NAME

     LOMAC -- Low-Watermark Mandatory Access Control security facility

SYNOPSIS

     kldload lomac

DESCRIPTION

     The LOMAC module provides a drop-in security mechanism in addition to the
     traditional POSIX UID-based security facilities, requiring no additional
     configuration from the administrator.  LOMAC aims to be two things: it is
     non-intrusive, so that the system with LOMAC will not feel largely different
     from the system without it, and will not require much modification
     to initialize; it is also comprehensive enough that a majority of attacks
     to compromise a system should fail.

     To this end, each process on the system will have a label of several
     attributes, including a ``high'' or ``low'' security level, attached to
     it, and these labels of integrity will be managed with a system cognizant
     of IPC (signals, debugging, sockets, pipes), path-based file system
     labels, virtual memory objects, and privileged system calls.  A process
     (or set of vmspace-sharing processes) will initially inherit the
     integrity level of its parent, which, at the point of LOMAC being started
     with kldload(8), will be high.  If it reads lower-integrity data from one
     of the controlled mechanisms, it will then decrease its integrity level,
     and access to modify higher-integrity data will be revoked.
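     The low-watermark rule described above, as an added toy model rather than
     LOMAC's own code: a two-level lattice, subjects that inherit their parent's
     level, reads that demote the reader, and writes and signals that are
     refused once the watermark has dropped.  Process and file names are
     constructed for the illustration.

```python
from dataclasses import dataclass

HIGH, LOW = 1, 0  # constructed two-level lattice, matching the man page

@dataclass
class Subject:
    name: str
    level: int  # current integrity watermark; it only ever decreases

@dataclass
class Obj:
    name: str
    level: int  # integrity label of a file, pipe, socket, etc.

def read(s, o):
    # Reads always succeed, but reading a lower-integrity object drags the
    # subject's watermark down to that level; the demotion is permanent.
    if o.level < s.level:
        s.level = o.level
    return True

def write(s, o):
    # A subject may only modify objects at or below its own watermark, so a
    # demoted process loses write access to high-integrity data.
    return s.level >= o.level

def signal(src, dst):
    # The same rule applies to IPC: a low subject may not signal a high one.
    return src.level >= dst.level

def spawn(parent, name):
    # A child inherits the parent's current (possibly demoted) level.
    return Subject(name, parent.level)

def demo():
    init = Subject("init", HIGH)        # after kldload, processes start high
    passwd = Obj("/etc/passwd", HIGH)   # constructed high-integrity file
    upload = Obj("/tmp/upload", LOW)    # constructed low-integrity file
    daemon = spawn(init, "daemon")
    before = write(daemon, passwd)      # high -> high: permitted
    read(daemon, upload)                # daemon is now tainted: drops to LOW
    after = write(daemon, passwd)       # low -> high: revoked
    child = spawn(daemon, "child")      # child inherits LOW
    return {"before": before, "after": after, "daemon": daemon.level,
            "child": child.level, "signal_init": signal(child, init),
            "write_low": write(child, upload)}
```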


     LOMAC on FreeBSD, as implemented currently, should properly respect all
     aspects of any chroot(8) or jail(8) operation performed after it has been
     initialized.  Pre-existing jail or chroot environments may not necessarily
     work completely.  LOMAC's file system should correctly respect the
     caching behavior of any of the system's file systems, and so work for any
     ``normal'' or ``synthetic'' file systems.  After loaded, another root
     mount(8) will exist on the system and appear as type ``lomacfs''.

FILES

     See /sys/security/lomac/policy_plm.h for specific information on exactly
     how LOMAC has been compiled to control access to the file system.

COMPATIBILITY

     Some programs, for example syslogd(8), may need to be restarted after
     LOMAC is initialized for them to continue proper operation.  This version
     of LOMAC has not had widespread testing, so some common programs have
     probably not been tested and could have issues that need to be worked
     around or fixed.

SEE ALSO


HISTORY

     LOMAC was initially implemented for Linux systems over the past several
     years.  Since then, this implementation was created via funding from the
     United States DARPA.  See the copyright for details.

AUTHORS

     Brian Fundakowski Feldman <bfeldman@tislabs.com>
     Timothy Fraser <tfraser@tislabs.com>

BUGS

     LOMAC has not gone through widespread testing yet, so many problems may
     still exist.  There is still one unfixed panic which is reproducible
     under load (vrele(9) being called too many times).  The operation of
     mount(2) and unmount(2) may not work properly or at all once LOMAC has
     been loaded.  After being loaded, the system must be restarted to revert
     to a state without LOMAC.

FreeBSD 5.2.1		       November 20, 2001		 FreeBSD 5.2.1