mac-modules.html

FreeBSD操作系统的详细使用手册

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Module Configuration</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD Handbook" href="index.html" />
<link rel="UP" title="Mandatory Access Control" href="mac.html" />
<link rel="PREVIOUS" title="Understanding MAC Labels" href="mac-understandlabel.html" />
<link rel="NEXT" title="The MAC bsdextended Module" href="mac-bsdextended.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD Handbook</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="mac-understandlabel.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 15 Mandatory Access Control</td>
<td width="10%" align="right" valign="bottom"><a href="mac-bsdextended.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="MAC-MODULES" name="MAC-MODULES">15.5 Module
Configuration</a></h1>

<p>Every module included with the <acronym class="ACRONYM">MAC</acronym> framework may be
either compiled into the kernel as noted above or loaded as a run-time kernel module. The
recommended method is to add the module name to the <tt
class="FILENAME">/boot/loader.conf</tt> file so that it will load during the initial boot
operation.</p>

<p>The following sections will discuss the various <acronym class="ACRONYM">MAC</acronym>
modules and cover their features. Implementing them into a specific environment will also
be a consideration of this chapter. Some modules support the use of labeling, which is
controlling access by enforcing a label such as ``this is allowed and this is not''. A
label configuration file may control how files may be accessed, network communication can
be exchanged, and more. The previous section showed how the <var
class="OPTION">multilabel</var> flag could be set on file systems to enable per-file or
per-partition access control.</p>

<p>A single label configuration would enforce only one label across the system, that is
why the <tt class="COMMAND">tunefs</tt> option is called <var
class="OPTION">multilabel</var>.</p>

<div class="SECT2">
<h2 class="SECT2"><a id="MAC-SEEOTHERUIDS" name="MAC-SEEOTHERUIDS">15.5.1 The MAC
seeotheruids Module</a></h2>

<p>Module name: <tt class="FILENAME">mac_seeotheruids.ko</tt></p>

<p>Kernel configuration line: <var class="LITERAL">options MAC_SEEOTHERUIDS</var></p>

<p>Boot option: <var class="LITERAL">mac_seeotheruids_load="YES"</var></p>

<p>The <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=mac_seeotheruids&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_seeotheruids</span>(4)</span></a>
module mimics and extends the <var class="LITERAL">security.bsd.see_other_uids</var> and
<var class="LITERAL">security.bsd.see_other_gids</var> <tt class="COMMAND">sysctl</tt>
tunables. This option does not require any labels to be set before configuration and can
operate transparently with the other modules.</p>

<p>After loading the module, the following <tt class="COMMAND">sysctl</tt> tunables may
be used to control the features:</p>

<ul>
<li>
<p><var class="LITERAL">security.mac.seeotheruids.enabled</var> will enable the module's
features and use the default settings. These default settings will deny users the ability
to view processes and sockets owned by other users.</p>
</li>

<li>
<p><var class="LITERAL">security.mac.seeotheruids.specificgid_enabled</var> will allow a
certain group to be exempt from this policy. To exempt specific groups from this policy,
use the <var class="LITERAL">security.mac.seeotheruids.specificgid=<var
class="REPLACEABLE">XXX</var></var> <tt class="COMMAND">sysctl</tt> tunable. In the above
example, the <var class="REPLACEABLE">XXX</var> should be replaced with the numeric group
ID to be exempted.</p>
</li>

<li>
<p><var class="LITERAL">security.mac.seeotheruids.primarygroup_enabled</var> is used to
exempt specific primary groups from this policy. When using this tunable, the <var
class="LITERAL">security.mac.seeotheruids.specificgid_enabled</var> may not be set.</p>
</li>
</ul>

<p>It should be noted that the <tt class="USERNAME">root</tt> user is not exempt from
this policy. This is one of the large differences between the <acronym
class="ACRONYM">MAC</acronym> version and the standard tunable version included by
default: <var class="LITERAL">security.bsd.seeotheruids</var>.</p>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="mac-understandlabel.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="mac-bsdextended.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Understanding MAC Labels</td>
<td width="34%" align="center" valign="top"><a href="mac.html" accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">The MAC bsdextended Module</td>
</tr>
</table>
</div>

<p align="center"><small>This, and other documents, can be downloaded from <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/</a>.</small></p>

<p align="center"><small>For questions about FreeBSD, read the <a
href="http://www.FreeBSD.org/docs.html">documentation</a> before contacting &#60;<a
href="mailto:questions@FreeBSD.org">questions@FreeBSD.org</a>&#62;.<br />
For questions about this documentation, e-mail &#60;<a
href="mailto:doc@FreeBSD.org">doc@FreeBSD.org</a>&#62;.</small></p>
</body>
</html>