author rwatson <rwatson@FreeBSD.org> 2002-12-03 15:16:10 +0000
committer rwatson <rwatson@FreeBSD.org> 2002-12-03 15:16:10 +0000
commit 80d37f5b20040e5a41f839aad50519c5e0133ea6 (patch)
tree 253cc5b6425c56b31be7bb1ead6ab59954d45457 /share
parent bb2d09c9b0716781d1d759be644cedff4eadb096 (diff)
Hook up a sample LOMAC labeling policy. Unlike the old LOMAC module,
the file system initial labeling policy exists in userland, and is fed
into setfsmac(1). This is based on the old LOMAC PLM.

Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'share')
-rw-r--r-- share/security/lomac-policy.contexts 29
1 files changed, 29 insertions, 0 deletions
diff --git a/share/security/lomac-policy.contexts b/share/security/lomac-policy.contexts
new file mode 100644
index 0000000..e01bd28
--- /dev/null
+++ b/share/security/lomac-policy.contexts
@@ -0,0 +1,29 @@
+# $FreeBSD$
+#
+# This is a sample LOMAC policy based upon the PLM defined in the
+# original FreeBSD LOMAC port. It may be configured on a
+# system via setfsmac(8).
+
+.* lomac/high
+/sbin/dhclient lomac/high[low]
+/dev(/.*)? lomac/equal
+# This is not an exhaustive list of all "privileged" devices.
+/dev/mdctl lomac/high
+/dev/pci lomac/high
+/dev/k?mem lomac/high
+/dev/io lomac/high
+/dev/agp.* lomac/high
+(/var)?/tmp(/.*)? lomac/equal
+/tmp/\.X11-unix lomac/high[equal]
+/tmp/\.X11-unix/.* lomac/equal
+/proc(/.*)? lomac/equal
+/mnt.* lomac/low
+(/usr)?/home lomac/high[low]
+(/usr)?/home/.* lomac/low
+/var/mail(/.*)? lomac/low
+/var/spool/mqueue(/.*)? lomac/low
+(/mnt)?/cdrom(/.*)? lomac/high
+(/usr)?/home/(ftp|samba)(/.*)? lomac/high
+/var/log/sendmail\.st lomac/low
+/var/run/utmp lomac/equal
+/var/log/(lastlog|wtmp) lomac/equal
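Review bot: The policy depends on match precedence that the header comment never states: the catch-all `.* lomac/high` comes first, and later entries overlap both it and each other (`/mnt.* lomac/low` is followed further down by `(/mnt)?/cdrom(/.*)? lomac/high`, which also covers /mnt/cdrom). The layout only makes sense if a later matching entry overrides an earlier one, so the header should say that explicitly; anyone inserting a rule in the wrong place could silently relabel a path. Two smaller points: `/mnt.*` does not use the `(/.*)?` form the other directory rules use, so it would also label a sibling such as /mntfoo as low, and `/mnt(/.*)?` would be tighter if that is not intended; and the header cites setfsmac(8) while the commit message cites setfsmac(1), so one of the two man page sections should be corrected.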