MAC.CONF(5)

NAME
     mac.conf -- format of the MAC library configuration file
DESCRIPTION
     The mac.conf file configures the default label elements to be used by
     policy-agnostic applications that operate on MAC labels.  A file contains
     a series of default label sets specified by object class, in addition to
     blank lines and comments preceded by a `#' symbol.

     Each declaration consists of a single line with two fields separated by
     white space: the object class name, and a list of label elements as used
     by the mac_prepare(3) library calls prior to an application invocation of
     a function from mac_get(3).  Label element names may optionally begin
     with a `?' symbol to indicate that a failure to retrieve the label
     element for an object should be silently ignored; this improves
     usability if the set of MAC policies may change over time.
EXAMPLES
     The following example configures user applications to operate with four
     MAC policies: mac_biba(4), mac_mls(4), SEBSD, and mac_partition(4).

	   #
	   # Default label set to be used by simple MAC applications
	   #

	   default_file_labels ?biba,?mls,?sebsd
	   default_ifnet_labels ?biba,?mls,?sebsd
	   default_process_labels ?biba,?mls,partition,?sebsd

     In this example, userland applications will attempt to retrieve Biba,
     MLS, and SEBSD labels for all object classes; for processes, they will
     additionally attempt to retrieve a Partition identifier.  In all cases
     except the Partition identifier, failure to retrieve a label due to the
     respective policy not being present will be ignored.
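
     The declaration format described above, as an added example that is
     not part of the original manual page or of the libc implementation: a
     C parser for one mac.conf line that records which label elements are
     optional (`?' prefix) and which are required.  The names
     parse_mac_conf_line and struct mac_decl are hypothetical, and treating
     `#' anywhere on a line as the start of a comment is an assumption.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ELEMS 16

/* Hypothetical types and names for this example; not the libc API. */
struct mac_decl {
    char class_name[256];
    char elem[MAX_ELEMS][32];
    int  optional[MAX_ELEMS];   /* 1 if written with a leading '?' */
    int  nelems;
};

/* Returns 1 for a declaration, 0 for a blank or comment line, -1 if malformed. */
int parse_mac_conf_line(const char *line, struct mac_decl *d)
{
    char buf[256], list[256], extra[2], *p, *next;
    int n;

    if (strlen(line) >= sizeof(buf))
        return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "#\n")] = '\0';   /* assumption: '#' starts a comment anywhere */

    n = sscanf(buf, "%255s %255s %1s", d->class_name, list, extra);
    if (n <= 0)
        return 0;                      /* nothing but white space */
    if (n != 2)
        return -1;                     /* exactly two fields are required */

    d->nelems = 0;
    for (p = list; p != NULL; p = next) {
        next = strchr(p, ',');         /* split the element list on commas */
        if (next != NULL)
            *next++ = '\0';
        if (d->nelems == MAX_ELEMS)
            return -1;
        d->optional[d->nelems] = (*p == '?');
        if (*p == '?')
            p++;
        if (*p == '\0' || strlen(p) >= sizeof(d->elem[0]))
            return -1;                 /* empty or oversized element name */
        strcpy(d->elem[d->nelems++], p);
    }
    return 1;
}
```

     An element with optional[i] == 0, such as partition in the example
     above, is one whose retrieval failure is not silently ignored.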
FILES
     /etc/mac.conf  MAC library configuration file.
SEE ALSO
     mac(3), mac_get(3), mac_prepare(3), mac(4), mac(9)
HISTORY
     Support for Mandatory Access Control was introduced in FreeBSD 5.0 as
     part of the TrustedBSD Project.
BUGS
     The TrustedBSD MAC Framework and associated policies, interfaces, and
     applications are considered to be an experimental feature in FreeBSD.
     Sites considering production deployment should keep the experimental
     status of these services in mind during any deployment process.  See also
     mac(9) for related considerations regarding the kernel framework.