path: root/share/man/man4/mac_bsdextended.4
author trhodes <trhodes@FreeBSD.org> 2004-08-21 20:26:03 +0000
committer trhodes <trhodes@FreeBSD.org> 2004-08-21 20:26:03 +0000
commit 10880df265b22224d272fe2e5d17e82afe742abd
tree 76f4b6490e36077596ce57ee0d181ec249decf73 /share/man/man4/mac_bsdextended.4
parent a4418fa3a86ce3a430d06abbf5045e47d702bc11
Document recently added features and bump the doc date.
Diffstat (limited to 'share/man/man4/mac_bsdextended.4')
-rw-r--r-- share/man/man4/mac_bsdextended.4 42
1 files changed, 41 insertions, 1 deletions
diff --git a/share/man/man4/mac_bsdextended.4 b/share/man/man4/mac_bsdextended.4
index 8b087a2..aa4d35b 100644
--- a/share/man/man4/mac_bsdextended.4
+++ b/share/man/man4/mac_bsdextended.4
@@ -30,7 +30,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd October 16, 2002
+.Dd August 21, 2004
.Os
.Dt MAC_BSDEXTENDED 4
.Sh NAME
@@ -79,8 +79,44 @@ list of rules until a rule
which denies the particular access
is found,
or the end of the list is reached.
+The
+.Nm
+policy works similar to
+.Xr ipfw 8
+or by using a
+.Em first match semantic .
+This means that not all rules are applied,
+only the first matched rule; thus if
+Rule A allows access and Rule B blocks
+access, Rule B will never be applied.
+.Pp
+.Ss Sysctls
+The following sysctls may be used to tweak the behavior of
+.Nm :
+.Bl -tag -width indent
+.It Va security.mac.bsdextended.enabled
+Set to zero or one to toggle the policy on or off.
+.It Va security.mac.bsdextended.rule_count
+List the number of defined rules, the maximum rule count is
+current set at 256.
+.It Va security.mac.bsdextended.rule_slots
+List the number of rule slots currently being used.
+.It Va security.mac.bsdextended.debugging
+Toggle between debugging mode, currently this does
+nothing and will soon be removed.
+.It Va security.mac.bsdextended.firstmatch_enabled
+Toggle between the old all rules match functionality
+and the new first rule matches functionality.
+.It Va security.mac.bsdextended.logging
+Log all access violations via the
+.Dv AUTHPRIV
+.Xr syslog 3
+facility.
+.It Va security.mac.bsdextended.rules
+Currently does nothing interesting.
.Sh SEE ALSO
.Xr libugidfw 3 ,
+.Xr syslog 3 ,
.Xr mac 4 ,
.Xr mac_biba 4 ,
.Xr mac_ifoff 4 ,
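Review bot: The `.Bl -tag -width indent` list opened under `.Ss Sysctls` is never closed: the last `.It` (`security.mac.bsdextended.rules`) runs straight into `.Sh SEE ALSO`, so an `.El` is needed before the section header. The added paragraph also describes first-match evaluation as unconditional, while `security.mac.bsdextended.firstmatch_enabled` is documented as a toggle and the unchanged sentence just above still says the list is walked until a denying rule is found or the end is reached. Please state that first match applies only when that sysctl is set and what the default is, since an administrator ordering an allow rule ahead of a deny rule gets different access decisions under the two modes. Smaller points: "works similar to ipfw or by using a first match semantic" does not parse, "current set at 256" should read "currently", the `rule_count` and `rule_slots` descriptions do not make the difference between the two clear, and the `.Pp` directly before `.Ss` is redundant.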
@@ -91,6 +127,7 @@ or the end of the list is reached.
.Xr mac_portacl 4 ,
.Xr mac_seeotheruids 4 ,
.Xr mac_test 4 ,
+.Xr ipfw 8 ,
.Xr ugidfw 8 ,
.Xr mac 9
.Sh HISTORY
@@ -101,6 +138,9 @@ policy module first appeared in
and was developed by the
.Tn TrustedBSD
Project.
+.Pp
+The "match first case" and logging capabilities were later added by
+.An Tom Rhodes Aq trhodes@FreeBSD.org .
.Sh AUTHORS
This software was contributed to the
.Fx
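Review bot: The added HISTORY sentence quotes the feature with literal double quotes and calls it "match first case", a third name next to "first match semantic" and `firstmatch_enabled` elsewhere in this change. Use `.Dq` for the quoting and one consistent term, so a reader can tie the credit to the sysctl that controls the behaviour.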