author: Tom Rhodes <trhodes@FreeBSD.org> 2013-11-17 05:21:11 +0000
committer: Tom Rhodes <trhodes@FreeBSD.org> 2013-11-17 05:21:11 +0000
commit: 5b57f090b46fc4f7eccbf00101b26f0cd391f2a6
tree: 87f925c9aaebf68f43871e490b14fb93d7f89869 /en_US.ISO8859-1/books/handbook/mac
parent: 9a0e52f638780f5aa2c7245b72716f4538fa6d6d
Collapse the various policy discussions into a
single section.
Discussed with: dru
Notes: svn path=/head/; revision=43200
Diffstat (limited to 'en_US.ISO8859-1/books/handbook/mac')
-rw-r--r-- en_US.ISO8859-1/books/handbook/mac/chapter.xml 62
1 files changed, 35 insertions, 27 deletions
diff --git a/en_US.ISO8859-1/books/handbook/mac/chapter.xml b/en_US.ISO8859-1/books/handbook/mac/chapter.xml
index 52289f3590..2b1446038c 100644
--- a/en_US.ISO8859-1/books/handbook/mac/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/mac/chapter.xml
@@ -763,7 +763,14 @@ test: biba/high</screen>
option is called <option>multilabel</option>.</para>
</sect1>
- <sect1 xml:id="mac-seeotheruids">
+ <sect1 xml:id="mac-policies">
+ <title>Available MAC Policies</title>
+
+ <para>&os; includes a group of policies that will cover
+ most security requirements. Each policy is discussed
+ below.</para>
+
+ <sect2 xml:id="mac-seeotheruids">
<title>The MAC See Other UIDs Policy</title>
<indexterm>
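Review bot: The added introductory para under mac-policies says the bundled policies "will cover most security requirements", which is a coverage claim the chapter cannot back and gives the reader no basis for choosing between the policies. Suggest limiting the para to what follows, for example that &os; includes several policy modules and each one is summarized below, and dropping the coverage wording.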
@@ -816,9 +823,9 @@ test: biba/high</screen>
may not be set.</para>
</listitem>
</itemizedlist>
- </sect1>
+ </sect2>
- <sect1 xml:id="mac-bsdextended">
+ <sect2 xml:id="mac-bsdextended">
<title>The MAC BSD Extended Policy</title>
<indexterm>
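Review bot: Demoting mac-bsdextended here (and mac-seeotheruids just above) from sect1 to sect2 keeps the xml:id values, so existing xrefs still resolve, but any output that is split into one page per sect1 will stop producing a page per policy. Please check the rendered build and any inbound links to the old per-policy pages before this lands.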
@@ -855,7 +862,7 @@ test: biba/high</screen>
module as incorrect use could block access to certain parts of
the file system.</para>
- <sect2>
+ <sect3>
<title>Examples</title>
<para>After the &man.mac.bsdextended.4; module has been loaded,
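Review bot: The Examples section changed from sect2 to sect3 in this hunk still has no xml:id, and the same holds for the Examples sections under the port ACL, partition and LOMAC policies further down, so four identically titled siblings now sit inside one sect1 with only generated anchors. Since the tag line is being touched anyway, consider adding an explicit id on each, along the lines of xml:id="mac-bsdextended-examples" (suggested name), so they can be linked to reliably.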
@@ -895,10 +902,10 @@ test: biba/high</screen>
<para>For more information, refer to &man.mac.bsdextended.4; and
&man.ugidfw.8;</para>
- </sect2>
- </sect1>
+ </sect3>
+ </sect2>
- <sect1 xml:id="mac-ifoff">
+ <sect2 xml:id="mac-ifoff">
<title>The MAC Interface Silencing Policy</title>
<indexterm>
@@ -947,9 +954,9 @@ test: biba/high</screen>
<package>security/aide</package> to
automatically block network traffic if it finds new or altered
files in protected directories.</para>
- </sect1>
+ </sect2>
- <sect1 xml:id="mac-portacl">
+ <sect2 xml:id="mac-portacl">
<title>The MAC Port Access Control List Policy</title>
<indexterm>
@@ -1035,7 +1042,7 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
<para>See the examples below or refer to &man.mac.portacl.4; for
further information.</para>
- <sect2>
+ <sect3>
<title>Examples</title>
<para>Since the <systemitem class="username">root</systemitem> user should not be
@@ -1060,10 +1067,10 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
<screen>&prompt.root; <userinput>sysctl security.mac.portacl.rules=uid:1001:tcp:110,uid:1001:tcp:995</userinput></screen>
- </sect2>
- </sect1>
+ </sect3>
+ </sect2>
- <sect1 xml:id="mac-partition">
+ <sect2 xml:id="mac-partition">
<title>The MAC Partition Policy</title>
<indexterm>
@@ -1113,7 +1120,7 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
spawned by users in the <literal>insecure</literal> class will
stay in the <literal>partition/13</literal> label.</para>
- <sect2>
+ <sect3>
<title>Examples</title>
<para>The following command will display the partition label
@@ -1143,10 +1150,10 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
options, including their limitations, are further explained
in the module manual pages.</para>
</note>
- </sect2>
- </sect1>
+ </sect3>
+ </sect2>
- <sect1 xml:id="mac-mls">
+ <sect2 xml:id="mac-mls">
<title>The MAC Multi-Level Security Module</title>
<indexterm>
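Review bot: Title consistency on the context line after the new sect2 tag: this section is titled "The MAC Multi-Level Security Module", and the Biba and LOMAC sections below also say "Module", while the earlier siblings say "Policy". Now that all of them are nested under "Available MAC Policies", the mix reads as if Module and Policy were different kinds of thing; suggest settling on one term in the titles, here or in a follow-up.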
@@ -1277,7 +1284,7 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
to <command>setfmac</command>. This method will be explained
after all policies are covered.</para>
- <sect2>
+ <sect3>
<title>Planning Mandatory Sensitivity</title>
<para>When using the MLS policy module, an administrator plans
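Review bot: The context sentence "This method will be explained after all policies are covered" is a positional reference, and this restructuring makes it easier to break because the policies now live inside a single sect1. Suggest replacing it in a follow-up with an xref to the section that actually explains the method, so the pointer survives further reorganisation.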
@@ -1302,10 +1309,10 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
include an e-commerce web server, a file server holding
critical company information, and financial institution
environments.</para>
- </sect2>
- </sect1>
+ </sect3>
+ </sect2>
- <sect1 xml:id="mac-biba">
+ <sect2 xml:id="mac-biba">
<title>The MAC Biba Module</title>
<indexterm>
@@ -1419,7 +1426,7 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
&prompt.root; <userinput>getfmac test</userinput>
test: biba/low</screen>
- <sect2>
+ <sect3>
<title>Planning Mandatory Integrity</title>
<para>Integrity, which is different from sensitivity, guarantees
@@ -1457,10 +1464,10 @@ test: biba/low</screen>
development and test machine, and a source code repository. A
less useful implementation would be a personal workstation, a
machine used as a router, or a network firewall.</para>
- </sect2>
- </sect1>
+ </sect3>
+ </sect2>
- <sect1 xml:id="mac-lomac">
+ <sect2 xml:id="mac-lomac">
<title>The MAC LOMAC Module</title>
<indexterm>
@@ -1495,7 +1502,7 @@ test: biba/low</screen>
policy may provide for greater compatibility and require less
initial configuration than Biba.</para>
- <sect2>
+ <sect3>
<title>Examples</title>
<para>Like the Biba and <acronym>MLS</acronym> policies,
@@ -1508,7 +1515,8 @@ test: biba/low</screen>
<para>The auxiliary grade <literal>low</literal> is a feature
provided only by the <acronym>MAC</acronym> LOMAC
policy.</para>
- </sect2>
+ </sect3>
+ </sect2>
</sect1>
<sect1 xml:id="mac-implementing">
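Review bot: Nesting check on the final hunk: the added </sect2> closes mac-lomac, and the unchanged </sect1> context line now closes the mac-policies section opened in the first hunk rather than mac-lomac. The open and close are roughly 750 lines apart and the change is spread over fifteen hunks, so please confirm the chapter still validates with the project's build before commit. Separately, every context line inside the demoted sections keeps its old indentation although it now sits one level deeper; a whitespace-only follow-up commit would bring the indentation back in line with the nesting.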