The next few sections will discuss MAC policies which use labels.
From here on this chapter will focus on the features of mac_biba(4), mac_lomac(4), mac_partition(4), and mac_mls(4).
This is an example configuration only and should not be considered for a production implementation. The goal is to document and show the syntax as well as examples for implementation and testing.
For these policies to work correctly several preparations must be made.
The following changes are required in the login.conf file:
An insecure class, or another class of similar type, must be added. The login class of insecure is not required and is just used as an example here; different configurations may use another class name.
The insecure class should have the following settings and definitions. Several of these can be altered, but the line which defines the default label is a requirement and must remain.
    insecure:\
        :copyright=/etc/COPYRIGHT:\
        :welcome=/etc/motd:\
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
        :path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:\
        :manpath=/usr/share/man /usr/local/man:\
        :nologin=/usr/sbin/nologin:\
        :cputime=1h30m:\
        :datasize=8M:\
        :vmemoryuse=100M:\
        :stacksize=2M:\
        :memorylocked=4M:\
        :memoryuse=8M:\
        :filesize=8M:\
        :coredumpsize=8M:\
        :openfiles=24:\
        :maxproc=32:\
        :priority=0:\
        :requirehome:\
        :passwordtime=91d:\
        :umask=022:\
        :ignoretime@:\
        :label=partition/13,mls/5,biba/low:
The cap_mkdb(1) command needs to be run on login.conf(5) before any of the users can be switched over to the new class.
The root username should also be placed into a login class; otherwise, almost every command executed by root will require the use of setpmac.
Rebuilding the login.conf database may cause some errors later with the daemon class. Simply uncommenting the daemon account and rebuilding the database should alleviate these issues.
Ensure that all partitions on which MAC labeling will be implemented support the multilabel flag. We must do this because many of the examples here contain different labels for testing purposes. Review the output from the mount command as a precautionary measure.
Switch any users who will have the higher security mechanisms enforced over to the new user class. A quick run of pw(8) or vipw(8) should do the trick.
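The following pre-flight script checks the preparations listed above (labelled class in login.conf, a rebuilt login.conf.db, users and root in a login class, multilabel on the target file systems). It is an added example, not Handbook code; the login.conf, master.passwd and mount(8) output it reads are constructed samples written to a temporary directory, so on a real host point the functions at the live files instead.

```sh
#!/bin/sh
# Added pre-flight check for the MAC label preparations; not Handbook code.
# Sample inputs are constructed below; on a host use /etc/login.conf,
# /etc/master.passwd and the output of mount(8) instead.

# Print the :label= value of login class CLASS from a login.conf-style FILE,
# joining the backslash-continued lines the format uses.
class_label() { # class_label FILE CLASS
    awk -v cls="$2" '
        /\\$/ { sub(/\\$/, ""); rec = rec $0; next }
        { rec = rec $0; n = split(rec, f, ":")
          if (f[1] == cls) for (i = 2; i <= n; i++)
              if (f[i] ~ /^label=/) { sub(/^label=/, "", f[i]); print f[i]; exit }
          rec = "" }' "$1"
}

# Print the login class (field 5) of USER from a master.passwd-style FILE.
user_class() { # user_class FILE USER
    awk -F: -v u="$2" '$1 == u { print $5; exit }' "$1"
}

# Succeed only if MOUNTPOINT is listed with the multilabel flag in mount(8)
# output read from stdin.
fs_multilabel() { # fs_multilabel MOUNTPOINT < mount_output
    awk -v mp="$1" '$3 == mp && /[(, ]multilabel[,)]/ { ok = 1 } END { exit !ok }'
}

# Run every preparation check; return the number of failed checks (0 = ready).
check_mac_prep() { # check_mac_prep LOGIN_CONF MASTER_PASSWD MOUNT_OUT CLASS USER MOUNTPOINT
    fails=0
    [ -n "$(class_label "$1" "$4")" ] || { echo "class $4 has no :label= line"; fails=$((fails + 1)); }
    [ "$1.db" -nt "$1" ] || { echo "$1.db is stale: run cap_mkdb $1"; fails=$((fails + 1)); }
    [ "$(user_class "$2" "$5")" = "$4" ] || { echo "user $5 is not in class $4"; fails=$((fails + 1)); }
    [ -n "$(user_class "$2" root)" ] || { echo "root has no login class"; fails=$((fails + 1)); }
    fs_multilabel "$6" < "$3" || { echo "$6 is not mounted multilabel"; fails=$((fails + 1)); }
    return $fails
}

# Write constructed samples into DIR: a prepared host except that /usr lacks multilabel.
make_samples() { # make_samples DIR
    printf 'insecure:\\\n\t:copyright=/etc/COPYRIGHT:\\\n\t:umask=022:\\\n\t:label=partition/13,mls/5,biba/low:\n' > "$1/login.conf"
    touch -t 202001010001 "$1/login.conf.db"; touch -t 202001010000 "$1/login.conf"
    printf 'root:*:0:0:insecure:0:0:Charlie &:/root:/bin/sh\nalice:*:1001:1001:insecure:0:0:Alice:/home/alice:/bin/sh\n' > "$1/master.passwd"
    printf '/dev/ada0p2 on / (ufs, local, multilabel, journaled soft-updates)\n/dev/ada0p3 on /usr (ufs, local, journaled soft-updates)\n' > "$1/mount.out"
}

d=$(mktemp -d) && make_samples "$d"
check_mac_prep "$d/login.conf" "$d/master.passwd" "$d/mount.out" insecure alice /usr || echo "$? check(s) failed"
rm -rf "$d"
```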
All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/
Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.