mac_bsdextended.4 (107626) mac_bsdextended.4 (107717)
1.\" Copyright (c) 2002 Networks Associates Technology, Inc.
2.\" All rights reserved.
3.\"
4.\" This software was developed for the FreeBSD Project by Chris
5.\" Costello at Safeport Network Services and NAI Labs, the Security
6.\" Research Division of Network Associates, Inc. under DARPA/SPAWAR
7.\" contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS
8.\" research program.

--- 17 unchanged lines hidden (view full) ---

26.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32.\" SUCH DAMAGE.
33.\"
1.\" Copyright (c) 2002 Networks Associates Technology, Inc.
2.\" All rights reserved.
3.\"
4.\" This software was developed for the FreeBSD Project by Chris
5.\" Costello at Safeport Network Services and NAI Labs, the Security
6.\" Research Division of Network Associates, Inc. under DARPA/SPAWAR
7.\" contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS
8.\" research program.

--- 17 unchanged lines hidden (view full) ---

26.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32.\" SUCH DAMAGE.
33.\"
34.\" $FreeBSD: head/share/man/man4/mac_bsdextended.4 107626 2002-12-05 00:05:38Z chris $
34.\" $FreeBSD: head/share/man/man4/mac_bsdextended.4 107717 2002-12-10 00:39:17Z chris $
35.Dd OCTOBER 16, 2002
36.Os
37.Dt MAC_BSDEXTENDED 4
38.Sh NAME
39.Nm mac_bsdextended
35.Dd OCTOBER 16, 2002
36.Os
37.Dt MAC_BSDEXTENDED 4
38.Sh NAME
39.Nm mac_bsdextended
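Review bot: the .Dd line (35) still reads OCTOBER 16, 2002, although this revision, dated 2002-12-10 in the new $FreeBSD$ line, changes the one-line description, SYNOPSIS, DESCRIPTION, SEE ALSO and HISTORY. Bump the document date along with the content change, and write the month in the usual mixed-case form while touching the line.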
40.Nd subject-object interaction rules policy
40.Nd file system firewall policy
41.Sh SYNOPSIS
41.Sh SYNOPSIS
42.\" .Cd options MAC_BSDEXTENDED
43.Li kldload mac_bsdextended
42.\" To compile the file system firewall policy into your kernel,
43.\" place the following lines in your kernel configuration file:
44.\" .Cd "options MAC"
45.\" .Cd "options MAC_BSDEXTENDED"
46.\" .Pp
47.\" Alternately, to load the MLS module at boot time, place the following line
48To load the file system firewall policy module at boot time,
49place the following line in your kernel configuration file:
50.Cd "options MAC"
51.Pp
52and in
53.Xr loader.conf 5 :
54.Cd mac_bsdextended_load= Ns \&"YES"
44.Sh DESCRIPTION
45The
46.Nm
47interface provides an interface for the system administrator
48to impose mandatory rules regarding users and some system objects.
49Rules are uploaded to the module
50(typically using
55.Sh DESCRIPTION
56The
57.Nm
58interface provides an interface for the system administrator
59to impose mandatory rules regarding users and some system objects.
60Rules are uploaded to the module
61(typically using
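Review bot: the commented-out text on new line 47 says "to load the MLS module at boot time", which names a different policy than this page documents, and the comment stops mid-sentence right before the live text on line 48. Either delete the commented block (lines 42-47) or correct it to refer to the file system firewall policy module. The live text on lines 48-50 also reads as if "options MAC" in the kernel configuration file is what loads the module at boot; say that "options MAC" is the kernel prerequisite and the loader.conf line does the loading. The old "kldload mac_bsdextended" line is dropped without a replacement, so the page no longer shows how to load the module at run time; consider keeping a sentence for that.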
62.Xr ugidfw 8 ,
63or some other tool utilizing
51.Xr libugidfw 3 )
52where they are stored internally
53and used to determine whether to allow or deny specific accesses
54(see
55.Xr ugidfw 8 ) .
56.Sh IMPLEMENTATION NOTES
57While the traditional
58.Xr mac 9
59entry points are implemented,
60policy labels are not used;
61instead, access control decisions are made by iterating through the internal
62list of rules until a rule
63which denies the particular access
64is found,
65or the end of the list is reached.
66.Sh SEE ALSO
67.Xr libugidfw 3 ,
64.Xr libugidfw 3 )
65where they are stored internally
66and used to determine whether to allow or deny specific accesses
67(see
68.Xr ugidfw 8 ) .
69.Sh IMPLEMENTATION NOTES
70While the traditional
71.Xr mac 9
72entry points are implemented,
73policy labels are not used;
74instead, access control decisions are made by iterating through the internal
75list of rules until a rule
76which denies the particular access
77is found,
78or the end of the list is reached.
79.Sh SEE ALSO
80.Xr libugidfw 3 ,
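Review bot: with ".Xr ugidfw 8 ," added on new line 62, the sentence now cites ugidfw(8) twice, once in the "(typically using ...)" parenthetical and again in the trailing "(see .Xr ugidfw 8 )" on lines 67-68. Drop the trailing reference, or point it at something that adds information, such as where the rule syntax is described.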
81.Xr mac_biba 4 ,
82.Xr mac_mls 4 ,
83.Xr mac_none 4 ,
84.Xr mac_seeotheruids 4 ,
85.Xr mac_test 4 ,
68.Xr ugidfw 8 ,
69.Xr mac 9
70.Sh HISTORY
71The
72.Nm
86.Xr ugidfw 8 ,
87.Xr mac 9
88.Sh HISTORY
89The
90.Nm
73interface was first introduced in
74.Fx 5.0 .
91policy module first appeared in
92.Fx 5.0
93and was developed by the TrustedBSD Project.
75.Sh AUTHORS
76This software was contributed to the
77.Fx
78Project by NAI Labs, the Security Research Division of Network Associates
79Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
80as part of the DARPA CHATS research program.
94.Sh AUTHORS
95This software was contributed to the
96.Fx
97Project by NAI Labs, the Security Research Division of Network Associates
98Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
99as part of the DARPA CHATS research program.
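Review bot: HISTORY (new lines 89-93) now calls this a "policy module" and .Nd (line 40) a "file system firewall policy", but DESCRIPTION (lines 56-58) still opens with "The .Nm interface provides an interface". Reword the DESCRIPTION opening in the same change so the page uses one term throughout, for example "The .Nm policy module provides an interface for the system administrator ...".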