Introduction
The Mandatory Access Control, or MAC, framework allows administrators to finely control system security
by providing for a loadable security policy architecture. It is important to note that due to its
nature, MAC security policies may only restrict access relative to one another and the base system
policy; they cannot override traditional Unix security provisions such as file permissions and superuser
checks.
Currently, the following MAC policy modules are shipped with FreeBSD:
Name                 Description                    Labeling   Load time
mac_biba(4)          Biba integrity policy          yes        boot only
mac_bsdextended(4)   File system firewall           no         any time
mac_ifoff(4)         Interface silencing            no         any time
mac_lomac(4)         Low-Watermark MAC policy       yes        boot only
mac_mls(4)           Confidentiality policy         yes        boot only
mac_none(4)          Sample no-op policy            no         any time
mac_partition(4)     Process partition policy       yes        any time
mac_portacl(4)       Port bind(2) access control    no         any time
mac_seeotheruids(4)  See-other-UIDs policy          no         any time
mac_test(4)          MAC testing policy             no         any time
MAC Labels
Each system subject (processes, sockets, etc.) and each system object (file system objects, sockets,
etc.) can carry with it a MAC label. MAC labels contain data in an arbitrary format taken into
consideration in making access control decisions for a given operation. Most MAC labels on system
subjects and objects can be modified directly or indirectly by the system administrator. The format for
a given policy's label may vary depending on the type of object or subject being labeled. More
information on the format for MAC labels can be found in the maclabel(7) man page.
MAC Support for UFS2 File Systems
By default, file system enforcement of labeled MAC policies relies on a single file system label (see
“MAC Labels”) in order to make access control decisions for all the files in a particular file system.
With some policies, this configuration may not allow administrators to take full advantage of features.
In order to enable support for labeling files on an individual basis for a particular file system, the
“multilabel” flag must be enabled on the file system. To set the “multilabel” flag, drop to single-user
mode and unmount the file system, then execute the following command:
tunefs -l enable filesystem
where filesystem is either the mount point (in fstab(5)) or the special file (in /dev) corresponding to
the file system on which to enable multilabel support.
Policy Enforcement
Policy enforcement is divided into the following areas of the system:
File System
File system mounts, modifying directories, modifying files, etc.
KLD
Loading, unloading, and retrieving statistics on loaded kernel modules
Network
Network interfaces, bpf(4), packet delivery and transmission, interface configuration (ioctl(2),
ifconfig(8))
Pipes
Creation of and operation on pipe(2) objects
Processes
Debugging (e.g. ktrace(2)), process visibility (ps(1)), process execution (execve(2)), signalling
(kill(2))
Sockets
Creation of and operation on socket(2) objects
System
Kernel environment (kenv(1)), system accounting (acct(2)), reboot(2), settimeofday(2), swapon(2),
sysctl(3), nfsd(8)-related operations
VM
mmap(2)-ed files
Setting MAC Labels
From the command line, each type of system object has its own means for setting and modifying its MAC
policy label.
Subject/Object          Utility
File system object      setfmac(8), setfsmac(8)
Network interface       ifconfig(8)
TTY (by login class)    login.conf(5)
User (by login class)   login.conf(5)
Additionally, the su(1) and setpmac(8) utilities can be used to run a command with a different process
label than the shell's current label.
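The textual labels handed to setfmac(8), setpmac(8) and login.conf(5) are of the form policy/value[,policy/value...]. The following parser, an added example and not part of the man page or the FreeBSD source, checks such a label before it is applied: it accepts only the policies the module table marks as labeling, rejects duplicate elements, and parses the biba, mls and lomac grade syntax. That grade syntax (low/high/equal, or a numeric grade with optional "+"-separated compartments, optionally as a "lo-hi" range) and the numeric partition value are assumptions taken from maclabel(7), not from this page.

```python
import re

# Policies from the mac(4) module table that attach labels to subjects/objects.
LABELING_POLICIES = {"biba", "lomac", "mls", "partition"}

# Grade element syntax as assumed from maclabel(7): "low", "high", "equal", or
# "N" optionally followed by ":" and "+"-separated compartments, e.g. "10:2+3+6".
_GRADE = re.compile(r"^(low|high|equal|\d+(?::\d+(?:\+\d+)*)?)$")


def parse_grade(text):
    """Return ('single', grade) or ('range', lo, hi) for one biba/mls/lomac value."""
    if "-" in text:
        lo, hi = text.split("-", 1)
        if not (_GRADE.match(lo) and _GRADE.match(hi)):
            raise ValueError(f"bad range element: {text!r}")
        return ("range", lo, hi)
    if not _GRADE.match(text):
        raise ValueError(f"bad grade element: {text!r}")
    return ("single", text)


def parse_label(label):
    """Parse a setfmac(8)-style label such as 'biba/high,mls/low' into a dict
    mapping policy name to its parsed element; raise ValueError on bad input."""
    elements = {}
    for part in label.split(","):
        if "/" not in part:
            raise ValueError(f"element {part!r} is not of the form policy/value")
        policy, value = part.split("/", 1)
        if policy not in LABELING_POLICIES:
            raise ValueError(f"{policy!r} is not a labeling policy")
        if policy in elements:
            raise ValueError(f"policy {policy!r} appears twice in label")
        if policy == "partition":
            # Assumption from mac_partition(4): the value is an integer partition id.
            if not value.isdigit():
                raise ValueError(f"bad partition value: {value!r}")
            elements[policy] = ("single", value)
        else:
            elements[policy] = parse_grade(value)
    return elements


def is_valid_label(label):
    """True if parse_label() accepts the label, False otherwise."""
    try:
        parse_label(label)
        return True
    except ValueError:
        return False
```

The same check applies to labels set by default on a file system (the single label used when "multilabel" is off) and to per-file labels once tunefs -l enable has been run.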
Programming With MAC
MAC security enforcement itself is transparent to application programs, with the exception that some
programs may need to be aware of additional errno(2) returns from various system calls.
The interface for retrieving, handling, and setting policy labels is documented in the mac(3) man page.