MAC.CONF(5)               FreeBSD File Formats Manual              MAC.CONF(5)

     mac.conf -- format of the MAC library configuration file

     The mac.conf file configures the default label elements to be used by
     policy-agnostic applications that operate on MAC labels.  A file contains
     a series of default label sets specified by object class, in addition to
     blank lines and comments preceded by a `#' symbol.

     Currently, the implementation supports two syntax styles for label
     element declaration.  The old (deprecated) syntax consists of a single
     line with two fields separated by white space: the object class name, and
     a list of label elements as used by the mac_prepare(3) library calls
     prior to an application invocation of a function from mac_get(3).

     The newer, preferred syntax consists of three fields separated by
     white space: the label group, object class name and a list of label ele-

     Label element names may optionally begin with a `?' symbol to indicate
     that a failure to retrieve the label element for an object should be
     silently ignored; this improves usability if the set of MAC policies may
     change over time.

     /etc/mac.conf  MAC library configuration file.

     The following example configures user applications to operate with four
     MAC policies: mac_biba(4), mac_mls(4), SEBSD, and mac_partition(4).

           # Default label set to be used by simple MAC applications

           default_labels file ?biba,?lomac,?mls,?sebsd
           default_labels ifnet ?biba,?lomac,?mls,?sebsd
           default_labels process ?biba,?lomac,?mls,?partition,?sebsd
           default_labels socket ?biba,?lomac,?mls

           # Deprecated (old) syntax

           default_file_labels ?biba,?mls,?sebsd
           default_ifnet_labels ?biba,?mls,?sebsd
           default_process_labels ?biba,?mls,partition,?sebsd

     In this example, userland applications will attempt to retrieve Biba,
     MLS, and SEBSD labels for all object classes; for processes, they will
     additionally attempt to retrieve a Partition identifier.  In all cases
     except the Partition identifier, failure to retrieve a label due to the
     respective policy not being present will be ignored.
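
     The following audit script is an added example, not part of the original
     manual page and not the MAC library's own parser.  It reads both syntax
     styles as they appear in the example above and reports deprecated lines
     and label elements that lack the `?' prefix; the function name, the
     comment handling, and the mapping of old-style lines to the
     default_labels group are assumptions.

```python
import re

# Constructed sample built from lines of the example on this page.
SAMPLE = """\
# Default label set to be used by simple MAC applications
default_labels file ?biba,?lomac,?mls,?sebsd
default_labels process ?biba,?lomac,?mls,?partition,?sebsd

# Deprecated (old) syntax
default_process_labels ?biba,?mls,partition,?sebsd
"""

# Old style as it appears in the example: default_<class>_labels <elements>
OLD_STYLE = re.compile(r"^default_(\w+)_labels$")


def parse_mac_conf(text):
    """Return (entries, warnings); warnings are (line number, message)."""
    entries, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Assumption: everything from '#' to end of line is a comment.
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        old = OLD_STYLE.match(fields[0])
        if len(fields) == 2 and old:
            # Assumption: old-style lines belong to the default_labels group.
            group, obj_class, elements = "default_labels", old.group(1), fields[1]
            warnings.append((lineno, "deprecated two-field syntax"))
        elif len(fields) == 3:
            group, obj_class, elements = fields
        else:
            warnings.append((lineno, "unrecognized line"))
            continue
        for element in elements.split(","):
            optional = element.startswith("?")
            name = element[1:] if optional else element
            entries.append({"line": lineno, "group": group, "class": obj_class,
                            "element": name, "optional": optional})
            if not optional:
                # Without '?', a failed retrieval is not silently ignored.
                warnings.append((lineno, f"mandatory element '{name}'"))
    return entries, warnings


if __name__ == "__main__":
    for lineno, message in parse_mac_conf(SAMPLE)[1]:
        print(f"line {lineno}: {message}")
```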

     mac(3), mac_get(3), mac_prepare(3), mac(4), mac(9)

     Support for Mandatory Access Control was introduced in FreeBSD 5.0 as
     part of the TrustedBSD Project.

     The TrustedBSD MAC Framework and associated policies, interfaces, and
     applications are considered to be an experimental feature in FreeBSD.
     Sites considering production deployment should keep the experimental
     status of these services in mind during any deployment process.  See also
     mac(9) for related considerations regarding the kernel framework.

FreeBSD 6.2                     April 19, 2003                     FreeBSD 6.2

