mac-understandlabel.html

FreeBSD操作系统的详细使用手册

class="LITERAL">biba/equal</var> on the <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=bge&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">bge</span>(4)</span></a> interface. When
using a setting similar to <var class="LITERAL">biba/high(low-high)</var> the entire
label should be quoted; otherwise an error will be returned.</p>

<p>Each policy which supports labeling has some tunable which may be used to disable the
<acronym class="ACRONYM">MAC</acronym> label on network interfaces. Setting the label to
<var class="OPTION">equal</var> will have a similar effect. Review the output from <tt
class="COMMAND">sysctl</tt>, the policy manual pages, or even the information found later
in this chapter for those tunables.</p>
</div>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN22168" name="AEN22168">15.4.2 Singlelabel or
Multilabel?</a></h2>

<p>By default the system will use the <var class="OPTION">singlelabel</var> option. But
what does this mean to the administrator? There are several differences which, in their
own right, offer pros and cons to the flexibility in the systems security model.</p>

<p>The <var class="OPTION">singlelabel</var> only permits for one label, for instance
<var class="LITERAL">biba/high</var> to be used for each subject or object. It provides
for lower administration overhead but decreases the flexibility of policies which support
labeling. Many administrators may want to use the <var class="OPTION">multilabel</var>
option in their security policy.</p>

<p>The <var class="OPTION">multilabel</var> option will permit each subject or object to
have its own independent <acronym class="ACRONYM">MAC</acronym> label in place of the
standard <var class="OPTION">singlelabel</var> option which will allow only one label
throughout the partition. The <var class="OPTION">multilabel</var> and <var
class="OPTION">single</var> label options are only required for the policies which
implement the labeling feature, including the Biba, Lomac, <acronym
class="ACRONYM">MLS</acronym> and <acronym class="ACRONYM">SEBSD</acronym> policies.</p>

<p>In many cases, the <var class="OPTION">multilabel</var> may not need to be set at all.
Consider the following situation and security model:</p>

<ul>
<li>
<p>FreeBSD web-server using the <acronym class="ACRONYM">MAC</acronym> framework and a
mix of the various policies.</p>
</li>

<li>
<p>This machine only requires one label, <var class="LITERAL">biba/high</var>, for
everything in the system. Here the file system would not require the <var
class="OPTION">multilabel</var> option as a single label will always be in effect.</p>
</li>

<li>
<p>But, this machine will be a web server and should have the web server run at <var
class="LITERAL">biba/low</var> to prevent write up capabilities. The Biba policy and how
it works will be discussed later, so if the previous comment was difficult to interpret
just continue reading and return. The server could use a separate partition set at <var
class="LITERAL">biba/low</var> for most if not all of its runtime state. Much is lacking
from this example, for instance the restrictions on data, configuration and user
settings; however, this is just a quick example to prove the aforementioned point.</p>
</li>
</ul>

<p>If any of the non-labeling policies are to be used, then the <var
class="OPTION">multilabel</var> option would never be required. These include the <var
class="LITERAL">seeotheruids</var>, <var class="LITERAL">portacl</var> and <var
class="LITERAL">partition</var> policies.</p>

<p>It should also be noted that using <var class="OPTION">multilabel</var> with a
partition and establishing a security model based on <var class="OPTION">multilabel</var>
functionality could open the doors for higher administrative overhead as everything in
the file system would have a label. This includes directories, files, and even device
nodes.</p>

<p>The following command will set <var class="OPTION">multilabel</var> on the file
systems to have multiple labels. This may only be done in single user mode:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">tunefs -l enable /</kbd>
</pre>

<p>This is not a requirement for the swap file system.</p>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> Some users have experienced problems with setting the <var
class="OPTION">multilabel</var> flag on the root partition. If this is the case, please
review the <a href="mac-troubleshoot.html">Section 15.16</a> of this chapter.</p>
</blockquote>
</div>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN22216" name="AEN22216">15.4.3 Controlling MAC with
Tunables</a></h2>

<p>Without any modules loaded, there are still some parts of <acronym
class="ACRONYM">MAC</acronym> which may be configured using the <tt
class="COMMAND">sysctl</tt> interface. These tunables are described below and in all
cases the number one (1) means enabled while the number zero (0) means disabled:</p>

