The OpenNET Project / Index page

mac (4) (FreeBSD man: Special files /dev/*)

    NAME

    mac - Mandatory Access Control

    SYNOPSIS

    options MAC

    DESCRIPTION

    Introduction

    The Mandatory Access Control, or MAC, framework allows administrators to finely control system security by providing for a loadable security policy architecture. It is important to note that due to its nature, MAC security policies may only restrict access relative to one another and the base system policy; they cannot override traditional UNIX security provisions such as file permissions and superuser checks.

    Currently, the following MAC policy modules are shipped with FreeBSD:

    Name                 Description                   Labeling   Load time
    mac_biba(4)          Biba integrity policy         yes        boot only
    mac_bsdextended(4)   File system firewall          no         any time
    mac_ifoff(4)         Interface silencing           no         any time
    mac_lomac(4)         Low-Watermark MAC policy      yes        boot only
    mac_mls(4)           Confidentiality policy        yes        boot only
    mac_none(4)          Sample no-op policy           no         any time
    mac_partition(4)     Process partition policy      yes        any time
    mac_portacl(4)       Port bind(2) access control   no         any time
    mac_seeotheruids(4)  See-other-UIDs policy         no         any time
    mac_test(4)          MAC testing policy            no         any time

    MAC Labels

    Each system subject (processes, sockets, etc.) and each system object (file system objects, sockets, etc.) can carry with it a MAC label. MAC labels contain data in an arbitrary format taken into consideration in making access control decisions for a given operation. Most MAC labels on system subjects and objects can be modified directly or indirectly by the system administrator. The format for a given policy's label may vary depending on the type of object or subject being labeled. More information on the format for MAC labels can be found in the maclabel(7) man page.  

    MAC Support for UFS2 File Systems

    By default, file system enforcement of labeled MAC policies relies on a single file system label (see MAC Labels above) in order to make access control decisions for all the files in a particular file system. With some policies, this configuration may not allow administrators to take full advantage of features. In order to enable support for labeling files on an individual basis for a particular file system, the "multilabel" flag must be enabled on the file system. To set the "multilabel" flag, drop to single-user mode and unmount the file system, then execute the following command:

    tunefs -l enable filesystem

    where filesystem is either the mount point (in fstab(5)) or the special file (in /dev) corresponding to the file system on which to enable multilabel support.
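The multilabel procedure above, scripted with the checks an administrator would want around it (file system not mounted, flag re-read after tunefs). This is an added example, not part of the man page or the FreeBSD base system; it assumes that `tunefs -p` prints a report line containing "MAC multilabel" ending in "enabled" or "disabled", and that the report goes to stderr.

```shell
#!/bin/sh
# Added example, not from the mac(4) page: enable per-file MAC labels on one
# UFS2 file system and confirm the flag actually took. Run on FreeBSD in
# single-user mode with the file system unmounted, as the page describes.
# Assumption: `tunefs -p` reports a line containing "MAC multilabel" that ends
# in "enabled" or "disabled", and writes that report to stderr.
set -eu

# Reduce `tunefs -p` output (read from stdin) to enabled/disabled/unknown.
multilabel_state() {
    state=unknown
    while IFS= read -r line; do
        case "$line" in
            *"MAC multilabel"*enabled*)  state=enabled ;;
            *"MAC multilabel"*disabled*) state=disabled ;;
        esac
    done
    echo "$state"
}

# True if $1 (special device or mount point) appears in mount(8) output.
# tunefs must not be run on a mounted file system.
is_mounted() {
    mount | awk -v fs="$1" '$1 == fs || $3 == fs { found = 1 } END { exit !found }'
}

# Enable multilabel on $1 and verify by re-reading the superblock flags.
enable_multilabel() {
    fs=$1
    if is_mounted "$fs"; then
        echo "$fs is still mounted; unmount it in single-user mode first" >&2
        return 1
    fi
    case "$(tunefs -p "$fs" 2>&1 | multilabel_state)" in
        enabled) echo "$fs: multilabel already enabled"; return 0 ;;
        unknown) echo "$fs: could not read tunefs -p report" >&2; return 1 ;;
    esac
    tunefs -l enable "$fs"
    after=$(tunefs -p "$fs" 2>&1 | multilabel_state)
    [ "$after" = enabled ] || { echo "$fs: multilabel still $after" >&2; return 1; }
    echo "$fs: multilabel enabled; remount it and set per-file labels with setfmac(8)"
}

if [ $# -eq 1 ]; then
    enable_multilabel "$1"
fi
```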

    Policy Enforcement

    Policy enforcement is divided into the following areas of the system:

    File System
        File system mounts, modifying directories, modifying files, etc.
    KLD
        Loading, unloading, and retrieving statistics on loaded kernel modules
    Network
        Network interfaces, bpf(4), packet delivery and transmission, interface configuration (ioctl(2), ifconfig(8))
    Pipes
        Creation of and operation on pipe(2) objects
    Processes
        Debugging (e.g. ktrace(2)), process visibility (ps(1)), process execution (execve(2)), signalling (kill(2))
    Sockets
        Creation of and operation on socket(2) objects
    System
        Kernel environment (kenv(1)), system accounting (acct(2)), reboot(2), settimeofday(2), swapon(2), sysctl(3), nfsd(8)-related operations
    VM
        mmap(2)-ed files

    Setting MAC Labels

    From the command line, each type of system object has its own means for setting and modifying its MAC policy label.

    Subject/Object          Utility
    File system object      setfmac(8), setfsmac(8)
    Network interface       ifconfig(8)
    TTY (by login class)    login.conf(5)
    User (by login class)   login.conf(5)

    Additionally, the su(1) and setpmac(8) utilities can be used to run a command with a different process label than the shell's current label.

    Programming With MAC

    MAC security enforcement itself is transparent to application programs, with the exception that some programs may need to be aware of additional errno(2) returns from various system calls.

    The interface for retrieving, handling, and setting policy labels is documented in the mac(3) man page.


    SEE ALSO

    mac(3), mac_biba(4), mac_bsdextended(4), mac_ifoff(4), mac_lomac(4), mac_mls(4), mac_none(4), mac_partition(4), mac_portacl(4), mac_seeotheruids(4), mac_test(4), login.conf(5), maclabel(7), getfmac(8), getpmac(8), setfmac(8), setpmac(8), mac(9)
    "The FreeBSD Handbook", "Mandatory Access Control", http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html

    HISTORY

    The implementation first appeared in FreeBSD 5.0 and was developed by the TrustedBSD Project.

    AUTHORS

    This software was contributed to the FreeBSD Project by Network Associates Labs, the Security Research Division of Network Associates Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS") as part of the DARPA CHATS research program.

    BUGS

    See mac(9) concerning appropriateness for production use. The TrustedBSD MAC Framework is considered experimental in FreeBSD.

    While the MAC Framework design is intended to support the containment of the root user, not all attack channels are currently protected by entry point checks. As such, MAC Framework policies should not be relied on, in isolation, to protect against a malicious privileged user.
