diff options
| author | chris <chris@FreeBSD.org> | 2003-02-17 20:11:09 +0000 |
|---|---|---|
| committer | chris <chris@FreeBSD.org> | 2003-02-17 20:11:09 +0000 |
| commit | dc964efac4183176c7acdacdf11a046259cb7feb (patch) | |
| tree | 482f72af9a97f8b832165adf3e8543f16f589a13 /share | |
| parent | efec3265b64aee35aea46939dbe376da2016375f (diff) | |
| download | FreeBSD-src-dc964efac4183176c7acdacdf11a046259cb7feb.zip FreeBSD-src-dc964efac4183176c7acdacdf11a046259cb7feb.tar.gz | |
o Add a note explaining the meaning of mls/equal beyond "equal to all
labels"
o Remove the ++ compartment range notation example as this has not yet
been merged into CVS.
o Include a "Runtime Configuration" section listing all of the relevant
sysctl knobs for this policy.
Sponsored by: DARPA, Network Associates Laboratories
Obtained from: TrustedBSD Project
Diffstat (limited to 'share')
| -rw-r--r-- | share/man/man4/mac_mls.4 | 32 |
1 files changed, 30 insertions, 2 deletions
diff --git a/share/man/man4/mac_mls.4 b/share/man/man4/mac_mls.4 index f7a13ea..0292c54 100644 --- a/share/man/man4/mac_mls.4 +++ b/share/man/man4/mac_mls.4 @@ -92,6 +92,11 @@ Three special label values exist: .It Li mls/high Ta dominates all other labels .El .Pp +The +.Dq mls/equal +label may be applied to subjects and objects for which no enforcement of the +MLS security policy is desired. +.Pp The MLS model enforces the following basic restrictions: .Bl -bullet .It @@ -132,7 +137,7 @@ In general, object labels are represented in the following form: For example: .Pp .Bd -literal -offset indent -mls/10:2+3+6++10 +mls/10:2+3+6 mls/low .Ed .Pp @@ -149,7 +154,7 @@ In general, subject labels are represented in the following form: .Pp For example: .Bd -literal -offset indent -mls/10:2+3+6(5-20:2+3+4+5+6) +mls/10:2+3+6(5:2+3-20:2+3+4+5+6) mls/high(low-high) .Ed .Pp @@ -163,6 +168,29 @@ In the case of the network interface, the single label element references the default label for packets received over the interface, and the range represents the range of acceptable labels of packets to be transmitted over the interface. +.Ss Runtime Configuration +The following +.Xr sysctl 8 +MIBs are available for fine-tuning the enforcement of this MAC policy. +.Bl -tag -width security.mac.mls.enabled +.It Va security.mac.mls.enabled +Enables the enforcement of the MLS confidentiality policy +(Default: 1) +.It Va security.mac.mls.ptys_equal +Label +.Sm off +.Xr pty 4 +s +.Sm on +as +.Dq mls/equal +upon creation +(Default: 0) +.It Va security.mac.mls.revocation_enabled +Revoke access to objects if the label is changed to a more sensitive +level than the subject +(Default: 0) +.El .Sh IMPLEMENTATION NOTES Currently, the .Nm |
