mac-lomac.html

FreeBSD操作系统的详细使用手册

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>The MAC LOMAC Module</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD 使用手册" href="index.html" />
<link rel="UP" title="Mandatory Access Control" href="mac.html" />
<link rel="PREVIOUS" title="The MAC Biba Module" href="mac-biba.html" />
<link rel="NEXT" title="Implementing a Secure Environment with MAC"
href="mac-implementing.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=GB2312" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD 使用手册</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="mac-biba.html"
accesskey="P">后退</a></td>
<td width="80%" align="center" valign="bottom">章 15. Mandatory Access Control</td>
<td width="10%" align="right" valign="bottom"><a href="mac-implementing.html"
accesskey="N">前进</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="MAC-LOMAC" name="MAC-LOMAC">15.13. The MAC LOMAC Module</a></h1>

<p>Module name: <tt class="FILENAME">mac_lomac.ko</tt></p>

<p>Kernel configuration line: <var class="LITERAL">options MAC_LOMAC</var></p>

<p>Boot option: <var class="LITERAL">mac_lomac_load="YES"</var></p>

<p>Unlike the <acronym class="ACRONYM">MAC</acronym> Biba policy, the <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_lomac</span>(4)</span> policy
permits access to lower integrity objects only after decreasing the integrity level to
not disrupt any integrity rules.</p>

<p>The <acronym class="ACRONYM">MAC</acronym> version of the Low-watermark integrity
policy, not to be confused with the older <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">lomac</span>(4)</span> implementation, works almost identically to
Biba but with the exception of using floating labels to support subject demotion via an
auxiliary grade compartment. This secondary compartment takes the form of <var
class="LITERAL">[auxgrade]</var>. When assigning a lomac policy with an auxiliary grade,
it should look a little bit like: <var class="LITERAL">lomac/10[2]</var> where the number
two (2) is the auxiliary grade.</p>

<p>The <acronym class="ACRONYM">MAC</acronym> LOMAC policy relies on the ubiquitous
labeling of all system objects with integrity labels, permitting subjects to read from
low integrity objects and then downgrading the label on the subject to prevent future
writes to high integrity objects. This is the <var class="LITERAL">[auxgrade]</var>
option discussed above, thus the policy may provide for greater compatibility and require
less initial configuration than Biba.</p>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN22476" name="AEN22476">15.13.1. Examples</a></h2>

<p>Like the Biba and <acronym class="ACRONYM">MLS</acronym> policies; the <tt
class="COMMAND">setfmac</tt> and <tt class="COMMAND">setpmac</tt> utilities may be used
to place labels on system objects:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">setfmac /usr/home/trhodes lomac/high[low]</kbd>
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">getfmac /usr/home/trhodes</kbd> lomac/high[low]
</pre>

<p>Notice the auxiliary grade here is <var class="LITERAL">low</var>, this is a feature
provided only by the <acronym class="ACRONYM">MAC</acronym> LOMAC policy.</p>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="mac-biba.html"
accesskey="P">后退</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">起点</a></td>
<td width="33%" align="right" valign="top"><a href="mac-implementing.html"
accesskey="N">前进</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">The MAC Biba Module</td>
<td width="34%" align="center" valign="top"><a href="mac.html"
accesskey="U">上一级</a></td>
<td width="33%" align="right" valign="top">Implementing a Secure Environment with
MAC</td>
</tr>
</table>
</div>
</body>
</html>