FreeBSD manual
MAC.CONF(5) FreeBSD File Formats Manual MAC.CONF(5)
NAME
mac.conf - format of the MAC library configuration file
DESCRIPTION
The mac.conf file configures the default label elements to be used by
policy-agnostic applications that operate on MAC labels. A file contains
a series of default label sets specified by object class, in addition to
blank lines and comments preceded by a `#' symbol.
Currently, the implementation supports two syntax styles for label
element declaration. The old (deprecated) syntax consists of a single
line with two fields separated by white space: the object class name, and
a list of label elements as used by the mac_prepare(3) library calls
prior to an application invocation of a function from mac_get(3).
The newer, preferred syntax consists of three fields separated by
white space: the label group, object class name and a list of label
elements.
Label element names may optionally begin with a `?' symbol to indicate
that a failure to retrieve the label element for an object should be
silently ignored. This improves usability if the set of MAC policies may
change over time.
FILES
/etc/mac.conf MAC library configuration file.
EXAMPLES
The following example configures user applications to operate with four
MAC policies: mac_biba(4), mac_mls(4), SEBSD, and mac_partition(4).
#
# Default label set to be used by simple MAC applications
default_labels file ?biba,?lomac,?mls,?sebsd
default_labels ifnet ?biba,?lomac,?mls,?sebsd
default_labels process ?biba,?lomac,?mls,?partition,?sebsd
default_labels socket ?biba,?lomac,?mls
#
# Deprecated (old) syntax
default_file_labels ?biba,?mls,?sebsd
default_ifnet_labels ?biba,?mls,?sebsd
default_process_labels ?biba,?mls,partition,?sebsd
In this example, userland applications will attempt to retrieve Biba,
MLS, and SEBSD labels for all object classes; for processes, they will
additionally attempt to retrieve a Partition identifier. In all cases
except the Partition identifier, failure to retrieve a label due to the
respective policy not being present will be ignored.
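An added example, not part of the manual page or FreeBSD's own code: a small Python parser for both syntaxes described above that reports deprecated entries and label elements lacking the `?' prefix. The names parse_mac_conf, OLD_KEYWORD and SAMPLE are hypothetical; treating `#' as a comment start anywhere on a line and accepting only the default_labels group are assumptions.

```python
import re

# Old (deprecated) two-field keyword, e.g. default_file_labels.
OLD_KEYWORD = re.compile(r"^default_([a-z]+)_labels$")

def parse_mac_conf(text):
    """Return (entries, findings); entry = (line, class, deprecated, elements)."""
    entries, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Assumption: '#' starts a comment anywhere on the line.
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment only
        old = OLD_KEYWORD.match(fields[0])
        if len(fields) == 3 and fields[0] == "default_labels":
            # New syntax; default_labels is the only group the page shows.
            obj_class, elem_list, deprecated = fields[1], fields[2], False
        elif len(fields) == 2 and old:
            obj_class, elem_list, deprecated = old.group(1), fields[1], True
            findings.append((lineno, "deprecated syntax"))
        else:
            findings.append((lineno, "unrecognized line"))
            continue
        elements = []
        for name in elem_list.split(","):
            optional = name.startswith("?")
            elements.append((name.lstrip("?"), optional))
            if not optional:
                # Without '?', a failed retrieval is not silently ignored.
                findings.append((lineno, f"mandatory element: {name}"))
        entries.append((lineno, obj_class, deprecated, elements))
    return entries, findings

# Entries from this page's EXAMPLES block, embedded so the script runs offline.
SAMPLE = """\
# Default label set to be used by simple MAC applications
default_labels file ?biba,?lomac,?mls,?sebsd
default_labels ifnet ?biba,?lomac,?mls,?sebsd
default_labels process ?biba,?lomac,?mls,?partition,?sebsd
default_labels socket ?biba,?lomac,?mls
# Deprecated (old) syntax
default_file_labels ?biba,?mls,?sebsd
default_ifnet_labels ?biba,?mls,?sebsd
default_process_labels ?biba,?mls,partition,?sebsd
"""

if __name__ == "__main__":
    print(*parse_mac_conf(SAMPLE)[1], sep="\n")
```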
SEE ALSO
mac(3), mac_get(3), mac_prepare(3), mac(4), mac(9)
HISTORY
Support for Mandatory Access Control was introduced in FreeBSD 5.0 as