||FreeBSD Kernel Interfaces Manual
Mandatory Access Control
The Mandatory Access Control, or MAC, framework allows administrators to finely
control system security by providing for a loadable security policy
architecture. It is important to note that due to its nature, MAC security
policies may only restrict access relative to one another and the base system
policy; they cannot override traditional UNIX security
provisions such as file permissions and superuser checks.
Currently, the following MAC policy modules are shipped with
Each system subject (processes, sockets, etc.) and each system object (file
system objects, sockets, etc.) can carry with it a MAC label. MAC labels
contain data in an arbitrary format taken into consideration in making access
control decisions for a given operation. Most MAC labels on system subjects
and objects can be modified directly or indirectly by the system
administrator. The format for a given policy's label may vary depending on the
type of object or subject being labeled. More information on the format for
MAC labels can be found in the
By default, file system enforcement of labeled MAC policies relies on a single
file system label (see MAC Labels) in
order to make access control decisions for all the files in a particular file
system. With some policies, this configuration may not allow administrators to
take full advantage of features. In order to enable support for labeling files
on an individual basis for a particular file system, the
“multilabel” flag must be enabled on the file system. To set the
“multilabel” flag, drop to single-user mode and unmount the file
system, then execute the following command:
tunefs -l enable
where filesystem is either the mount point
or the special file (in /dev) corresponding to the
file system on which to enable multilabel support.
Policy enforcement is divided into the following areas of the system:
From the command line, each type of system object has its own means for setting
and modifying its MAC policy label.
- File System
- File system mounts, modifying directories, modifying files, etc.
- Loading, unloading, and retrieving statistics on loaded kernel
- Network interfaces,
packet delivery and transmission, interface configuration
- Creation of and operation on
- Debugging (e.g.
- Creation of and operation on
- Kernel environment
utilities can be used to run a command with a different process label than
the shell's current label.
MAC security enforcement itself is transparent to application programs, with the
exception that some programs may need to be aware of additional
returns from various system calls.
The interface for retrieving, handling, and setting policy labels
is documented in the
Control, The FreeBSD Handbook,
mac implementation first appeared in
FreeBSD 5.0 and was developed by the TrustedBSD
This software was contributed to the FreeBSD Project by
Network Associates Labs, the Security Research Division of Network Associates
Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (“CBOSS”), as
part of the DARPA CHATS research program.
While the MAC Framework design is intended to support the containment of the
root user, not all attack channels are currently protected by entry point
checks. As such, MAC Framework policies should not be relied on, in isolation,
to protect against a malicious privileged user.
Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.