GitHub Repository: freebsd/freebsd-doc
Path: blob/main/documentation/content/en/books/handbook/mac/_index.po
# SOME DESCRIPTIVE TITLE
# Copyright (C) YEAR The FreeBSD Project
# This file is distributed under the same license as the FreeBSD Documentation package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: FreeBSD Documentation VERSION\n"
"POT-Creation-Date: 2026-02-22 15:58+0000\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <[email protected]>\n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. type: YAML Front Matter: description
#: documentation/content/en/books/handbook/mac/_index.adoc:1
#, no-wrap
msgid "This chapter focuses on the MAC framework and the set of pluggable security policy modules FreeBSD provides for enabling various security mechanisms"
msgstr ""

#. type: YAML Front Matter: part
#: documentation/content/en/books/handbook/mac/_index.adoc:1
#, no-wrap
msgid "Part III. System Administration"
msgstr ""

#. type: YAML Front Matter: title
#: documentation/content/en/books/handbook/mac/_index.adoc:1
#, no-wrap
msgid "Chapter 18. Mandatory Access Control"
msgstr ""

#. type: Title =
#: documentation/content/en/books/handbook/mac/_index.adoc:15
#, no-wrap
msgid "Mandatory Access Control"
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/mac/_index.adoc:53
#, no-wrap
msgid "Synopsis"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:62
msgid ""
"FreeBSD supports security extensions based on the POSIX(R).1e draft.  These "
"security mechanisms include file system Access Control Lists "
"(crossref:security[fs-acl,“Access Control Lists”]) and Mandatory Access "
"Control (MAC).  MAC allows access control modules to be loaded in order to "
"implement security policies.  Some modules provide protections for a narrow "
"subset of the system, hardening a particular service.  Others provide "
"comprehensive labeled security across all subjects and objects.  The "
"mandatory part of the definition indicates that enforcement of controls is "
"performed by administrators and the operating system.  This is in contrast "
"to the default security mechanism of Discretionary Access Control (DAC) "
"where enforcement is left to the discretion of users."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:64
msgid ""
"This chapter focuses on the MAC framework and the set of pluggable security "
"policy modules FreeBSD provides for enabling various security mechanisms."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:66
msgid "Read this chapter to learn:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:68
msgid "The terminology associated with the MAC framework."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:69
msgid ""
"The capabilities of MAC security policy modules as well as the difference "
"between a labeled and non-labeled policy."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:70
msgid ""
"The considerations to take into account before configuring a system to use "
"the MAC framework."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:71
msgid ""
"Which MAC security policy modules are included in FreeBSD and how to "
"configure them."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:72
msgid "How to implement a more secure environment using the MAC framework."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:73
msgid ""
"How to test the MAC configuration to ensure the framework has been properly "
"implemented."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:75
msgid "Before reading this chapter:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:77
msgid ""
"Understand UNIX(R) and FreeBSD basics (crossref:basics[basics,FreeBSD "
"Basics])."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:78
msgid ""
"Have some familiarity with security and how it pertains to FreeBSD "
"(crossref:security[security,Security])."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/mac/_index.adoc:85
msgid ""
"Improper MAC configuration may cause loss of system access, aggravation of "
"users, or inability to access the features provided by Xorg.  More "
"importantly, MAC should not be relied upon to completely secure a system.  "
"The MAC framework only augments an existing security policy.  Without sound "
"security practices and regular security checks, the system will never be "
"completely secure."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/mac/_index.adoc:88
msgid ""
"The examples contained within this chapter are for demonstration purposes "
"and the example settings should _not_ be implemented on a production "
"system.  Implementing any security policy takes a good deal of "
"understanding, proper design, and thorough testing."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:93
msgid ""
"While this chapter covers a broad range of security issues relating to the "
"MAC framework, the development of new MAC security policy modules will not "
"be covered.  A number of security policy modules included with the MAC "
"framework have specific characteristics which are provided for both testing "
"and new module development.  Refer to man:mac_test[4], man:mac_stub[4] and "
"man:mac_none[4] for more information on these security policy modules and "
"the various mechanisms they provide."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/mac/_index.adoc:95
#, no-wrap
msgid "Key Terms"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:98
msgid "The following key terms are used when referring to the MAC framework:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:100
msgid ""
"_compartment_: a set of programs and data to be partitioned or separated, "
"where users are given explicit access to a specific component of a system. A "
"compartment represents a grouping, such as a work group, department, "
"project, or topic. Compartments make it possible to implement a need-to-know-"
"basis security policy."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:101
msgid ""
"_integrity_: the level of trust which can be placed on data. As the "
"integrity of the data is elevated, so is the ability to trust that data."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:102
msgid ""
"_level_: the increased or decreased setting of a security attribute. As the "
"level increases, its security is considered to elevate as well."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:103
msgid ""
"_label_: a security attribute which can be applied to files, directories, or "
"other items in the system. It could be considered a confidentiality stamp. "
"When a label is placed on a file, it describes the security properties of "
"that file and will only permit access by files, users, and resources with a "
"similar security setting. The meaning and interpretation of label values "
"depends on the policy configuration. Some policies treat a label as "
"representing the integrity or secrecy of an object while other policies "
"might use labels to hold rules for access."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:104
msgid ""
"_multilabel_: this property is a file system option which can be set in "
"single-user mode using man:tunefs[8], during boot using man:fstab[5], or "
"during the creation of a new file system. This option permits an "
"administrator to apply different MAC labels on different objects. This "
"option only applies to security policy modules which support labeling."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:105
msgid ""
"_single label_: a policy where the entire file system uses one label to "
"enforce access control over the flow of data. Whenever `multilabel` is not "
"set, all files will conform to the same label setting."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:106
msgid ""
"_object_: an entity through which information flows under the direction of a "
"_subject_. This includes directories, files, fields, screens, keyboards, "
"memory, magnetic storage, printers or any other data storage or moving "
"device. An object is a data container or a system resource. Access to an "
"object effectively means access to its data."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:107
msgid ""
"_subject_: any active entity that causes information to flow between "
"_objects_ such as a user, user process, or system process. On FreeBSD, this "
"is almost always a thread acting in a process on behalf of a user."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:108
msgid ""
"_policy_: a collection of rules which defines how objectives are to be "
"achieved. A policy usually documents how certain items are to be handled. "
"This chapter considers a policy to be a collection of rules which controls "
"the flow of data and information and defines who has access to that data and "
"information."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:109
msgid ""
"_high-watermark_: this type of policy permits the raising of security levels "
"for the purpose of accessing higher level information. In most cases, the "
"original level is restored after the process is complete. Currently, the "
"FreeBSD MAC framework does not include this type of policy."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:110
msgid ""
"_low-watermark_: this type of policy permits lowering security levels for "
"the purpose of accessing information which is less secure. In most cases, "
"the original security level of the user is restored after the process is "
"complete. The only security policy module in FreeBSD to use this is "
"man:mac_lomac[4]."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:111
msgid ""
"_sensitivity_: usually used when discussing Multilevel Security (MLS). A "
"sensitivity level describes how important or secret the data should be. As "
"the sensitivity level increases, so does the importance of the secrecy, or "
"confidentiality, of the data."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/mac/_index.adoc:113
#, no-wrap
msgid "Understanding MAC Labels"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:118
msgid ""
"A MAC label is a security attribute which may be applied to subjects and "
"objects throughout the system.  When setting a label, the administrator must "
"understand its implications in order to prevent unexpected or undesired "
"behavior of the system.  The attributes available on an object depend on the "
"loaded policy module, as policy modules interpret their attributes in "
"different ways."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:122
msgid ""
"The security label on an object is used as a part of a security access "
"control decision by a policy.  With some policies, the label contains all of "
"the information necessary to make a decision.  In other policies, the labels "
"may be processed as part of a larger rule set."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:126
msgid ""
"There are two types of label policies: single label and multi label.  By "
"default, the system will use single label.  The administrator should be "
"aware of the pros and cons of each in order to implement policies which meet "
"the requirements of the system's security model."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:130
msgid ""
"A single label security policy only permits one label to be used for every "
"subject or object.  Since a single label policy enforces one set of access "
"permissions across the entire system, it provides lower administration "
"overhead, but decreases the flexibility of policies which support labeling.  "
"However, in many environments, a single label policy may be all that is "
"required."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:134
msgid ""
"A single label policy is somewhat similar to DAC as `root` configures the "
"policies so that users are placed in the appropriate categories and access "
"levels.  A notable difference is that many policy modules can also restrict "
"`root`.  Basic control over objects will then be released to the group, but "
"`root` may revoke or modify the settings at any time."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:139
msgid ""
"When appropriate, a multi label policy can be set on a UFS file system by "
"passing `multilabel` to man:tunefs[8].  A multi label policy permits each "
"subject or object to have its own independent MAC label.  The decision to "
"use a multi label or single label policy is only required for policies which "
"implement the labeling feature, such as `biba`, `lomac`, and `mls`.  Some "
"policies, such as `seeotheruids`, `portacl` and `partition`, do not use "
"labels at all."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:142
msgid ""
"Using a multi label policy on a partition and establishing a multi label "
"security model can increase administrative overhead as everything in that "
"file system has a label.  This includes directories, files, and even device "
"nodes."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:145
msgid ""
"The following command will set `multilabel` on the specified UFS file "
"system.  This may only be done in single-user mode and is not a requirement "
"for the swap file system:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:149
#, no-wrap
msgid "# tunefs -l enable /\n"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/mac/_index.adoc:155
msgid ""
"Some users have experienced problems with setting the `multilabel` flag on "
"the root partition.  If this is the case, please review crossref:mac[mac-"
"troubleshoot, Troubleshooting the MAC Framework]."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:161
msgid ""
"Since the multi label policy is set on a per-file system basis, a multi "
"label policy may not be needed if the file system layout is well designed.  "
"Consider an example security MAC model for a FreeBSD web server.  This "
"machine uses the single label, `biba/high`, for everything in the default "
"file systems.  If the web server needs to run at `biba/low` to prevent write "
"up capabilities, it could be installed to a separate UFS [.filename]#/usr/"
"local# file system set at `biba/low`."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/mac/_index.adoc:162
#, no-wrap
msgid "Label Configuration"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:166
msgid ""
"Virtually all aspects of label policy module configuration will be performed "
"using the base system utilities.  These commands provide a simple interface "
"for object or subject configuration or the manipulation and verification of "
"the configuration."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:169
msgid ""
"All configuration may be done using `setfmac`, which is used to set MAC "
"labels on system objects, and `setpmac`, which is used to set the labels on "
"system subjects.  For example, to set the `biba` MAC label to `high` on "
"[.filename]#test#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:173
#, no-wrap
msgid "# setfmac biba/high test\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:181
msgid ""
"If the configuration is successful, the prompt will be returned without "
"error.  A common error is `Permission denied` which usually occurs when the "
"label is being set or modified on a restricted object.  Other conditions may "
"produce different failures.  For instance, the file may not be owned by the "
"user attempting to relabel the object, the object may not exist, or the "
"object may be read-only.  A mandatory policy will not allow the process to "
"relabel the file, maybe because of a property of the file, a property of the "
"process, or a property of the proposed new label value.  For example, if a "
"user running at low integrity tries to change the label of a high integrity "
"file, or a user running at low integrity tries to change the label of a low "
"integrity file to a high integrity label, these operations will fail."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:183
msgid ""
"The system administrator may use `setpmac` to override the policy module's "
"settings by assigning a different label to the invoked process:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:191
#, no-wrap
msgid ""
"# setfmac biba/high test\n"
"Permission denied\n"
"# setpmac biba/low setfmac biba/high test\n"
"# getfmac test\n"
"test: biba/high\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:196
msgid ""
"For currently running processes, such as sendmail, `getpmac` is usually used "
"instead.  This command takes a process ID (PID) in place of a command name.  "
"If users attempt to manipulate a file not in their access, subject to the "
"rules of the loaded policy modules, the `Operation not permitted` error will "
"be displayed."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/mac/_index.adoc:197
#, no-wrap
msgid "Predefined Labels"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:200
msgid ""
"A few FreeBSD policy modules which support the labeling feature offer three "
"predefined labels: `low`, `equal`, and `high`, where:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:202
msgid ""
"`low` is considered the lowest label setting an object or subject may have. "
"Setting this on objects or subjects blocks their access to objects or "
"subjects marked high."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:203
msgid ""
"`equal` sets the subject or object to be disabled or unaffected and should "
"only be placed on objects considered to be exempt from the policy."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:204
msgid ""
"`high` grants an object or subject the highest setting available in the Biba "
"and MLS policy modules."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:208
msgid ""
"Such policy modules include man:mac_biba[4], man:mac_mls[4] and "
"man:mac_lomac[4].  Each of the predefined labels establishes a different "
"information flow directive.  Refer to the manual page of the module to "
"determine the traits of the generic label configurations."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/mac/_index.adoc:209
#, no-wrap
msgid "Numeric Labels"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:214
msgid ""
"The Biba and MLS policy modules support a numeric label which may be set to "
"indicate the precise level of hierarchical control.  This numeric level is "
"used to partition or sort information into different groups of "
"classification, only permitting access to that group or a higher group "
"level.  For example:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:218
#, no-wrap
msgid "biba/10:2+3+6(5:2+3-20:2+3+4+5+6)\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:221
msgid ""
"may be interpreted as \"Biba Policy Label/Grade 10:Compartments 2, 3 and 6: "
"(grade 5 ...\")"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:224
msgid ""
"In this example, the first grade would be considered the effective grade "
"with effective compartments, the second grade is the low grade, and the last "
"one is the high grade.  In most configurations, such fine-grained settings "
"are not needed as they are considered to be advanced configurations."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:227
msgid ""
"System objects only have a current grade and compartment.  System subjects "
"reflect the range of available rights in the system, and network interfaces, "
"where they are used for access control."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:232
msgid ""
"The grade and compartments in a subject and object pair are used to "
"construct a relationship known as _dominance_, in which a subject dominates "
"an object, the object dominates the subject, neither dominates the other, or "
"both dominate each other.  The \"both dominate\" case occurs when the two "
"labels are equal.  Due to the information flow nature of Biba, a user has "
"rights to a set of compartments that might correspond to projects, but "
"objects also have a set of compartments.  Users may have to subset their "
"rights using `su` or `setpmac` in order to access objects in a compartment "
"from which they are not restricted."
msgstr ""
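
Added example (not the Handbook's own code and not mac_biba(4) itself): a small Python parser for the Biba label syntax shown above, together with the dominance relation the chapter describes and the resulting read/write decisions, which also covers the two `setfmac` failures from "Label Configuration" (relabeling is a write to the object). Assumed here: only the effective element decides access, the optional `(low-high)` range is parsed and validated but not enforced, and Biba is applied as "write only to objects the subject dominates, read only from objects that dominate it".

```python
"""Parser and dominance checker for FreeBSD Biba MAC label strings.

Added example, not the Handbook's code and not mac_biba(4) itself. Assumed
here: only the effective element decides access, the (low-high) range is
parsed and validated but not enforced, and Biba is applied as "write only to
objects the subject dominates, read only from objects that dominate it".
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# element: low | equal | high | grade[:comp+comp+...]   label: effective[(low-high)]
_ELEMENT_RE = re.compile(r"^(low|equal|high|\d+(?::\d+(?:\+\d+)*)?)$")
_LABEL_RE = re.compile(r"^([^()]+)(?:\(([^()-]+)-([^()-]+)\))?$")


@dataclass(frozen=True)
class BibaElement:
    """One grade/compartment element, or one of the predefined labels."""
    kind: str  # "low", "equal", "high" or "grade"
    grade: int = 0
    compartments: frozenset[int] = field(default_factory=frozenset)

    @classmethod
    def parse(cls, text: str) -> BibaElement:
        if not _ELEMENT_RE.match(text):
            raise ValueError(f"malformed Biba element: {text!r}")
        if text in ("low", "equal", "high"):
            return cls(kind=text)
        grade, _, comps = text.partition(":")
        comp_set = frozenset(int(c) for c in comps.split("+")) if comps else frozenset()
        return cls(kind="grade", grade=int(grade), compartments=comp_set)

    def dominates(self, other: BibaElement) -> bool:
        """True if self is at least as high in integrity as other."""
        if "equal" in (self.kind, other.kind):
            return True  # equal is exempt: it dominates and is dominated by everything
        if self.kind == "high" or other.kind == "low":
            return True
        if self.kind == "low" or other.kind == "high":
            return False
        # Numeric case: higher-or-equal grade and a superset of compartments.
        return self.grade >= other.grade and self.compartments >= other.compartments


@dataclass(frozen=True)
class BibaLabel:
    """A full biba/... label: effective element plus optional range bounds."""
    effective: BibaElement
    low: BibaElement | None = None
    high: BibaElement | None = None

    @classmethod
    def parse(cls, text: str) -> BibaLabel:
        if not text.startswith("biba/"):
            raise ValueError(f"not a Biba label: {text!r}")
        m = _LABEL_RE.match(text[len("biba/"):])
        if m is None:
            raise ValueError(f"malformed Biba label: {text!r}")
        eff = BibaElement.parse(m.group(1))
        if m.group(2) is None:
            return cls(effective=eff)
        lo, hi = BibaElement.parse(m.group(2)), BibaElement.parse(m.group(3))
        # A range such as 10(5-15) must bracket its effective element.
        if not (hi.dominates(lo) and hi.dominates(eff) and eff.dominates(lo)):
            raise ValueError(f"effective element outside its range: {text!r}")
        return cls(effective=eff, low=lo, high=hi)


def relation(subject: BibaLabel, obj: BibaLabel) -> str:
    """Classify the pair as the chapter does: subject, object, both or neither."""
    s_dom = subject.effective.dominates(obj.effective)
    o_dom = obj.effective.dominates(subject.effective)
    if s_dom and o_dom:
        return "both"  # labels are equal, or one side is biba/equal
    if s_dom:
        return "subject"
    return "object" if o_dom else "neither"


def may_write(subject: BibaLabel, obj: BibaLabel) -> bool:
    """Biba 'no write up': writing (including relabeling) needs subject dominance."""
    return subject.effective.dominates(obj.effective)


def may_read(subject: BibaLabel, obj: BibaLabel) -> bool:
    """Biba 'no read down': the object must dominate the subject."""
    return obj.effective.dominates(subject.effective)


if __name__ == "__main__":
    # Constructed sample: the chapter's numeric label as the subject, a few objects.
    user = BibaLabel.parse("biba/10:2+3+6(5:2+3-20:2+3+4+5+6)")
    for name in ("biba/high", "biba/low", "biba/10:2+3", "biba/12:2+3+6", "biba/10:4", "biba/equal"):
        obj = BibaLabel.parse(name)
        print(f"{name:16} {relation(user, obj):8} read={may_read(user, obj)} write={may_write(user, obj)}")
```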

#. type: Title ===
#: documentation/content/en/books/handbook/mac/_index.adoc:233
#, no-wrap
msgid "User Labels"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:238
msgid ""
"Users are required to have labels so that their files and processes properly "
"interact with the security policy defined on the system.  This is configured "
"in [.filename]#/etc/login.conf# using login classes.  Every policy module "
"that uses labels will implement the user class setting."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:243
msgid ""
"To set the user class default label which will be enforced by MAC, add a "
"`label` entry.  An example `label` entry containing every policy module is "
"displayed below.  Note that in a real configuration, the administrator would "
"never enable every policy module.  It is recommended that the rest of this "
"chapter be reviewed before any configuration is implemented."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:268
#, no-wrap
msgid ""
"default:\\\n"
"\t:welcome=/etc/motd:\\\n"
"\t:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\\\n"
"\t:path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:\\\n"
"\t:manpath=/usr/share/man /usr/local/man:\\\n"
"\t:nologin=/usr/sbin/nologin:\\\n"
"\t:cputime=1h30m:\\\n"
"\t:datasize=8M:\\\n"
"\t:vmemoryuse=100M:\\\n"
"\t:stacksize=2M:\\\n"
"\t:memorylocked=4M:\\\n"
"\t:memoryuse=8M:\\\n"
"\t:filesize=8M:\\\n"
"\t:coredumpsize=8M:\\\n"
"\t:openfiles=24:\\\n"
"\t:maxproc=32:\\\n"
"\t:priority=0:\\\n"
"\t:requirehome:\\\n"
"\t:passwordtime=91d:\\\n"
"\t:umask=022:\\\n"
"\t:ignoretime@:\\\n"
"\t:label=partition/13,mls/5,biba/10(5-15),lomac/10[2]:\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:273
msgid ""
"While users cannot modify the default value, they may change their label "
"after they login, subject to the constraints of the policy.  The example "
"above tells the Biba policy that a process's minimum integrity is `5`, its "
"maximum is `15`, and the default effective label is `10`.  The process will "
"run at `10` until it chooses to change label, perhaps due to the user using "
"`setpmac`, which will be constrained by Biba to the configured range."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:275
msgid ""
"After any change to [.filename]#login.conf#, the login class capability "
"database must be rebuilt using `cap_mkdb`."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:278
msgid ""
"Many sites have a large number of users requiring several different user "
"classes.  In-depth planning is required as this can become difficult to "
"manage."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/mac/_index.adoc:279
#, no-wrap
msgid "Network Interface Labels"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:284
msgid ""
"Labels may be set on network interfaces to help control the flow of data "
"across the network.  Policies using network interface labels function in the "
"same way that policies function with respect to objects.  Users at high "
"settings in Biba, for example, will not be permitted to access network "
"interfaces with a label of `low`."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:286
msgid ""
"When setting the MAC label on network interfaces, `maclabel` may be passed "
"to `ifconfig`:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:290
#, no-wrap
msgid "# ifconfig bge0 maclabel biba/equal\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:294
msgid ""
"This example will set the MAC label of `biba/equal` on the `bge0` "
"interface.  When using a setting similar to `biba/high(low-high)`, the "
"entire label should be quoted to prevent an error from being returned."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:298
msgid ""
"Each policy module which supports labeling has a tunable which may be used "
"to disable the MAC label on network interfaces.  Setting the label to "
"`equal` will have a similar effect.  Review the output of `sysctl`, the "
"policy manual pages, and the information in the rest of this chapter for "
"more information on those tunables."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/mac/_index.adoc:300
#, no-wrap
msgid "Planning the Security Configuration"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:304
msgid ""
"Before implementing any MAC policies, a planning phase is recommended.  "
"During the planning stages, an administrator should consider the "
"implementation requirements and goals, such as:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:306
msgid ""
"How to classify information and resources available on the target systems."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:307
msgid ""
"Which information or resources to restrict access to along with the type of "
"restrictions that should be applied."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:308
msgid "Which MAC modules will be required to achieve this goal."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:311
msgid ""
"A trial run of the trusted system and its configuration should occur "
"_before_ a MAC implementation is used on production systems.  Since "
"different environments have different needs and requirements, establishing a "
"complete security profile will decrease the need for changes once the system "
"goes live."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:317
msgid ""
"Consider how the MAC framework augments the security of the system as a "
"whole.  The various security policy modules provided by the MAC framework "
"could be used to protect the network and file systems or to block users from "
"accessing certain ports and sockets.  Perhaps the best use of the policy "
"modules is to load several security policy modules at a time in order to "
"provide a MLS environment.  This approach differs from a hardening policy, "
"which typically hardens elements of a system which are used only for "
"specific purposes.  The downside to MLS is increased administrative overhead."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:321
msgid ""
"The overhead is minimal when compared to the lasting effect of a framework "
"which provides the ability to pick and choose which policies are required "
"for a specific configuration and which keeps performance overhead down.  The "
"reduction of support for unneeded policies can increase the overall "
"performance of the system as well as offer flexibility of choice.  A good "
"implementation would consider the overall security requirements and "
"effectively implement the various security policy modules offered by the "
"framework."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:324
msgid ""
"A system utilizing MAC guarantees that a user will not be permitted to "
"change security attributes at will.  All user utilities, programs, and "
"scripts must work within the constraints of the access rules provided by the "
"selected security policy modules and control of the MAC access rules is in "
"the hands of the system administrator."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:328
msgid ""
"It is the duty of the system administrator to carefully select the correct "
"security policy modules.  For an environment that needs to limit access "
"control over the network, the man:mac_portacl[4], man:mac_ifoff[4], and "
"man:mac_biba[4] policy modules make good starting points.  For an "
"environment where strict confidentiality of file system objects is required, "
"consider the man:mac_bsdextended[4] and man:mac_mls[4] policy modules."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:335
msgid ""
"Policy decisions could be made based on network configuration.  If only "
"certain users should be permitted access to man:ssh[1], the "
"man:mac_portacl[4] policy module is a good choice.  In the case of file "
"systems, access to objects might be considered confidential to some users, "
"but not to others.  As an example, a large development team might be broken "
"off into smaller projects where developers in project A might not be "
"permitted to access objects written by developers in project B.  Yet both "
"projects might need to access objects created by developers in project C.  "
"Using the different security policy modules provided by the MAC framework, "
"users could be divided into these groups and then given access to the "
"appropriate objects."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:339
msgid ""
"Each security policy module has a unique way of dealing with the overall "
"security of a system.  Module selection should be based on a well thought "
"out security policy which may require revision and reimplementation.  "
"Understanding the different security policy modules offered by the MAC "
"framework will help administrators choose the best policies for their "
"situations."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:341
msgid ""
"The rest of this chapter covers the available modules, describes their use "
"and configuration, and in some cases, provides insight on applicable "
"situations."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/mac/_index.adoc:346
msgid ""
"Implementing MAC is much like implementing a firewall since care must be "
"taken to prevent being completely locked out of the system.  The ability to "
"revert back to a previous configuration should be considered and the "
"implementation of MAC over a remote connection should be done with extreme "
"caution."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/mac/_index.adoc:349
#, no-wrap
msgid "Available MAC Policies"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:355
msgid ""
"The default FreeBSD kernel includes `options MAC`.  This means that every "
"module included with the MAC framework can be loaded with `kldload` as a run-"
"time kernel module.  After testing the module, add the module name to "
"[.filename]#/boot/loader.conf# so that it will load during boot.  Each "
"module also provides a kernel option for those administrators who choose to "
"compile their own custom kernel."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:358
msgid ""
"FreeBSD includes a group of policies that will cover most security "
"requirements. Each policy is summarized below.  The last three policies "
"support integer settings in place of the three default labels."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/mac/_index.adoc:360
#, no-wrap
msgid "The MAC See Other UIDs Policy"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:363
msgid "Module name: [.filename]#mac_seeotheruids.ko#"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:365
msgid "Kernel configuration line: `options MAC_SEEOTHERUIDS`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:367
msgid "Boot option: `mac_seeotheruids_load=\"YES\"`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:370
msgid ""
"The man:mac_seeotheruids[4] module extends the `security.bsd.see_other_uids` "
"and `security.bsd.see_other_gids` `sysctl` tunables.  This policy does not "
"require any labels to be set before configuration and can operate "
"transparently alongside other modules."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:372
msgid ""
"After loading the module, the following `sysctl` tunables may be used to "
"control its features:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:374
msgid ""
"`security.mac.seeotheruids.enabled` enables the module and implements the "
"default settings which deny users the ability to view processes and sockets "
"owned by other users."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:375
msgid ""
"`security.mac.seeotheruids.specificgid_enabled` allows specified groups to "
"be exempt from this policy. To exempt a specific group, set the "
"`security.mac.seeotheruids.specificgid=_XXX_` `sysctl` tunable, replacing "
"_XXX_ with the numeric group ID to be exempted."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:376
msgid ""
"`security.mac.seeotheruids.primarygroup_enabled` is used to exempt specific "
"primary groups from this policy. When using this tunable, "
"`security.mac.seeotheruids.specificgid_enabled` may not be set."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/mac/_index.adoc:378
#, no-wrap
msgid "The MAC BSD Extended Policy"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:381
msgid "Module name: [.filename]#mac_bsdextended.ko#"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:383
msgid "Kernel configuration line: `options MAC_BSDEXTENDED`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:385
msgid "Boot option: `mac_bsdextended_load=\"YES\"`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:391
msgid ""
"The man:mac_bsdextended[4] module enforces a file system firewall.  It "
"provides an extension to the standard file system permissions model, "
"permitting an administrator to create a firewall-like ruleset to protect "
"files, utilities, and directories in the file system hierarchy.  When access "
"to a file system object is attempted, the list of rules is iterated until "
"either a matching rule is located or the end is reached.  This behavior may "
"be changed using `security.mac.bsdextended.firstmatch_enabled`.  Similar to "
"other firewall modules in FreeBSD, a file containing the access control "
"rules can be created and read by the system at boot time using an "
"man:rc.conf[5] variable."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:394
msgid ""
"The rule list may be entered using man:ugidfw[8] which has a syntax similar "
"to man:ipfw[8].  More tools can be written by using the functions in the "
"man:libugidfw[3] library."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:396
msgid ""
"After the man:mac_bsdextended[4] module has been loaded, the following "
"command may be used to list the current rule configuration:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:401
#, no-wrap
msgid ""
"# ugidfw list\n"
"0 slots, 0 rules\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:405
msgid ""
"By default, no rules are defined and everything is completely accessible.  "
"To create a rule which blocks all access by users but leaves `root` "
"unaffected:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:409
#, no-wrap
msgid "# ugidfw add subject not uid root new object not uid root mode n\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:413
msgid ""
"While this rule is simple to implement, it is a very bad idea: it denies "
"every non-`root` user access to every file system object not owned by "
"`root`, including the user's own home directory.  A more realistic example "
"denies `user1` all access, including directory listings, to ``_user2_``'s "
"home directory:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:418
#, no-wrap
msgid ""
"# ugidfw set 2 subject uid user1 object uid user2 mode n\n"
"# ugidfw set 3 subject uid user1 object gid user2 mode n\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:422
msgid ""
"Instead of `user1`, `not uid _user2_` could be used in order to enforce the "
"same access restrictions for all users.  However, the `root` user is "
"unaffected by these rules."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/mac/_index.adoc:426
msgid ""
"Extreme caution should be taken when working with this module as incorrect "
"use could block access to certain parts of the file system."
msgstr ""
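
The pairwise rules above grow quickly once there are more than two users, and a shared project directory needs an allow rule that is evaluated before the denies. The following POSIX sh script is an added example, not part of the FreeBSD Handbook or the base system: it generates the man:ugidfw[8] commands for a list of users (numeric `uid:gid` pairs, constructed below) plus one project group, and relies on `security.mac.bsdextended.firstmatch_enabled=1` so that the allow rule wins. Without first match every matching rule is consulted, and the owner's `mode n` rule would still deny access to group-shared files. The `bsdextended_rules` and `bsdextended_apply` names are this example's own; whether `subject gid` matches supplementary groups or only the effective group should be checked against man:mac_bsdextended[4] on the target release, and the example assumes members carry the group.

```shell
#!/bin/sh
# Generate, and optionally load, a mac_bsdextended(4) ruleset that isolates
# each user's files from every other user while members of one project group
# keep access to group-owned objects. Added example; not part of the FreeBSD
# Handbook or the base system. Assumptions: ids are numeric and are given as
# uid:gid pairs (constructed values in the demo), and the allow rule is placed
# first with security.mac.bsdextended.firstmatch_enabled=1; without first
# match every matching rule is consulted and the owner's deny rule would still
# apply to group-shared files. root bypasses this module regardless of rules.

# bsdextended_rules PROJECT_GID UID:GID... -> one ugidfw command per line, in
# evaluation order, starting at slot 1.
bsdextended_rules() {
    project=$1; shift
    n=1
    # Members of the project group keep full access to objects owned by it.
    printf 'ugidfw set %d subject gid %s object gid %s mode arswx\n' \
        "$n" "$project" "$project"
    for pair in "$@"; do
        uid=${pair%%:*}; gid=${pair#*:}
        n=$((n + 1))
        # Everyone except the owner is denied all access to the owner's files...
        printf 'ugidfw set %d subject not uid %s object uid %s mode n\n' \
            "$n" "$uid" "$uid"
        n=$((n + 1))
        # ...and to objects carrying the owner's private group, mirroring the
        # second rule of the user1/user2 example.
        printf 'ugidfw set %d subject not uid %s object gid %s mode n\n' \
            "$n" "$uid" "$gid"
    done
}

# bsdextended_apply PROJECT_GID UID:GID... -> loads the ruleset when ugidfw(8)
# is available, otherwise only prints it for review. Always prints the text.
bsdextended_apply() {
    rules=$(bsdextended_rules "$@") || return 1
    if command -v ugidfw >/dev/null 2>&1; then
        sysctl security.mac.bsdextended.firstmatch_enabled=1 >/dev/null
        printf '%s\n' "$rules" | sh -e
        ugidfw list            # verify what the kernel actually holds
    fi
    printf '%s\n' "$rules"
}

# Constructed demo: project group 2000, three users with private groups.
bsdextended_apply 2000 1001:1001 1002:1002 1003:1003
```

Run it once with `ugidfw` absent (or on a test box) to review the generated slots, then let `bsdextended_apply` load them; `ugidfw list` afterwards shows the slots exactly as the kernel evaluates them.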

#. type: Title ===
#: documentation/content/en/books/handbook/mac/_index.adoc:429
#, no-wrap
msgid "The MAC Interface Silencing Policy"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:432
msgid "Module name: [.filename]#mac_ifoff.ko#"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:434
msgid "Kernel configuration line: `options MAC_IFOFF`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:436
msgid "Boot option: `mac_ifoff_load=\"YES\"`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:439
msgid ""
"The man:mac_ifoff[4] module is used to disable network interfaces on the fly "
"and to keep network interfaces from being brought up during system boot.  It "
"does not use labels and does not depend on any other MAC modules."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:441
msgid ""
"Most of this module's control is performed through these `sysctl` tunables:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:443
msgid ""
"`security.mac.ifoff.lo_enabled` enables or disables all traffic on the "
"loopback, man:lo[4], interface."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:444
msgid ""
"`security.mac.ifoff.bpfrecv_enabled` enables or disables all traffic on the "
"Berkeley Packet Filter interface, man:bpf[4]."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:445
msgid ""
"`security.mac.ifoff.other_enabled` enables or disables traffic on all other "
"interfaces."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:448
msgid ""
"One of the most common uses of man:mac_ifoff[4] is network monitoring in an "
"environment where network traffic should not be permitted during the boot "
"sequence.  Another use would be to write a script which uses an application "
"such as package:security/aide[] to automatically block network traffic if it "
"finds new or altered files in protected directories."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/mac/_index.adoc:450
#, no-wrap
msgid "The MAC Port Access Control List Policy"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:453
msgid "Module name: [.filename]#mac_portacl.ko#"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:455
msgid "Kernel configuration line: `options MAC_PORTACL`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:457
msgid "Boot option: `mac_portacl_load=\"YES\"`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:459
msgid ""
"The man:mac_portacl[4] module is used to limit binding to local TCP and UDP "
"ports, making it possible to allow non-`root` users to bind to specified "
"privileged ports below 1024."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:462
msgid ""
"Once loaded, this module enables the MAC policy on all sockets.  The "
"following tunables are available:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:464
msgid ""
"`security.mac.portacl.enabled` enables or disables the policy completely."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:465
msgid ""
"`security.mac.portacl.port_high` sets the highest port number that "
"man:mac_portacl[4] protects."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:466
msgid ""
"`security.mac.portacl.suser_exempt`, when set to a non-zero value, exempts "
"the `root` user from this policy."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:467
msgid ""
"`security.mac.portacl.rules` specifies the policy as a text string of the "
"form `rule[,rule,...]`, with as many rules as needed, and where each rule is "
"of the form `idtype:id:protocol:port`. The `idtype` is either `uid` or "
"`gid`. The `protocol` parameter can be `tcp` or `udp`. The `port` parameter "
"is the port number to allow the specified user or group to bind to. Only "
"numeric values can be used for the user ID, group ID, and port parameters."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:470
msgid ""
"By default, ports below 1024 can only be used by privileged processes which "
"run as `root`.  For man:mac_portacl[4] to allow non-privileged processes to "
"bind to ports below 1024, set the following tunables as follows:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:476
#, no-wrap
msgid ""
"# sysctl security.mac.portacl.port_high=1023\n"
"# sysctl net.inet.ip.portrange.reservedlow=0\n"
"# sysctl net.inet.ip.portrange.reservedhigh=0\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:479
msgid ""
"Setting `net.inet.ip.portrange.reservedlow` and "
"`net.inet.ip.portrange.reservedhigh` to 0 switches off the kernel's built-in "
"reserved-port check, so man:mac_portacl[4] becomes the only control over who "
"may bind below port 1024; load the module and set its rules first.  To "
"prevent the `root` user from being affected by this policy, set "
"`security.mac.portacl.suser_exempt` to a non-zero value."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:483
#, no-wrap
msgid "# sysctl security.mac.portacl.suser_exempt=1\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:486
msgid ""
"To allow the `www` user with UID 80 to bind to port 80 without ever needing "
"`root` privilege:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:490
#, no-wrap
msgid "# sysctl security.mac.portacl.rules=uid:80:tcp:80\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:493
msgid ""
"This next example permits the user with the UID of 1001 to bind to TCP ports "
"110 (POP3) and 995 (POP3s):"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:497
#, no-wrap
msgid "# sysctl security.mac.portacl.rules=uid:1001:tcp:110,uid:1001:tcp:995\n"
msgstr ""
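
Because `security.mac.portacl.rules` is one string that replaces the previous list on every write, and because the policy does not look at ports above `port_high`, it pays to assemble and check the string before it reaches the kernel. The following POSIX sh functions are an added example, not part of the FreeBSD Handbook or the base system: they validate each `idtype:id:protocol:port` rule, join the list, and push the complete set with `sysctl`. The `PORTACL_PORT_HIGH` variable and the `portacl_*` function names are this example's own; the uids in the demo come from the text above, and gid 53 is a constructed value.

```shell
#!/bin/sh
# Build and sanity-check a security.mac.portacl.rules string before handing it
# to sysctl(8). Added example; not part of the FreeBSD Handbook or the base
# system. Assumptions: PORTACL_PORT_HIGH mirrors the value you set in
# security.mac.portacl.port_high (1023 here), and uids/gids are already
# numeric, since mac_portacl(4) does not resolve names.
PORTACL_PORT_HIGH=${PORTACL_PORT_HIGH:-1023}

is_uint() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# portacl_rule_ok idtype:id:protocol:port -> 0 when the rule is well-formed
# and falls inside the range the policy actually protects.
portacl_rule_ok() {
    oldifs=$IFS; IFS=:
    set -f; set -- $1; set +f
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    case $1 in uid|gid) ;; *) return 1 ;; esac
    is_uint "$2" || return 1
    case $3 in tcp|udp) ;; *) return 1 ;; esac
    is_uint "$4" || return 1
    # Ports above port_high are not checked by the policy at all, so a rule
    # for them would be silently meaningless.
    [ "$4" -ge 1 ] && [ "$4" -le "$PORTACL_PORT_HIGH" ]
}

# portacl_rules_build rule... -> prints the comma-joined sysctl value; stops
# at the first bad rule, because the kernel parses the string as a unit.
portacl_rules_build() {
    out=
    for r in "$@"; do
        portacl_rule_ok "$r" || { echo "bad portacl rule: $r" >&2; return 1; }
        out=${out:+$out,}$r
    done
    printf '%s\n' "$out"
}

# portacl_apply rule... -> pushes the complete list into the kernel. The
# sysctl replaces the previous list rather than appending to it, so every
# rule that should stay in force must be passed again.
portacl_apply() {
    rules=$(portacl_rules_build "$@") || return 1
    sysctl security.mac.portacl.port_high="$PORTACL_PORT_HIGH" >/dev/null &&
    sysctl security.mac.portacl.suser_exempt=1 >/dev/null &&
    sysctl security.mac.portacl.rules="$rules"
}

# Constructed demo: www (uid 80) on port 80, uid 1001 on POP3/POP3S, and a
# hypothetical gid 53 on UDP 53.
portacl_rules_build uid:80:tcp:80 uid:1001:tcp:110 uid:1001:tcp:995 gid:53:udp:53
```

`portacl_apply` is the only function that touches the kernel; the others run anywhere, so the rule list can be checked in CI before it is shipped to a host.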

#. type: Title ===
#: documentation/content/en/books/handbook/mac/_index.adoc:500
#, no-wrap
msgid "The MAC Partition Policy"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:503
msgid "Module name: [.filename]#mac_partition.ko#"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:505
msgid "Kernel configuration line: `options MAC_PARTITION`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:507
msgid "Boot option: `mac_partition_load=\"YES\"`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:511
msgid ""
"The man:mac_partition[4] policy drops processes into specific \"partitions\" "
"based on their MAC label.  Most configuration for this policy is done using "
"man:setpmac[8].  One `sysctl` tunable is available for this policy:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:513
msgid ""
"`security.mac.partition.enabled` enables the enforcement of MAC process "
"partitions."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:516
msgid ""
"When this policy is enabled, a process can only see, signal, or otherwise "
"interact with processes that carry the same partition label; processes in "
"other partitions are invisible to it.  For instance, a user in the "
"`insecure` class, whose label is `partition/13`, will see only "
"`partition/13` processes in `top` and cannot signal processes outside that "
"partition."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:519
msgid ""
"This example starts `top` with the `partition/13` label, the label set on "
"users in the `insecure` class.  All processes spawned by users in the "
"`insecure` class stay in the `partition/13` label, so this `top` sees only "
"those processes."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:523
#, no-wrap
msgid "# setpmac partition/13 top\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:526
msgid "This command displays the partition label and the process list:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:530
#, no-wrap
msgid "# ps Zax\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:533
msgid ""
"This command displays another user's process partition label and that user's "
"currently running processes:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:537
#, no-wrap
msgid "# ps -ZU trhodes\n"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/mac/_index.adoc:542
msgid ""
"Users can see processes in ``root``'s label unless the "
"man:mac_seeotheruids[4] policy is loaded."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/mac/_index.adoc:545
#, no-wrap
msgid "The MAC Multi-Level Security Module"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:548
msgid "Module name: [.filename]#mac_mls.ko#"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:550
msgid "Kernel configuration line: `options MAC_MLS`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:552
msgid "Boot option: `mac_mls_load=\"YES\"`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:554
msgid ""
"The man:mac_mls[4] policy controls access between subjects and objects in "
"the system by enforcing a strict information flow policy."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:558
msgid ""
"In MLS environments, a \"clearance\" level is set in the label of each "
"subject or object, along with compartments.  Since these clearance levels "
"can reach numbers greater than several thousand, it would be a daunting task "
"to thoroughly configure every subject or object.  To ease this "
"administrative overhead, three labels are included in this policy: `mls/"
"low`, `mls/equal`, and `mls/high`, where:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:560
msgid ""
"Anything labeled with `mls/low` will have a low clearance level and not be "
"permitted to access information of a higher level. This label also prevents "
"objects of a higher clearance level from writing or passing information to a "
"lower level."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:561
msgid ""
"`mls/equal` should be placed on objects which should be exempt from the "
"policy."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:562
msgid ""
"`mls/high` is the highest level of clearance possible. Objects assigned this "
"label will hold dominance over all other objects in the system; however, "
"they will not permit the leaking of information to objects of a lower class."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:564
msgid "MLS provides:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:566
msgid ""
"A hierarchical security level with a set of non-hierarchical categories."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:567
msgid ""
"Fixed rules of `no read up, no write down`. This means that a subject can "
"have read access to objects on its own level or below, but not above. "
"Similarly, a subject can have write access to objects on its own level or "
"above, but not beneath."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:568
msgid "Secrecy, or the prevention of inappropriate disclosure of data."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:569
msgid ""
"A basis for the design of systems that concurrently handle data at multiple "
"sensitivity levels without leaking information between secret and "
"confidential."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:571
msgid "The following `sysctl` tunables are available:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:573
msgid "`security.mac.mls.enabled` is used to enable or disable the MLS policy."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:574
msgid ""
"`security.mac.mls.ptys_equal` labels all man:pty[4] devices as `mls/equal` "
"during creation."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:575
msgid ""
"`security.mac.mls.revocation_enabled` revokes access to objects after their "
"label changes to a label of a lower grade."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:576
msgid ""
"`security.mac.mls.max_compartments` sets the maximum number of compartment "
"levels allowed on a system."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:578
msgid ""
"To manipulate MLS labels, use man:setfmac[8]. To assign a label to an object:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:582
#, no-wrap
msgid "# setfmac mls/5 test\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:585
msgid "To get the MLS label for the file [.filename]#test#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:589
#, no-wrap
msgid "# getfmac test\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:592
msgid ""
"Another approach is to create a master policy file in [.filename]#/etc/# "
"which maps path names to their MLS labels and to apply that file with "
"man:setfsmac[8]."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:596
msgid ""
"When using the MLS policy module, an administrator plans to control the flow "
"of sensitive information.  Under the fixed `no read up, no write down` "
"rules, the default low label leaves everything accessible at first, and the "
"administrator raises the classification of information step by step."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:601
msgid ""
"Beyond the three basic label options, an administrator may group users and "
"groups as required to block the information flow between them.  It might be "
"easier to look at the information in clearance levels using descriptive "
"words, such as classifications of `Confidential`, `Secret`, and `Top "
"Secret`.  Some administrators instead create different groups based on "
"project levels.  Regardless of the classification method, a well thought out "
"plan must exist before implementing a restrictive policy."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:603
msgid ""
"Some example situations for the MLS policy module include an e-commerce web "
"server, a file server holding critical company information, and financial "
"institution environments."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/mac/_index.adoc:605
#, no-wrap
msgid "The MAC Biba Module"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:608
msgid "Module name: [.filename]#mac_biba.ko#"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:610
msgid "Kernel configuration line: `options MAC_BIBA`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:612
msgid "Boot option: `mac_biba_load=\"YES\"`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:616
msgid ""
"The man:mac_biba[4] module loads the MAC Biba policy.  This policy is "
"similar to the MLS policy with the exception that the rules for information "
"flow are reversed.  Biba prevents low-integrity information from flowing "
"upward into higher-integrity subjects and objects, whereas the MLS policy "
"prevents sensitive information from flowing downward to subjects with a "
"lower clearance."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:620
msgid ""
"In Biba environments, an \"integrity\" label is set on each subject or "
"object.  These labels are made up of hierarchical grades and non-"
"hierarchical components.  As a grade ascends, so does its integrity."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:622
msgid "Supported labels are `biba/low`, `biba/equal`, and `biba/high`, where:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:624
msgid ""
"`biba/low` is considered the lowest integrity an object or subject may have. "
"Setting this on objects or subjects blocks their write access to objects or "
"subjects marked as `biba/high`, but will not prevent read access."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:625
msgid ""
"`biba/equal` should only be placed on objects considered to be exempt from "
"the policy."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:626
msgid ""
"`biba/high` permits writing to objects set at a lower label, but does not "
"permit reading that object. It is recommended that this label be placed on "
"objects that affect the integrity of the entire system."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:628
msgid "Biba provides:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:630
msgid ""
"Hierarchical integrity levels with a set of non-hierarchical integrity "
"categories."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:631
msgid ""
"Fixed rules are `no write up, no read down`, the opposite of MLS. A subject "
"can have write access to objects on its own level or below, but not above. "
"Similarly, a subject can have read access to objects on its own level or "
"above, but not below."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:632
msgid "Integrity by preventing inappropriate modification of data."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:633
msgid "Integrity levels instead of MLS sensitivity levels."
msgstr ""
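
The two rule tables above (no read up / no write down for MLS, no write up / no read down for Biba) both reduce to one dominance test on a label's grade and compartment set, with `equal` dominating and dominated by everything. The following POSIX sh script is an added example, not part of the FreeBSD Handbook or the kernel's man:mac_mls[4] and man:mac_biba[4] code: it implements that test on labels written in man:maclabel[7] syntax (`mls/5:1+2`, `biba/high`) and prints a worked table. The `dominates`, `mls_allows` and `biba_allows` names are this example's own, the labels in the demo are constructed, `high` is treated as the maximum grade 65535, and range labels on subjects are left out.

```shell
#!/bin/sh
# Dominance arithmetic behind mac_mls(4) and mac_biba(4): "no read up, no
# write down" (MLS) and "no write up, no read down" (Biba) are the same
# comparison with the arguments swapped. Added example; not the Handbook's or
# the kernel's code. Labels use maclabel(7) syntax: mls/low, mls/equal,
# mls/high, mls/<grade>, mls/<grade>:<c1>+<c2>... (same for biba/).
# Assumptions: high is treated as grade 65535 (the maximum), range labels on
# subjects are not modelled, and the names below are this example's own.
set -f   # no pathname expansion while splitting on ':' and '+'

# grade_of LABEL -> numeric grade, or the word "equal"
grade_of() {
    g=${1#*/}; g=${g%%:*}
    case $g in
        low)         echo 0 ;;
        high)        echo 65535 ;;
        equal)       echo equal ;;
        ''|*[!0-9]*) echo "bad grade in label $1" >&2; return 1 ;;
        *)           echo "$g" ;;
    esac
}

# comps_of LABEL -> compartments wrapped as "+c1+c2+" so that membership of a
# single compartment is a substring test against "+c+"
comps_of() {
    case $1 in
        *:*) echo "+${1#*:}+" ;;
        *)   echo "+" ;;
    esac
}

# dominates A B -> 0 when grade(A) >= grade(B) and comps(B) is a subset of
# comps(A). "equal" dominates, and is dominated by, every other label, which
# is what makes mls/equal and biba/equal exempt from the policy.
dominates() {
    ga=$(grade_of "$1") || return 2
    gb=$(grade_of "$2") || return 2
    if [ "$ga" = equal ] || [ "$gb" = equal ]; then return 0; fi
    [ "$ga" -ge "$gb" ] || return 1
    ca=$(comps_of "$1")
    oldifs=$IFS; IFS=+
    set -- $(comps_of "$2")
    IFS=$oldifs
    for c in "$@"; do
        [ -n "$c" ] || continue
        case $ca in *"+$c+"*) ;; *) return 1 ;; esac
    done
    return 0
}

# mls_allows read|write SUBJECT OBJECT: read needs the subject to dominate the
# object (no read up); write needs the object to dominate the subject (no
# write down).
mls_allows() {
    case $1 in
        read)  dominates "$2" "$3" ;;
        write) dominates "$3" "$2" ;;
        *)     return 2 ;;
    esac
}

# biba_allows read|write SUBJECT OBJECT: the MLS table with the operands
# swapped, giving no write up and no read down.
biba_allows() {
    case $1 in
        read)  dominates "$3" "$2" ;;
        write) dominates "$2" "$3" ;;
        *)     return 2 ;;
    esac
}

# Worked table on constructed labels; compare each line with the rules above.
for spec in \
    "mls read mls/5:1+2 mls/3:1" \
    "mls read mls/3:1 mls/5:1+2" \
    "mls write mls/3:1 mls/5:1+2" \
    "mls read mls/5:1 mls/5:1+2" \
    "biba write biba/high biba/low" \
    "biba read biba/high biba/low" \
    "biba read biba/low biba/high" \
    "mls read mls/low mls/equal"; do
    set -- $spec
    if "${1}_allows" "$2" "$3" "$4"; then verdict=allowed; else verdict=denied; fi
    printf '%-4s %-5s subject=%-10s object=%-10s %s\n' "$1" "$2" "$3" "$4" "$verdict"
done
```

The fourth line of the table is the one that catches people: `mls/5:1` and `mls/5:1+2` share a grade, but the subject lacks compartment 2, so the read is denied even though the grades match.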

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:635
msgid "The following tunables can be used to manipulate the Biba policy:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:637
msgid ""
"`security.mac.biba.enabled` is used to enable or disable enforcement of the "
"Biba policy on the target machine."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:638
msgid ""
"`security.mac.biba.ptys_equal` labels all man:pty[4] devices as `biba/equal` "
"at creation, which exempts them from the Biba policy."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:639
msgid ""
"`security.mac.biba.revocation_enabled` forces the revocation of access to "
"objects if the label is changed to dominate the subject."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:641
msgid ""
"To access the Biba policy setting on system objects, use `setfmac` and "
"`getfmac`:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:647
#, no-wrap
msgid ""
"# setfmac biba/low test\n"
"# getfmac test\n"
"test: biba/low\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:653
msgid ""
"Integrity, which is different from sensitivity, is used to guarantee that "
"information is not manipulated by untrusted parties.  This includes "
"information passed between subjects and objects.  It ensures that users will "
"only be able to modify or access information they have been given explicit "
"access to.  The man:mac_biba[4] security policy module permits an "
"administrator to configure which files and programs a user may see and "
"invoke while assuring that the programs and files are trusted by the system "
"for that user."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:659
msgid ""
"During the initial planning phase, an administrator must be prepared to "
"partition users into grades, levels, and areas.  The system will default to "
"a high label once this policy module is enabled, and it is up to the "
"administrator to configure the different grades and levels for users.  "
"Instead of using clearance levels, a good planning method could include "
"topics.  For instance, only allow developers modification access to the "
"source code repository, source code compiler, and other development "
"utilities.  Other users would be grouped into other categories such as "
"testers, designers, or end users and would only be permitted read access."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:664
msgid ""
"A lower integrity subject is unable to write to a higher integrity subject "
"and a higher integrity subject cannot list or read a lower integrity "
"object.  Setting a label at the lowest possible grade could make it "
"inaccessible to subjects.  Some prospective environments for this security "
"policy module would include a constrained web server, a development and test "
"machine, and a source code repository.  A less useful implementation would "
"be a personal workstation, a machine used as a router, or a network firewall."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/mac/_index.adoc:666
#, no-wrap
msgid "The MAC Low-watermark Module"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:669
msgid "Module name: [.filename]#mac_lomac.ko#"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:671
msgid "Kernel configuration line: `options MAC_LOMAC`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:673
msgid "Boot option: `mac_lomac_load=\"YES\"`"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:675
msgid ""
"Unlike the MAC Biba policy, the man:mac_lomac[4] policy lets a subject read "
"a lower integrity object, but then lowers (demotes) the subject's own "
"integrity level so that no integrity rule is violated afterwards."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:679
msgid ""
"The Low-watermark integrity policy works almost identically to Biba, with "
"the exception of using floating labels to support subject demotion via an "
"auxiliary grade compartment.  This secondary compartment takes the form "
"`[auxgrade]`.  When assigning a policy with an auxiliary grade, use the "
"syntax `lomac/10[2]`, where `2` is the auxiliary grade."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:682
msgid ""
"This policy relies on the ubiquitous labeling of all system objects with "
"integrity labels, permitting subjects to read from low integrity objects and "
"then downgrading the label on the subject to prevent future writes to high "
"integrity objects using `[auxgrade]`.  The policy may provide greater "
"compatibility and require less initial configuration than Biba."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:684
msgid ""
"Like the Biba and MLS policies, `setfmac` and `setpmac` are used to place "
"labels on system objects:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:689
#, no-wrap
msgid ""
"# setfmac lomac/high[low] /usr/home/trhodes\n"
"# getfmac /usr/home/trhodes\n"
"/usr/home/trhodes: lomac/high[low]\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:692
msgid ""
"The auxiliary grade `low` is a feature provided only by the MAC LOMAC policy."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/mac/_index.adoc:694
#, no-wrap
msgid "User Lock Down"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:698
msgid ""
"This example considers a relatively small storage system with fewer than "
"fifty users.  Users will have login capabilities and are permitted to store "
"data and access resources."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:700
msgid ""
"For this scenario, the man:mac_bsdextended[4] and man:mac_seeotheruids[4] "
"policy modules could co-exist and block access to system objects while "
"hiding user processes."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:702
msgid "Begin by adding the following line to [.filename]#/boot/loader.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:706
#, no-wrap
msgid "mac_seeotheruids_load=\"YES\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:709
msgid ""
"The man:mac_bsdextended[4] security policy module may be activated by adding "
"this line to [.filename]#/etc/rc.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:713
#, no-wrap
msgid "ugidfw_enable=\"YES\"\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:718
msgid ""
"Default rules stored in [.filename]#/etc/rc.bsdextended# will be loaded at "
"system initialization.  However, the default entries may need modification.  "
"Since this machine is expected only to service users, everything may be left "
"commented out except the last two lines in order to force the loading of "
"user owned system objects by default."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:723
msgid ""
"Add the required users to this machine and reboot.  For testing purposes, "
"try logging in as a different user across two consoles.  Run `ps aux` to see "
"if processes of other users are visible.  Verify that running man:ls[1] on "
"another user's home directory fails."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:725
msgid ""
"Do not try to test with the `root` user unless the specific ``sysctl``s have "
"been modified to block super user access."
msgstr ""
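The two-console test above can be turned into a repeatable check. The script below is an added example, not Handbook text: it reads `ps aux` style output on standard input and lists every user, other than the one named, whose processes are visible. The `ps` sample, and the `other_users` and `check_hidden` function names, are constructed for this example; with man:mac_seeotheruids[4] loaded and its default ``sysctl``s, an unprivileged user should see only their own processes, so the check should pass for every ordinary account and is expected to fail on a host where the policy is not in effect.

```shell
#!/bin/sh
# Added example, not part of the Handbook: a repeatable version of the
# "log in on two consoles and run ps aux" test.  It reads `ps aux` style
# output on stdin and lists the users, other than the one named, whose
# processes are visible.  With mac_seeotheruids(4) loaded and its default
# sysctls, an unprivileged user should see only their own processes.

# other_users ME: print the distinct USER column values that are not ME,
# one per line, sorted.  The first line (the ps header) is skipped.
other_users() {
    awk -v me="$1" 'NR > 1 && $1 != me { seen[$1] = 1 }
        END { for (u in seen) print u }' | sort
}

# check_hidden ME: succeed (exit 0) only when no other user's process shows
# up, i.e. when the seeotheruids policy is doing its job for ME.
check_hidden() {
    [ -z "$(other_users "$1")" ]
}

# Constructed sample of what `ps aux` prints on a host without the policy.
SAMPLE='USER   PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
root     1  0.0  0.1  5400 1000  -  ILs  10:00   0:00.01 /sbin/init
alice  801  0.0  0.2  7100 2200  0  S    10:05   0:00.03 -sh
bob    905  0.0  0.2  7100 2150  1  S    10:06   0:00.02 -sh
alice  933  0.0  0.1  6300 1800  0  R+   10:07   0:00.00 ps aux'

# Dry run against the sample: prints "bob" and "root", so the check fails.
printf '%s\n' "$SAMPLE" | other_users alice

# On the locked-down host, logged in as an ordinary user, run instead:
#   ps aux | check_hidden "$(id -un)" && echo "other users are hidden"
```

Run it from each test account rather than from `root`: the `root` processes are hidden from ordinary users by the policy, but `root` itself keeps seeing everything unless the policy's ``sysctl``s are changed, as the paragraph above notes.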

#. type: delimited block = 4
#: documentation/content/en/books/handbook/mac/_index.adoc:730
msgid ""
"When a new user is added, their man:mac_bsdextended[4] rule will not be in "
"the ruleset list.  To update the ruleset quickly, unload the security policy "
"module and reload it again using man:kldunload[8] and man:kldload[8]."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/mac/_index.adoc:733
#, no-wrap
msgid "Nagios in a MAC Jail"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:737
msgid ""
"This section demonstrates the steps that are needed to implement the Nagios "
"network monitoring system in a MAC environment.  This is meant as an example "
"which still requires the administrator to test that the implemented policy "
"meets the security requirements of the network before using in a production "
"environment."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:740
msgid ""
"This example requires `multilabel` to be set on each file system.  It also "
"assumes that package:net-mgmt/nagios-plugins[], package:net-mgmt/nagios[], "
"and package:www/apache22[] are all installed, configured, and working "
"correctly before attempting the integration into the MAC framework."
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/mac/_index.adoc:741
#, no-wrap
msgid "Create an Insecure User Class"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:744
msgid ""
"Begin the procedure by adding the following user class to [.filename]#/etc/"
"login.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:769
#, no-wrap
msgid ""
"insecure:\\\n"
":welcome=/etc/motd:\\\n"
":setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\\\n"
":path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:\\\n"
":manpath=/usr/share/man /usr/local/man:\\\n"
":nologin=/usr/sbin/nologin:\\\n"
":cputime=1h30m:\\\n"
":datasize=8M:\\\n"
":vmemoryuse=100M:\\\n"
":stacksize=2M:\\\n"
":memorylocked=4M:\\\n"
":memoryuse=8M:\\\n"
":filesize=8M:\\\n"
":coredumpsize=8M:\\\n"
":openfiles=24:\\\n"
":maxproc=32:\\\n"
":priority=0:\\\n"
":requirehome:\\\n"
":passwordtime=91d:\\\n"
":umask=022:\\\n"
":ignoretime@:\\\n"
":label=biba/10(10-10):\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:772
msgid "Then, add the following line to the default user class section:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:776
#, no-wrap
msgid ":label=biba/high:\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:779
msgid "Save the edits and issue the following command to rebuild the database:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:783
#, no-wrap
msgid "# cap_mkdb /etc/login.conf\n"
msgstr ""
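A login class is a single getcap-style record: every capability line except the last must end in a backslash, and a line that does not ends the record, so any capability after it (the `label` line in particular) is no longer part of the class even though `cap_mkdb` may build the database without complaint. The lint below is an added example, not Handbook text, to run before `cap_mkdb`. The `lint_login_conf` function name and the two shortened `insecure` records are constructed for this example; the first record deliberately lacks the backslash on its `path` line to show what the check reports.

```shell
#!/bin/sh
# Added example, not part of the Handbook: a lint for login.conf(5) records.
# Each capability line of a record must end in a backslash so that it joins
# the next line; without it the record ends there, and a later ":label=..."
# capability silently never becomes part of the class.

# lint_login_conf: read login.conf text on stdin, report each capability
# line that is not joined to its record, and exit 1 if any were found.
lint_login_conf() {
    awk '
        /^[[:space:]]*(#|$)/ { next }             # skip comments, blank lines
        /^[^:[:space:]]/     { cont = 0 }         # "name:\" starts a record
        /^[[:space:]]*:/ && !cont {
            printf "line %d: capability not joined to its record: %s\n", NR, $0
            bad++
        }
        { cont = ($0 ~ /\\$/) }                   # does this line continue?
        END { exit bad ? 1 : 0 }'
}

# Constructed, shortened copies of the insecure class: the first has no
# trailing backslash on its :path= line, the second is correct.
BROKEN='insecure:\
	:welcome=/etc/motd:\
	:path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
	:manpath=/usr/share/man /usr/local/man:\
	:label=biba/10(10-10):'

FIXED='insecure:\
	:welcome=/etc/motd:\
	:path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:\
	:manpath=/usr/share/man /usr/local/man:\
	:label=biba/10(10-10):'

# Reports the :manpath= line, the first one cut off from the record.
printf '%s\n' "$BROKEN" | lint_login_conf || echo 'fix the record before cap_mkdb'
# Silent, exit status 0.
printf '%s\n' "$FIXED" | lint_login_conf

# On the real file:
#   lint_login_conf < /etc/login.conf && cap_mkdb /etc/login.conf
```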

#. type: Title ===
#: documentation/content/en/books/handbook/mac/_index.adoc:785
#, no-wrap
msgid "Configure Users"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:788
msgid "Set the `root` user to the default class using:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:792
#, no-wrap
msgid "# pw usermod root -L default\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:797
msgid ""
"All user accounts that are not `root` will now require a login class.  The "
"login class is required, otherwise users will be refused access to common "
"commands.  The following `sh` script should do the trick:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:802
#, no-wrap
msgid ""
"# for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' \\\n"
"\t/etc/passwd`; do pw usermod $x -L default; done;\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:805
msgid "Next, drop the `nagios` and `www` accounts into the insecure class:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:810
#, no-wrap
msgid ""
"# pw usermod nagios -L insecure\n"
"# pw usermod www -L insecure\n"
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/mac/_index.adoc:812
#, no-wrap
msgid "Create the Contexts File"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:815
msgid ""
"A contexts file should now be created as [.filename]#/etc/policy.contexts#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:819
#, no-wrap
msgid "# This is the default BIBA policy for this system.\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:822
#, no-wrap
msgid ""
"# System:\n"
"/var/run(/.*)?\t\t\tbiba/equal\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:824
#, no-wrap
msgid "/dev(/.*)?\t\t\tbiba/equal\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:827
#, no-wrap
msgid ""
"/var\t\t\t\tbiba/equal\n"
"/var/spool(/.*)?\t\tbiba/equal\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:829
#, no-wrap
msgid "/var/log(/.*)?\t\t\tbiba/equal\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:832
#, no-wrap
msgid ""
"/tmp(/.*)?\t\t\tbiba/equal\n"
"/var/tmp(/.*)?\t\t\tbiba/equal\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:835
#, no-wrap
msgid ""
"/var/spool/mqueue\t\tbiba/equal\n"
"/var/spool/clientmqueue\t\tbiba/equal\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:838
#, no-wrap
msgid ""
"# For Nagios:\n"
"/usr/local/etc/nagios(/.*)?\tbiba/10\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:840
#, no-wrap
msgid "/var/spool/nagios(/.*)?\t\tbiba/10\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:843
#, no-wrap
msgid ""
"# For apache\n"
"/usr/local/etc/apache(/.*)?\tbiba/10\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:848
msgid ""
"This policy enforces security by setting restrictions on the flow of "
"information.  In this specific configuration, users, including `root`, "
"should never be allowed to access Nagios.  Configuration files and processes "
"that are a part of Nagios will be completely self-contained or jailed."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:851
msgid ""
"This file will be read after running `setfsmac` on every file system.  This "
"example sets the policy on the root file system:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:855
#, no-wrap
msgid "# setfsmac -ef /etc/policy.contexts /\n"
msgstr ""
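Each entry in the contexts file is a regular expression that must match the whole path, so it pays to dry-run the file against the paths that matter before labels are written. The script below is an added example, not Handbook text: `CONTEXTS` is a constructed copy of the file above, and `matches` and `label_for` are names chosen for this example. It assumes that when several entries match a path the last one wins, which is what the ordering above relies on (the general `/var/spool(/.*)?` entry comes before the Nagios-specific `/var/spool/nagios(/.*)?` one); confirm that rule against man:setfsmac[8] on the target release. It also shows why an entry written as `/dev/(/.*)?` can never match [.filename]#/dev/null#: anchored at both ends, it demands a second slash after `/dev/`.

```shell
#!/bin/sh
# Added example, not part of the Handbook: dry-run the anchored regular
# expression matching of a setfsmac(8)-style contexts file against sample
# paths, so a mislabelled entry is spotted before labels are written.
# Assumption: when several entries match, the last one wins; the file above
# relies on this by listing /var/spool(/.*)? before /var/spool/nagios(/.*)?.

# Constructed copy of the contexts file (whitespace-separated fields).
CONTEXTS='# This is the default BIBA policy for this system.
# System:
/var/run(/.*)?              biba/equal
/dev(/.*)?                  biba/equal
/var                        biba/equal
/var/spool(/.*)?            biba/equal
/var/log(/.*)?              biba/equal
/tmp(/.*)?                  biba/equal
/var/tmp(/.*)?              biba/equal
/var/spool/mqueue           biba/equal
/var/spool/clientmqueue     biba/equal
# For Nagios:
/usr/local/etc/nagios(/.*)? biba/10
/var/spool/nagios(/.*)?     biba/10
# For apache
/usr/local/etc/apache(/.*)? biba/10'

# matches PATTERN PATH: succeed if PATTERN, anchored at both ends as a
# contexts entry is, matches the whole of PATH.
matches() {
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# label_for PATH: print the label the contexts file assigns to PATH, or
# "unlabeled" when no entry applies to it.
label_for() {
    printf '%s\n' "$CONTEXTS" | awk -v p="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }
        p ~ ("^" $1 "$") { label = $2 }
        END { print (label == "" ? "unlabeled" : label) }'
}

# Anchoring is why an entry written as /dev/(/.*)? never matches /dev/null:
# it requires a second slash after /dev/.
matches '/dev/(/.*)?' /dev/null || echo '/dev/(/.*)? does not match /dev/null'
matches '/dev(/.*)?'  /dev/null && echo '/dev(/.*)? matches /dev/null'

# Labels the sample paths would receive; the Nagios spool ends up biba/10
# only because its entry comes after the general /var/spool entry.
for f in /dev/null /var/spool/nagios/rw/nagios.cmd /var/spool/mqueue/qf1 \
         /usr/local/etc/nagios/nagios.cfg /usr/local/bin/nagios; do
    printf '%-40s %s\n' "$f" "$(label_for "$f")"
done
```

The last path, [.filename]#/usr/local/bin/nagios#, matches no entry and so keeps whatever label the file system already carries; if a path that `root` must not reach comes out as `unlabeled` or `biba/equal` here, fix the contexts file before running `setfsmac`.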

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:858
msgid ""
"Next, add these edits to the main section of [.filename]#/etc/mac.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:865
#, no-wrap
msgid ""
"default_labels file ?biba\n"
"default_labels ifnet ?biba\n"
"default_labels process ?biba\n"
"default_labels socket ?biba\n"
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/mac/_index.adoc:867
#, no-wrap
msgid "Loader Configuration"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:870
msgid ""
"To finish the configuration, add the following lines to [.filename]#/boot/"
"loader.conf#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:876
#, no-wrap
msgid ""
"mac_biba_load=\"YES\"\n"
"mac_seeotheruids_load=\"YES\"\n"
"security.mac.biba.trust_all_interfaces=1\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:880
msgid ""
"And the following line to the network card configuration stored in "
"[.filename]#/etc/rc.conf#.  If the primary network configuration is done via "
"DHCP, this may need to be configured manually after every system boot:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:884
#, no-wrap
msgid "maclabel biba/equal\n"
msgstr ""

#. type: Title ===
#: documentation/content/en/books/handbook/mac/_index.adoc:886
#, no-wrap
msgid "Testing the Configuration"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:892
msgid ""
"First, ensure that the web server and Nagios will not be started on system "
"initialization and reboot.  Ensure that `root` cannot access any of the "
"files in the Nagios configuration directory.  If `root` can list the "
"contents of [.filename]#/var/spool/nagios#, something is wrong.  Instead, a "
"\"permission denied\" error should be returned."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:894
msgid "If all seems well, Nagios, Apache, and Sendmail can now be started:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:900
#, no-wrap
msgid ""
"# cd /etc/mail && make stop && \\\n"
"setpmac biba/equal make start && setpmac biba/10\\(10-10\\) apachectl start && \\\n"
"setpmac biba/10\\(10-10\\) /usr/local/etc/rc.d/nagios.sh forcestart\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:905
msgid ""
"Double-check to ensure that everything is working properly.  If not, check "
"the log files for error messages.  If needed, use man:sysctl[8] to disable "
"the man:mac_biba[4] security policy module and try starting everything again "
"as usual."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/mac/_index.adoc:910
msgid ""
"The `root` user can still change the security enforcement and edit its "
"configuration files.  The following command will permit the degradation of "
"the security policy to a lower grade for a newly spawned shell:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/books/handbook/mac/_index.adoc:914
#, no-wrap
msgid "# setpmac biba/10 csh\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:919
msgid ""
"To block this from happening, force the user into a range using "
"man:login.conf[5].  If man:setpmac[8] attempts to run a command outside of "
"the compartment's range, an error will be returned and the command will not "
"be executed.  In this case, set root to `biba/high(high-high)`."
msgstr ""

#. type: Title ==
#: documentation/content/en/books/handbook/mac/_index.adoc:922
#, no-wrap
msgid "Troubleshooting the MAC Framework"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/mac/_index.adoc:925
msgid ""
"This section discusses common configuration errors and how to resolve them."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/mac/_index.adoc:926
#, no-wrap
msgid "The `multilabel` flag does not stay enabled on the root ([.filename]#/#) partition"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/mac/_index.adoc:928
msgid "The following steps may resolve this transient error:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:932
msgid ""
"Edit [.filename]#/etc/fstab# and set the root partition to `ro` for read-"
"only."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:933
msgid "Reboot into single user mode."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:934
msgid "Run `tunefs -l enable` on [.filename]#/#."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:935
msgid "Reboot the system."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:936
msgid ""
"Run `mount -urw` [.filename]#/# and change the `ro` back to `rw` in "
"[.filename]#/etc/fstab# and reboot the system again."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:937
msgid ""
"Double-check the output from `mount` to ensure that `multilabel` has been "
"properly set on the root file system."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/mac/_index.adoc:939
#, no-wrap
msgid "After establishing a secure environment with MAC, Xorg no longer starts"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/mac/_index.adoc:942
msgid ""
"This could be caused by the MAC `partition` policy or by a mislabeling in "
"one of the MAC labeling policies.  To debug, try the following:"
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:946
msgid ""
"Check the error message. If the user is in the `insecure` class, the "
"`partition` policy may be the culprit. Try setting the user's class back to "
"the `default` class and rebuild the database with `cap_mkdb`. If this does "
"not alleviate the problem, go to step two."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:947
msgid ""
"Double-check that the label policies are set correctly for the user, Xorg, "
"and the [.filename]#/dev# entries."
msgstr ""

#. type: Plain text
#: documentation/content/en/books/handbook/mac/_index.adoc:948
msgid ""
"If neither of these resolves the problem, send the error message and a "
"description of the environment to the {freebsd-questions}."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/mac/_index.adoc:950
#, no-wrap
msgid "The `_secure_path: unable to stat .login_conf` error appears"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/mac/_index.adoc:955
msgid ""
"This error can appear when a user attempts to switch from the `root` user to "
"another user in the system.  This message usually occurs when the user has a "
"higher label setting than that of the user they are attempting to become.  "
"For instance, if `joe` has a default label of `biba/low` and `root` has a "
"label of `biba/high`, `root` cannot view ``joe``'s home directory.  This "
"will happen whether or not `root` has used `su` to become `joe` as the Biba "
"integrity model will not permit `root` to view objects set at a lower "
"integrity level."
msgstr ""

#. type: Labeled list
#: documentation/content/en/books/handbook/mac/_index.adoc:956
#, no-wrap
msgid "The system no longer recognizes `root`"
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/mac/_index.adoc:958
msgid "When this occurs, `whoami` returns `0` and `su` returns `who are you?`."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/mac/_index.adoc:962
msgid ""
"This can happen if a labeling policy has been disabled by man:sysctl[8] or "
"the policy module was unloaded.  If the policy is disabled, the login "
"capabilities database needs to be reconfigured.  Double check [.filename]#/"
"etc/login.conf# to ensure that all `label` options have been removed and "
"rebuild the database with `cap_mkdb`."
msgstr ""

#. type: delimited block = 4
#: documentation/content/en/books/handbook/mac/_index.adoc:966
msgid ""
"This may also happen if a policy restricts access to "
"[.filename]#master.passwd#.  This is usually caused by an administrator "
"altering the file under a label which conflicts with the general policy "
"being used by the system.  In these cases, the user information would be "
"read by the system and access would be blocked as the file has inherited the "
"new label.  Disable the policy using man:sysctl[8] and everything should "
"return to normal."
msgstr ""