Mandatory Access Control
The Mandatory Access Control, or MAC, framework allows administrators to finely
control system security by providing for a loadable security policy
architecture. It is important to note that due to its nature, MAC security
policies may only restrict access relative to one another and the base system
policy; they cannot override traditional UNIX
provisions such as file permissions and superuser checks.
Currently, the following MAC policy modules are shipped with
Each system subject (processes, sockets, etc.) and each system object (file
system objects, sockets, etc.) can carry with it a MAC label. MAC labels
contain data in an arbitrary format taken into consideration in making access
control decisions for a given operation. Most MAC labels on system subjects
and objects can be modified directly or indirectly by the system
administrator. The format for a given policy's label may vary depending on the
type of object or subject being labeled. More information on the format for
MAC labels can be found in the
By default, file system enforcement of labeled MAC policies relies on a single
file system label (see MAC
) in order to make access control decisions for all the files in a
particular file system. With some policies, this configuration may not allow
administrators to take full advantage of features. In order to enable support
for labeling files on an individual basis for a particular file system, the
“multilabel” flag must be enabled on the file system. To set the
“multilabel” flag, drop to single-user mode and unmount the file
system, then execute the following command:
tunefs -l enable
is either the mount point (in
or the special file (in /dev
to the file system on which to enable multilabel support.
Policy enforcement is divided into the following areas of the system:
- File System
- File system mounts, modifying directories, modifying files, etc.
- Loading, unloading, and retrieving statistics on loaded kernel
- Network interfaces,
packet delivery and transmission, interface configuration
- Creation of and operation on
- Debugging (e.g.
- Creation of and operation on
- Kernel environment
From the command line, each type of system object has its own means for setting
and modifying its MAC policy label.
utilities can be used to run a command with a different process label than the
shell's current label.
MAC security enforcement itself is transparent to application programs, with the
exception that some programs may need to be aware of additional
returns from various system calls.
The interface for retrieving, handling, and setting policy labels is documented
Mandatory Access Control,
The FreeBSD Handbook,
implementation first appeared in
and was developed by the TrustedBSD
This software was contributed to the FreeBSD
Network Associates Labs, the Security Research Division of Network Associates
Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (“CBOSS”), as
part of the DARPA CHATS research program.
While the MAC Framework design is intended to support the containment of the
root user, not all attack channels are currently protected by entry point
checks. As such, MAC Framework policies should not be relied on, in isolation,
to protect against a malicious privileged user.