
  smapi(4)
  smb(4)
  smbus(4)
  smp(4)
  sn(4)
  snc(4)
  snd(4)
  snd_ad1816(4)
  snd_als4000(4)
  snd_cmi(4)
  snd_cs4281(4)
  snd_csa(4)
  snd_ds1(4)
  snd_emu10k1(4)
  snd_es137x(4)
  snd_ess(4)
  snd_fm801(4)
  snd_gusc(4)
  snd_ich(4)
  snd_maestro(4)
  snd_maestro3(4)
  snd_neomagic(4)
  snd_sbc(4)
  snd_solo(4)
  snd_uaudio(4)
  snd_via8233(4)
  snd_via82c686(4)
  snd_vibes(4)
  snp(4)
  sound(4)
  speaker(4)
  spic(4)
  spkr(4)
  splash(4)
  sppp(4)
  sr(4)
  stderr(4)
  stdin(4)
  stdout(4)
  ste(4)
  stf(4)
  stg(4)
  streams(4)
  svr4(4)
  sym(4)
  syncache(4)
  syncer(4)
  syncookies(4)
  syscons(4)
  sysmouse(4)
  tap(4)
  targ(4)
  tcp(4)
  tdfx(4)
  termios(4)
  ti(4)
  tl(4)
  trm(4)
  ttcp(4)
  tty(4)
  tun(4)
  twa(4)
  twe(4)
  tx(4)
  txp(4)
  uart(4)
  ubsa(4)
  ubsec(4)
  ubser(4)
  ubtbcmfw(4)
  ucom(4)
  udav(4)
  udbp(4)
  udp(4)
  ufm(4)
  uftdi(4)
  ugen(4)
  uhci(4)
  uhid(4)
  uhidev(4)
  ukbd(4)
  ulpt(4)
  umass(4)
  umct(4)
  umodem(4)
  ums(4)
  unix(4)
  uplcom(4)
  urio(4)
  usb(4)
  uscanner(4)
  utopia(4)
  uvisor(4)
  uvscom(4)
  vga(4)
  vge(4)
  viapm(4)
  vinum(4)
  vinumdebug(4)
  vlan(4)
  vn(4)
  vpd(4)
  vpo(4)
  vr(4)
  vt(4)
  vx(4)
  watchdog(4)
  wb(4)
  wd(4)
  wdc(4)
  wi(4)
  witness(4)
  wl(4)
  wlan(4)
  worm(4)
  xe(4)
  xl(4)
  xpt(4)
  zero(4)

mac(4)

NAME

     mac -- Mandatory Access Control


SYNOPSIS

     options MAC


DESCRIPTION

   Introduction
     The Mandatory Access Control, or MAC, framework allows administrators to
     finely control system security by providing for a loadable security pol-
     icy architecture.	It is important to note that due to its nature, MAC
     security policies may only restrict access relative to one another and
     the base system policy; they cannot override traditional UNIX security
     provisions such as file permissions and superuser checks.

     Currently, the following MAC policy modules are shipped with FreeBSD:

     Name		    Description 		Labeling    Load time
     mac_biba(4)	    Biba integrity policy	yes	    boot only
     mac_bsdextended(4)     File system firewall	no	    any time
     mac_ifoff(4)	    Interface silencing 	no	    any time
     mac_lomac(4)	    Low-Watermark MAC policy	yes	    boot only
     mac_mls(4) 	    Confidentiality policy	yes	    boot only
     mac_none(4)	    Sample no-op policy 	no	    any time
     mac_partition(4)	    Process partition policy	yes	    any time
     mac_portacl(4)	    Port bind(2) access control no	    any time
     mac_seeotheruids(4)    See-other-UIDs policy	no	    any time
     mac_test(4)	    MAC testing policy		no	    any time

   MAC Labels
     Each system subject (processes, sockets, etc.) and each system object
     (file system objects, sockets, etc.) can carry with it a MAC label.  MAC
     labels contain data in an arbitrary format taken into consideration in
     making access control decisions for a given operation.  Most MAC labels
     on system subjects and objects can be modified directly or indirectly by
     the system administrator.	The format for a given policy's label may vary
     depending on the type of object or subject being labeled.	More informa-
     tion on the format for MAC labels can be found in the maclabel(7) man
     page.

