The Mandatory Access Control, or MAC, framework allows administrators to
finely control system security by providing for a loadable security policy
architecture.
It is important to note that due to its nature, MAC security policies may
only restrict access relative to one another and the base system policy;
they cannot override traditional
UNIX
security provisions such as file permissions and superuser checks.
Currently, the following MAC policy modules are shipped with
Fx :
Each system subject (processes, sockets, etc.) and each system object
(file system objects, sockets, etc.) can carry with it a MAC label.
MAC labels contain data in an arbitrary format
taken into consideration in making access control decisions
for a given operation.
Most MAC labels on system subjects and objects
can be modified directly or indirectly by the system
administrator.
The format for a given policy's label may vary depending on the type
of object or subject being labeled.
More information on the format for MAC labels can be found in the
maclabel(7)
man page.
MAC Support for UFS2 File Systems
By default, file system enforcement of labeled MAC policies relies on
a single file system label
(see
Sx MAC Labels )
in order to make access control decisions for all the files in a particular
file system.
With some policies, this configuration may not allow administrators to take
full advantage of features.
In order to enable support for labeling files on an individual basis
for a particular file system,
the
``multilabel''
flag must be enabled on the file system.
To set the
``multilabel''
flag, drop to single-user mode and unmount the file system,
then execute the following command:
"tunefs -l enable" filesystem
where
filesystem
is either the mount point
(in
fstab(5))
or the special file
(in
/dev
corresponding to the file system on which to enable multilabel support.
Policy Enforcement
Policy enforcement is divided into the following areas of the system:
File System
File system mounts, modifying directories, modifying files, etc.
KLD
Loading, unloading, and retrieving statistics on loaded kernel modules
Additionally, the
su(1)
and
setpmac(8)
utilities can be used to run a command with a different process label than
the shell's current label.
Programming With MAC
MAC security enforcement itself is transparent to application
programs, with the exception that some programs may need to be aware of
additional
errno(2)
returns from various system calls.
The interface for retrieving, handling, and setting policy labels
is documented in the
mac(3)
man page.
The
implementation first appeared in
Fx 5.0
and was developed by the
TrustedBSD
Project.
AUTHORS
This software was contributed to the
Fx Project by Network Associates Labs,
the Security Research Division of Network Associates
Inc.
under DARPA/SPAWAR contract N66001-01-C-8035
(``CBOSS''
)
as part of the DARPA CHATS research program.
BUGS
See
mac(9)
concerning appropriateness for production use.
The
TrustedBSD
MAC Framework is considered experimental in
Fx .
While the MAC Framework design is intended to support the containment of
the root user, not all attack channels are currently protected by entry
point checks.
As such, MAC Framework policies should not be relied on, in isolation,
to protect against a malicious privileged user.
