FreeBSD Manual Pages


MAC.CONF(5)		    BSD	File Formats Manual		   MAC.CONF(5)

     mac.conf -- format	of the MAC library configuration file

     The mac.conf file configures the default label elements to	be used	by
     policy-agnostic applications that operate on MAC labels.  A file contains
     a series of default label sets specified by object	class, in addition to
     blank lines and comments preceded by a `#'	symbol.

     Each declaration consists of a single line with two fields separated by
     white space: the object class name, and a list of label elements as used
     by the mac_prepare(3) library calls prior to an application invocation of
     a function from mac_get(3).  Label element names may optionally begin
     with a `?' symbol to indicate that a failure to retrieve the label
     element for an object should be silently ignored; this improves usability
     if the set of MAC policies may change over time.

     The following example configures user applications	to operate with	four
     MAC policies: mac_biba(4),	mac_mls(4), SEBSD, and mac_partition(4).

	   # Default label set to be used by simple MAC	applications

	   default_file_labels ?biba,?mls,?sebsd
	   default_ifnet_labels	?biba,?mls,?sebsd
	   default_process_labels ?biba,?mls,partition,?sebsd

     In	this example, userland applications will attempt to retrieve Biba,
     MLS, and SEBSD labels for all object classes; for processes, they will
     additionally attempt to retrieve a	Partition identifier.  In all cases
     except the	Partition identifier, failure to retrieve a label due to the
     respective	policy not being present will be ignored.
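The declaration format described above can be checked with a small parser. The following is an added example, not code from libmac or the FreeBSD project: the names `mac_decl`, `parse_mac_conf_line` and `required_count` are hypothetical, the size limits are arbitrary, and treating `#` anywhere on a line as the start of a comment is an assumption. It reports which elements lack the `?' prefix, since those are the ones whose absence is not ignored.

```c
#include <stdio.h>
#include <string.h>
#define MAX_ELEMS 16
struct mac_decl {                 /* one parsed declaration (hypothetical type) */
    char class_name[64];
    char elem[MAX_ELEMS][32];     /* element names with the '?' removed */
    int  optional[MAX_ELEMS];     /* 1 if written with a leading '?' */
    int  nelem;
};

/* Returns 1 for a declaration, 0 for a blank/comment line, -1 if malformed. */
int parse_mac_conf_line(const char *line, struct mac_decl *d)
{
    char buf[256], *cls, *list, *tok;
    if (strlen(line) >= sizeof(buf)) return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "#\r\n")] = '\0';   /* assumption: '#' starts a comment */
    if ((cls = strtok(buf, " \t")) == NULL) return 0;
    list = strtok(NULL, " \t");
    if (list == NULL || strtok(NULL, " \t") != NULL ||
        strlen(cls) >= sizeof(d->class_name))
        return -1;                       /* exactly two fields are required */
    strcpy(d->class_name, cls);
    d->nelem = 0;
    for (tok = strtok(list, ","); tok != NULL; tok = strtok(NULL, ",")) {
        int opt = (tok[0] == '?');
        tok += opt;                      /* skip the '?' marker */
        if (*tok == '\0' || strlen(tok) >= sizeof(d->elem[0]) || d->nelem == MAX_ELEMS)
            return -1;
        strcpy(d->elem[d->nelem], tok);
        d->optional[d->nelem++] = opt;
    }
    return d->nelem > 0 ? 1 : -1;
}

/* Number of elements whose retrieval failure is not ignored (no '?'). */
int required_count(const struct mac_decl *d)
{
    int n = 0;
    for (int i = 0; i < d->nelem; i++) n += !d->optional[i];
    return n;
}
int main(void)
{
    struct mac_decl d;   /* sample line copied from the example in this page */
    if (parse_mac_conf_line("default_process_labels ?biba,?mls,partition,?sebsd", &d) == 1)
        printf("%s: %d elements, %d required\n", d.class_name, d.nelem, required_count(&d));
    return 0;
}
```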

     /etc/mac.conf  MAC	library	configuration file.

     mac(3), mac_get(3), mac_prepare(3), mac(4), mac(9)

     Support for Mandatory Access Control was introduced in FreeBSD 5.0	as
     part of the TrustedBSD Project.

     The TrustedBSD MAC Framework and associated policies, interfaces, and
     applications are considered to be an experimental feature in FreeBSD.
     Sites considering production deployment should keep the experimental
     status of these services in mind during any deployment process.  See also
     mac(9) for related considerations regarding the kernel framework.

BSD				April 19, 2003				   BSD

