MAC(3)

NAME

     mac -- introduction to the MAC security API

LIBRARY

     Standard C Library (libc, -lc)

SYNOPSIS

     #include <sys/mac.h>

     In the kernel configuration file:
     options MAC

DESCRIPTION

     FreeBSD permits administrators to define Mandatory Access Control labels
     defining levels for the privacy and integrity of data, overriding
     discretionary policies for those objects.  Not all objects currently
     provide support for MAC labels, and MAC support must be explicitly
     enabled by the administrator.  The library calls include routines to
     retrieve, duplicate, and set MAC labels associated with files and
     processes.

     POSIX.1e describes a set of MAC manipulation routines to manage the
     contents of MAC labels, as well as their relationships with files and
     processes; almost all of these support routines are implemented in
     FreeBSD.

     Available functions, sorted by behavior, include:

     mac_get_fd()
	     This function is described in mac_get(3), and may be used to
	     retrieve the MAC label associated with a specific file descriptor.


     mac_get_file()
	     This function is described in mac_get(3), and may be used to
	     retrieve the MAC label associated with a named file.

     mac_get_proc()
	     This function is described in mac_get(3), and may be used to
	     retrieve the MAC label associated with the calling process.

     mac_set_fd()
	     This function is described in mac_set(3), and may be used to set
	     the MAC label associated with a specific file descriptor.

     mac_set_file()
	     This function is described in mac_set(3), and may be used to set
	     the MAC label associated with a named file.

     mac_set_proc()
	     This function is described in mac_set(3), and may be used to set
	     the MAC label associated with the calling process.

     mac_free()
	     This function is described in mac_free(3), and may be used to
	     free userland working MAC label storage.

     mac_from_text()
	     This function is described in mac_text(3), and may be used to
	     convert a text-form MAC label into a working mac_t.

     mac_prepare()

     mac_prepare_file_label()

     mac_prepare_ifnet_label()

     mac_prepare_process_label()
	     These functions are described in mac_prepare(3), and may be used
	     to preallocate storage for MAC label retrieval.  mac_prepare(3)
	     prepares a label based on caller-specified label names; the other
	     calls rely on the default configuration specified in mac.conf(5).

     mac_to_text()
	     This function is described in mac_text(3), and may be used to
	     convert a mac_t into a text-form MAC label.

     The behavior of some of these calls is influenced by the configuration
     settings found in mac.conf(5), the MAC library run-time configuration
     file.
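
     The calls listed above combine into one retrieval sequence: prepare a
     label, fill it, convert it to text, free it.  The following is an added
     example, not part of the original manual page or FreeBSD sources;
     mac_label_text() is a hypothetical helper name, and the non-FreeBSD stub
     is an assumption so the file still compiles where <sys/mac.h> is absent.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef __FreeBSD__
#include <sys/types.h>
#include <sys/mac.h>

/* Hypothetical helper (added example): return the text-form MAC label of
 * path, or of the calling process when path is NULL.  Returns NULL with
 * errno set on failure; the caller releases the result with free(3). */
char *mac_label_text(const char *path)
{
    mac_t label;
    char *text = NULL;
    int rc, saved;

    /* Preallocate storage using the default elements from mac.conf(5). */
    rc = path ? mac_prepare_file_label(&label)
              : mac_prepare_process_label(&label);
    if (rc != 0)
        return NULL;

    /* Fill the prepared label from the kernel, then render it as text. */
    rc = path ? mac_get_file(path, label) : mac_get_proc(label);
    if (rc != 0 || mac_to_text(label, &text) != 0)
        text = NULL;
    saved = errno;
    mac_free(label);          /* free the working label on every path */
    errno = saved;            /* report the error from the failing call */
    return text;              /* storage from mac_to_text(), see mac_text(3) */
}
#else
/* Assumption for portability: without the MAC API, always fail with ENOSYS. */
char *mac_label_text(const char *path) { (void)path; errno = ENOSYS; return NULL; }
#endif

int main(int argc, char **argv)
{
    char *text = mac_label_text(argc > 1 ? argv[1] : NULL);
    if (text == NULL) {
        fprintf(stderr, "mac: %s\n", strerror(errno));
        return 1;
    }
    puts(text);
    free(text);
    return 0;
}
```

     A failure here can mean that the kernel was built without options MAC,
     so treat a NULL return as "label unknown" rather than "no label".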

FILES

     /etc/mac.conf  MAC library configuration file, documented in mac.conf(5).
		    Provides default behavior for applications aware of MAC
		    labels on system objects, but without policy-specific
		    knowledge.

IMPLEMENTATION NOTES

     FreeBSD's support for POSIX.1e interfaces and features is currently under
     development.

SEE ALSO

     mac_free(3), mac_get(3), mac_prepare(3), mac_set(3), mac_text(3), mac(4),
     mac.conf(5), mac(9)

STANDARDS

     These APIs are loosely based on the APIs described in POSIX.1e.  POSIX.1e
     is described in IEEE POSIX.1e draft 17.  Discussion of the draft
     continues on the cross-platform POSIX.1e implementation mailing list.  To
     join this list, see the FreeBSD POSIX.1e implementation page for more
     information.  However, the resemblance of these APIs to the POSIX APIs is
     only loose, as the POSIX APIs were unable to express many notions
     required for flexible and extensible access control.

HISTORY

     Support for Mandatory Access Control was introduced in FreeBSD 5.0 as
     part of the TrustedBSD Project.

BUGS

     The TrustedBSD MAC Framework and associated policies, interfaces, and
     applications are considered to be an experimental feature in FreeBSD.
     Sites considering production deployment should keep the experimental
     status of these services in mind during any deployment process.  See
     also mac(9) for related considerations regarding the kernel framework.


FreeBSD 5.2.1			April 19, 2003			 FreeBSD 5.2.1