mac-mls.html

FreeBSD操作系统的详细使用手册

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>The MAC Multi-Level Security Module</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD Handbook" href="index.html" />
<link rel="UP" title="Mandatory Access Control" href="mac.html" />
<link rel="PREVIOUS" title="The MAC partition Module" href="mac-partition.html" />
<link rel="NEXT" title="The MAC Biba Module" href="mac-biba.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD Handbook</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="mac-partition.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 15 Mandatory Access Control</td>
<td width="10%" align="right" valign="bottom"><a href="mac-biba.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="MAC-MLS" name="MAC-MLS">15.11 The MAC Multi-Level Security
Module</a></h1>

<p>Module name: <tt class="FILENAME">mac_mls.ko</tt></p>

<p>Kernel configuration line: <var class="LITERAL">options MAC_MLS</var></p>

<p>Boot option: <var class="LITERAL">mac_mls_load="YES"</var></p>

<p>The <a href="http://www.FreeBSD.org/cgi/man.cgi?query=mac_mls&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_mls</span>(4)</span></a> policy
controls access between subjects and objects in the system by enforcing a strict
information flow policy.</p>

<p>In <acronym class="ACRONYM">MLS</acronym> environments, a ``clearance'' level is set
in each subject or objects label, along with compartments. Since these clearance or
sensibility levels can reach numbers greater than six thousand; it would be a daunting
task for any system administrator to thoroughly configure each subject or object.
Thankfully, three ``instant'' labels are already included in this policy.</p>

<p>These labels are <var class="LITERAL">mls/low</var>, <var
class="LITERAL">mls/equal</var> and <var class="LITERAL">mls/high</var>. Since these
labels are described in depth in the manual page, they will only get a brief description
here:</p>

<ul>
<li>
<p>The <var class="LITERAL">mls/low</var> label contains a low configuration which
permits it to be dominated by all other objects. Anything labeled with <var
class="LITERAL">mls/low</var> will have a low clearance level and not be permitted to
access information of a higher level. In addition, this label will prevent objects of a
higher clearance level from writing or passing information on to them.</p>
</li>

<li>
<p>The <var class="LITERAL">mls/equal</var> label should be placed on objects considered
to be exempt from the policy.</p>
</li>

<li>
<p>The <var class="LITERAL">mls/high</var> label is the highest level of clearance
possible. Objects assigned this label will hold dominance over all other objects in the
system; however, they will not permit the leaking of information to objects of a lower
class.</p>
</li>
</ul>

<p><acronym class="ACRONYM">MLS</acronym> provides for:</p>

<ul>
<li>
<p>A hierarchical security level with a set of non hierarchical categories;</p>
</li>

<li>
<p>Fixed rules: no read up, no write down (a subject can have read access to objects on
its own level or below, but not above. Similarly, a subject can have write access to
objects on its own level or above but not beneath.);</p>
</li>

<li>
<p>Secrecy (preventing inappropriate disclosure of data);</p>
</li>

<li>
<p>Basis for the design of systems that concurrently handle data at multiple sensitivity
levels (without leaking information between secret and confidential).</p>
</li>
</ul>

<p>The following <tt class="COMMAND">sysctl</tt> tunables are available for the
configuration of special services and interfaces:</p>

<ul>
<li>
<p><var class="LITERAL">security.mac.mls.enabled</var> is used to enable/disable the
<acronym class="ACRONYM">MLS</acronym> policy.</p>
</li>

<li>
<p><var class="LITERAL">security.mac.mls.ptys_equal</var> will label all <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=pty&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">pty</span>(4)</span></a> devices as <var
class="LITERAL">mls/equal</var> during creation.</p>
</li>

<li>
<p><var class="LITERAL">security.mac.mls.revocation_enabled</var> is used to revoke
access to objects after their label changes to a label of a lower grade.</p>
</li>

<li>
<p><var class="LITERAL">security.mac.mls.max_compartments</var> is used to set the
maximum number of compartment levels with objects; basically the maximum compartment
number allowed on a system.</p>
</li>
</ul>

<p>To manipulate the <acronym class="ACRONYM">MLS</acronym> labels, the <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=setfmac&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">setfmac</span>(8)</span></a> command has
been provided. To assign a label to an object, issue the following command:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">setfmac mls/5 test</kbd>
</pre>

<p>To get the <acronym class="ACRONYM">MLS</acronym> label for the file <tt
class="FILENAME">test</tt> issue the following command:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">getfmac test</kbd>
</pre>

<p>This is a summary of the <acronym class="ACRONYM">MLS</acronym> policy's features.
Another approach is to create a master policy file in <tt class="FILENAME">/etc</tt>
which specifies the <acronym class="ACRONYM">MLS</acronym> policy information and to feed
that file into the <tt class="COMMAND">setfmac</tt> command. This method will be
explained after all policies are covered.</p>

<p>Observations: an object with lower clearance is unable to observe higher clearance
processes. A basic policy would be to enforce <var class="LITERAL">mls/high</var> on
everything not to be read, even if it needs to be written. Enforce <var
class="LITERAL">mls/low</var> on everything not to be written, even if it needs to be
read. And finally enforce <var class="LITERAL">mls/equal</var> on the rest. All users
marked <var class="LITERAL">insecure</var> should be set at <var
class="LITERAL">mls/low</var>.</p>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="mac-partition.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="mac-biba.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">The MAC partition Module</td>
<td width="34%" align="center" valign="top"><a href="mac.html" accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">The MAC Biba Module</td>
</tr>
</table>
</div>

<p align="center"><small>This, and other documents, can be downloaded from <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/</a>.</small></p>

<p align="center"><small>For questions about FreeBSD, read the <a
href="http://www.FreeBSD.org/docs.html">documentation</a> before contacting &#60;<a
href="mailto:questions@FreeBSD.org">questions@FreeBSD.org</a>&#62;.<br />
For questions about this documentation, e-mail &#60;<a
href="mailto:doc@FreeBSD.org">doc@FreeBSD.org</a>&#62;.</small></p>
</body>
</html>