   MAC Support for UFS2 File Systems
     By default, file system enforcement of labeled MAC policies relies on a
     single file system label (see MAC Labels) in order to make access control
     decisions for all the files in a particular file system.  With some poli-
     cies, this configuration may not allow administrators to take full advan-
     tage of features.	In order to enable support for labeling files on an
     individual basis for a particular file system, the ``multilabel'' flag
     must be enabled on the file system.  To set the ``multilabel'' flag, drop
     to single-user mode and unmount the file system, then execute the follow-
     ing command:

	   tunefs -l enable filesystem

     where filesystem is either the mount point (in fstab(5)) or the special
     file (in /dev) corresponding to the file system on which to enable multi-
     label support.

     KLD
     Loading, unloading, and retrieving statistics on loaded kernel modules

     Network
     Network interfaces, bpf(4), packet delivery and transmission, interface
     configuration (ioctl(2), ifconfig(8))

     Pipes
     Creation of and operation on pipe(2) objects

     Processes
     Debugging (e.g. ktrace(2)), process visibility (ps(1)), process execution
     (execve(2)), signalling (kill(2))

     Sockets
     Creation of and operation on socket(2) objects

     System
     Kernel environment (kenv(1)), system accounting (acct(2)), reboot(2),
     settimeofday(2), swapon(2), sysctl(3), nfsd(8)-related operations

     VM
     mmap(2)-ed files

   Setting MAC Labels
     From the command line, each type of system object has its own means for
     setting and modifying its MAC policy label.

	   Subject/Object	    Utility
	   File system object	    setfmac(8), setfsmac(8)
	   Network interface	    ifconfig(8)
	   TTY (by login class)     login.conf(5)
	   User (by login class)    login.conf(5)

     Additionally, the su(1) and setpmac(8) utilities can be used to run a
     command with a different process label than the shell's current label.

   Programming With MAC
     MAC security enforcement itself is transparent to application programs,
     with the exception that some programs may need to be aware of additional
     errno(2) returns from various system calls.

     The interface for retrieving, handling, and setting policy labels is doc-
     umented in the mac(3) man page.

   Runtime Configuration
     The following sysctl(8) MIBs are available for fine-tuning the enforce-
     ment of MAC policies.  Unless specifically noted, all MIBs default to 1
     (that is, all areas are enforced by default):

     security.mac.enforce_fs	   Enforce MAC policies for file system
				   accesses.

     security.mac.enforce_kld	   Enforce MAC policies on kld(4).

     security.mac.enforce_network  Enforce MAC policies on network interfaces.

     security.mac.enforce_pipe	   Enforce MAC policies on pipes.

     security.mac.enforce_vm	   Enforce MAC policies on mmap(2) and
				   mprotect(2).


SEE ALSO

     mac(3), mac_biba(4), mac_bsdextended(4), mac_ifoff(4), mac_lomac(4),
     mac_mls(4), mac_none(4), mac_partition(4), mac_portacl(4),
     mac_seeotheruids(4), mac_test(4), login.conf(5), maclabel(7), getfmac(8),
     getpmac(8), setfmac(8), setpmac(8), mac(9)

     "Mandatory Access Control", The FreeBSD Handbook,
     http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html.


HISTORY

     The mac implementation first appeared in FreeBSD 5.0 and was developed by
     the TrustedBSD Project.


AUTHORS

     This software was contributed to the FreeBSD Project by Network Asso-
     ciates Labs, the Security Research Division of Network Associates Inc.
     under DARPA/SPAWAR contract N66001-01-C-8035 (``CBOSS''), as part of the
     DARPA CHATS research program.


BUGS

     See mac(9) concerning appropriateness for production use.	The TrustedBSD
     MAC Framework is considered experimental in FreeBSD.

     While the MAC Framework design is intended to support the containment of
     the root user, not all attack channels are currently protected by entry
     point checks.  As such, MAC Framework policies should not be relied on,
     in isolation, to protect against a malicious privileged user.

FreeBSD 5.4			January 8, 2003 		   FreeBSD 5.4

SPONSORED LINKS




Man(1) output converted with man2html , sed , awk