<ul>
<li>
<p><var class="LITERAL">security.mac.enforce_fs</var> defaults to one (1) and enforces
<acronym class="ACRONYM">MAC</acronym> file system policies on the file systems.</p>
</li>

<li>
<p><var class="LITERAL">security.mac.enforce_kld</var> defaults to one (1) and enforces
<acronym class="ACRONYM">MAC</acronym> kernel linking policies on the dynamic kernel
linker (see <a href="http://www.FreeBSD.org/cgi/man.cgi?query=kld&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">kld</span>(4)</span></a>).</p>
</li>

<li>
<p><var class="LITERAL">security.mac.enforce_network</var> defaults to one (1) and
enforces <acronym class="ACRONYM">MAC</acronym> network policies.</p>
</li>

<li>
<p><var class="LITERAL">security.mac.enforce_pipe</var> defaults to one (1) and enforces
<acronym class="ACRONYM">MAC</acronym> policies on pipes.</p>
</li>

<li>
<p><var class="LITERAL">security.mac.enforce_process</var> defaults to one (1) and
enforces <acronym class="ACRONYM">MAC</acronym> policies on processes which utilize
inter-process communication.</p>
</li>

<li>
<p><var class="LITERAL">security.mac.enforce_socket</var> defaults to one (1) and
enforces <acronym class="ACRONYM">MAC</acronym> policies on sockets (see the <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=socket&sektion=2"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">socket</span>(2)</span></a> manual
page).</p>
</li>

<li>
<p><var class="LITERAL">security.mac.enforce_system</var> defaults to one (1) and
enforces <acronym class="ACRONYM">MAC</acronym> policies on system activities such as
accounting and rebooting.</p>
</li>

<li>
<p><var class="LITERAL">security.mac.enforce_vm</var> defaults to one (1) and enforces
<acronym class="ACRONYM">MAC</acronym> policies on the virtual memory system.</p>
</li>
</ul>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> Every policy or <acronym class="ACRONYM">MAC</acronym> option supports
tunables. These usually hang off of the <var
class="LITERAL">security.mac.&lt;policyname&gt;</var> tree. To view all of the tunables
from <acronym class="ACRONYM">MAC</acronym> use the following command:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">sysctl -da | grep mac</kbd>
</pre>
</blockquote>
</div>

<p>This should be interpreted as all of the basic <acronym class="ACRONYM">MAC</acronym>
policies are enforced by default. If the modules were built into the kernel the system
would be extremely locked down and most likely unable to communicate with the local
network or connect to the Internet, etc. This is why building the modules into the kernel
is not completely recommended. Not because it limits the ability to disable features on
the fly with <tt class="COMMAND">sysctl</tt>, but it permits the administrator to
instantly switch the policies of a system without the requirement of rebuilding and
reinstalling a new system.</p>
</div>
</div>

<h3 class="FOOTNOTES">Notes</h3>

<table border="0" class="FOOTNOTES" width="100%">
<tr>
<td align="LEFT" valign="TOP" width="5%"><a id="FTN.AEN22114" name="FTN.AEN22114"
href="mac-understandlabel.html#AEN22114"><span class="footnote">[1]</span></a></td>
<td align="LEFT" valign="TOP" width="95%">
<p>Other conditions may produce different failures. For instance, the file may not be
owned by the user attempting to relabel the object, the object may not exist or may be
read only. A mandatory policy will not allow the process to relabel the file, maybe
because of a property of the file, a property of the process, or a property of the
proposed new label value. For example: a user running at low integrity tries to change
the label of a high integrity file. Or perhaps a user running at low integrity tries to
change the label of a low integrity file to a high integrity label.</p>
</td>
</tr>
</table>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="mac-initial.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="mac-modules.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Explanation of MAC</td>
<td width="34%" align="center" valign="top"><a href="mac.html" accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">Module Configuration</td>
</tr>
</table>
</div>

<p align="center"><small>This, and other documents, can be downloaded from <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/</a>.</small></p>

<p align="center"><small>For questions about FreeBSD, read the <a
href="http://www.FreeBSD.org/docs.html">documentation</a> before contacting &#60;<a
href="mailto:questions@FreeBSD.org">questions@FreeBSD.org</a>&#62;.<br />
For questions about this documentation, e-mail &#60;<a
href="mailto:doc@FreeBSD.org">doc@FreeBSD.org</a>&#62;.</small></p>
</body>
</html>