|
MAC_BSDEXTENDED(4)
Contents
|
mac_bsdextended -- file system firewall policy
To compile the file system firewall policy into your kernel, place the
following lines in your kernel configuration file:
options MAC
options MAC_BSDEXTENDED
Alternately, to load the file system firewall policy module at boot time,
place the following line in your kernel configuration file:
options MAC
and in loader.conf(5):
mac_bsdextended_load="YES"
The mac_bsdextended interface provides an interface for the system administrator
to impose mandatory rules regarding users and some system
objects. Rules are uploaded to the module (typically using ugidfw(8), or
some other tool utilizing libugidfw(3)) where they are stored internally
and used to determine whether to allow or deny specific accesses (see
ugidfw(8)).
While the traditional mac(9) entry points are implemented, policy labels
are not used; instead, access control decisions are made by iterating
through the internal list of rules until a rule which denies the particular
access is found, or the end of the list is reached.
libugidfw(3), mac(4), mac_biba(4), mac_ifoff(4), mac_lomac(4),
mac_mls(4), mac_none(4), mac_partition(4), mac_portacl(4),
mac_seeotheruids(4), mac_test(4), ugidfw(8), mac(9)
The mac_bsdextended policy module first appeared in FreeBSD 5.0 and was
developed by the TrustedBSD Project.
This software was contributed to the FreeBSD Project by NAI Labs, the
Security Research Division of Network Associates Inc. under DARPA/SPAWAR
contract N66001-01-C-8035 (``CBOSS''), as part of the DARPA CHATS
research program.
FreeBSD 5.2.1 October 16, 2002 FreeBSD 5.2.1 [ Back ] |