-rw-r--r--en_US.ISO8859-1/books/handbook/mac/chapter.xml362
1 files changed, 158 insertions, 204 deletions
diff --git a/en_US.ISO8859-1/books/handbook/mac/chapter.xml b/en_US.ISO8859-1/books/handbook/mac/chapter.xml
index a67e5f99f9..5f1cc751f9 100644
--- a/en_US.ISO8859-1/books/handbook/mac/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/mac/chapter.xml
@@ -244,58 +244,86 @@
<para>A <acronym>MAC</acronym> label is a security attribute
which may be applied to subjects and objects throughout
- the system.</para>
-
- <para>When setting a label, the administrator must be able to
- comprehend what exactly is being done and understand any
+ the system. When setting a label, the administrator must
+ understand its
implications in order to prevent unexpected or undesired
behavior of the system. The attributes available on an object
- depend on the loaded policy module as policy modules interpret
+ depend on the loaded policy module, as policy modules interpret
their attributes in different ways.</para>
<para>The security label on an object is used as a part of a
security access control decision by a policy. With some
policies, the label contains all of the information necessary
to make a decision. In other policies, the labels may be
- processed as part of a larger rule set. For instance, setting
- the label of <literal>biba/low</literal> on a file will
- represent a label maintained by the Biba security policy module,
- with a value of <quote>low</quote>.</para>
-
- <para>A few policy modules which support the labeling feature
- in &os; offer three specific predefined labels: low, high, and
- equal. Such policy modules enforce access control in a
- different manner with each policy module, where the low label is
- the lowest setting, the equal label sets the subject or object
- to be disabled or unaffected, and the high label enforces the
- highest setting available in the Biba and <acronym>MLS</acronym>
- policy modules.</para>
-
- <para>Within single label file system environments, only one
- label may be used on objects. This label enforces one set of
- access permissions across the entire system and in many
- environments may be all that is required. There are a few
- cases where multiple labels may be set on objects or subjects
- in the file system by passing <option>multilabel</option> to
- &man.tunefs.8;.</para>
-
- <para>In the case of Biba and <acronym>MLS</acronym>, a numeric
- label may be set to indicate the precise level of hierarchical
- control. This numeric level is used to partition or sort
- information into different groups of classification only
- permitting access to that group or a higher group level.</para>
-
- <para>In most cases, the administrator will set up a single label
- to use throughout the file system. This is similar to
- <acronym>DAC</acronym> to some extent as
- <systemitem class="username">root</systemitem> is the one in control and who
+ processed as part of a larger rule set.</para>
+
+ <para>There are two types of label policies: single label and multi label.
+ By default, the system will use
+ single label. The administrator should be aware of the
+ pros and cons of each in order to implement policies which meet the
+ requirements of the system's security model.</para>
+
+ <para>A single label security policy
+ only permits one label
+ to be used for every subject or object. Since a single label policy enforces one set of
+ access permissions across the entire system, it provides lower
+ administration overhead, but decreases the flexibility of
+ policies which support labeling. However, in many
+ environments, a single label policy may be all that is required.</para>
+
+ <para>A single label policy is somewhat similar to
+ <acronym>DAC</acronym> as
+ <systemitem class="username">root</systemitem>
configures the policies so that users are placed in the
- appropriate categories/access levels. Alas, many policy modules
- can restrict the <systemitem class="username">root</systemitem> user as well. Basic
+ appropriate categories and access levels. A notable difference is that many policy modules
+ can also restrict <systemitem class="username">root</systemitem>. Basic
control over objects will then be released to the group, but
<systemitem class="username">root</systemitem> may revoke or modify the settings
- at any time. This is the hierarchical/clearance model covered
- by policies such as Biba and <acronym>MLS</acronym>.</para>
+ at any time.</para>
+
+ <para>When appropriate, a multi label policy can
+ be set on
+ a <acronym>UFS</acronym> file system by passing <option>multilabel</option> to
+ &man.tunefs.8;. A multi label policy permits each subject or object
+ to have its own independent <acronym>MAC</acronym> label.
+ The decision to use a multi label or
+ single label policy is only required for policies
+ which implement the labeling feature, such as <literal>biba</literal>,
+ <literal>lomac</literal>, and <literal>mls</literal>. Some policies,
+ such as <literal>seeotheruids</literal>,
+ <literal>portacl</literal> and <literal>partition</literal>,
+ do not use labels at all.</para>
+
+ <para>Using a multi label policy on a partition and
+ establishing a multi label security model can increase
+ administrative overhead as everything in that file system has a
+ label. This includes directories, files, and even device
+ nodes.</para>
+
+ <para>The following command will set <option>multilabel</option>
+ on the specified <acronym>UFS</acronym> file system. This may only be
+ done in single-user mode and is not a requirement for the swap
+ file system:</para>
+
+ <screen>&prompt.root; <userinput>tunefs -l enable /</userinput></screen>
+
+ <note>
+ <para>Some users have experienced problems with setting the
+ <option>multilabel</option> flag on the root partition.
+ If this is the case, please review
+ <xref linkend="mac-troubleshoot"/>.</para>
+ </note>
+
+ <para>Since the multi label policy is set on a per-file system basis, a multi label policy may not be
+ needed if the file system layout is well designed. Consider an example security
+ <acronym>MAC</acronym> model for a &os; web server. This machine
+ uses the single label,
+ <literal>biba/high</literal>, for everything in the default file
+ systems. If the web server needs to
+ run at <literal>biba/low</literal>
+ to prevent write up capabilities, it could
+ be installed to a separate <acronym>UFS</acronym> <filename>/usr/local</filename> file system set at
+ <literal>biba/low</literal>.</para>
<sect2>
<title>Label Configuration</title>
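Review bot: the wording "by passing <option>multilabel</option> to &man.tunefs.8;" (used both in the multi label sect2 body and in the sentence introducing the <screen>) does not match the command shown, `tunefs -l enable /`; `multilabel` is the name of the file system flag that results, not an option passed to tunefs, so say "by enabling the multilabel flag with <command>tunefs -l enable</command>" in both places. In the same hunk, "There are two types of label policies: single label and multi label" reuses "policy" in a different sense from the "policies which implement the labeling feature, such as biba, lomac, and mls" a few sentences later; since the text itself states the flag "is set on a per-file system basis", describe single label and multilabel as a per-file-system mode rather than a policy. Minor: pick one spelling for the adjective ("single-label", "multilabel") and use it consistently with <option>multilabel</option> and "single-user mode".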
@@ -306,31 +334,35 @@
configuration or the manipulation and verification of
the configuration.</para>
- <para>All configuration may be done using &man.setfmac.8; and
- &man.setpmac.8;. <command>setfmac</command> is used to set
- <acronym>MAC</acronym> labels on system objects while
- <command>setpmac</command> is used to set the labels on system
- subjects. Observe:</para>
+ <para>All configuration may be done using
+ <command>setfmac</command>, which is used to set
+ <acronym>MAC</acronym> labels on system objects, and
+ <command>setpmac</command>, which is used to set the labels on system
+ subjects. For example, to set the <literal>biba</literal> <acronym>MAC</acronym>
+ label to <literal>high</literal> on <filename>test</filename>:</para>
<screen>&prompt.root; <userinput>setfmac biba/high test</userinput></screen>
<para>If the configuration is successful, the prompt will be
returned without error. A common error is
<errorname>Permission denied</errorname> which usually occurs
- when the label is being set or modified on an object which is
- restricted.<footnote><para>Other conditions may produce different
+ when the label is being set or modified on a restricted object.
+ Other conditions may produce different
failures. For instance, the file may not be owned by the
user attempting to relabel the object, the object may not
- exist, or the object may be read only. A mandatory policy
+ exist, or the object may be read-only. A mandatory policy
will not allow the process to relabel the file, maybe
because of a property of the file, a property of the
process, or a property of the proposed new label value. For
- example, a user running at low integrity tries to change the
- label of a high integrity file. Or perhaps a user running
+ example, if a user running at low integrity tries to change the
+ label of a high integrity file, or a user running
at low integrity tries to change the label of a low
- integrity file to a high integrity label.</para></footnote> The
- system administrator may use the following commands to
- overcome this:</para>
+ integrity file to a high integrity label, these operations will fail.</para>
+
+ <para>The
+ system administrator may use <command>setpmac</command> to override the
+ policy module's settings by assigning a different label to the
+ invoked process:</para>
<screen>&prompt.root; <userinput>setfmac biba/high test</userinput>
<errorname>Permission denied</errorname>
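Review bot: replacing "&man.setfmac.8; and &man.setpmac.8;" with plain <command> at the first mention drops the only man page cross-references for both commands in this sect2; keep the entity form on first use and switch to <command> for later mentions. Hoisting the footnote into the body also leaves "A mandatory policy will not allow the process to relabel the file, maybe because of a property of the file, a property of the process, or a property of the proposed new label value" as a loose sentence in the middle of the error list; tighten to "A mandatory policy may also refuse the relabel because of a property of the file, of the process, or of the proposed label." Finally, the <screen> is introduced with "may use setpmac to override the policy module's settings" but opens with the failing `setfmac biba/high test` / `Permission denied`; say that the example first shows the denied attempt and then the override, so the reader expects the error line.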
@@ -338,80 +370,85 @@
&prompt.root; <userinput>getfmac test</userinput>
test: biba/high</screen>
- <para><command>setpmac</command> can be used to override the
- policy module's settings by assigning a different label to the
- invoked process. <command>getpmac</command> is usually used
- with currently running processes, such as
- <application>sendmail</application>. It takes a process ID in
- place of a command. If users attempt to manipulate a file not
+ <para>For currently running processes, such as
+ <application>sendmail</application>,
+ <command>getpmac</command> is usually used instead.
+ This command takes a process ID (<acronym>PID</acronym>) in
+ place of a command name. If users attempt to manipulate a file not
in their access, subject to the rules of the loaded policy
modules, the <errorname>Operation not permitted</errorname>
- error will be displayed by the
- <function>mac_set_link</function> function.</para>
+ error will be displayed.</para>
+ </sect2>
- <sect3>
- <title>Common Label Types</title>
+ <sect2>
+ <title>Predefined Labels</title>
- <para>For the &man.mac.biba.4;, &man.mac.mls.4; and
- &man.mac.lomac.4; policy modules, the ability to assign
- simple labels is provided. These take the form of high,
- equal, and low, where:</para>
+ <para>A few &os; policy modules which support the labeling feature
+ offer three predefined labels: <literal>low</literal>, <literal>equal</literal>, and <literal>high</literal>,
+ where:</para>
<itemizedlist>
<listitem>
- <para>The <literal>low</literal> label is considered the
+ <para><literal>low</literal> is considered the
lowest label setting an object or subject may have.
Setting this on objects or subjects blocks their access
to objects or subjects marked high.</para>
</listitem>
<listitem>
- <para>The <literal>equal</literal> label should only be
+ <para><literal>equal</literal> sets the subject or object
+ to be disabled or unaffected and should only be
placed on objects considered to be exempt from the
policy.</para>
</listitem>
<listitem>
- <para>The <literal>high</literal> label grants an object
- or subject the highest possible setting.</para>
+ <para><literal>high</literal> grants an object
+ or subject the highest setting available in the Biba and
+ <acronym>MLS</acronym> policy modules.</para>
</listitem>
</itemizedlist>
- <para>With respect to each policy module, each of those
- settings will establish a different information flow
- directive. Refer to the manual pages of the module to
- determine the traits of these generic label
+ <para>Such policy modules include &man.mac.biba.4;, &man.mac.mls.4; and
+ &man.mac.lomac.4;. Each of the predefined
+ labels establishes a different information flow
+ directive. Refer to the manual page of the module to
+ determine the traits of the generic label
configurations.</para>
+ </sect2>
- <sect4>
- <title>Advanced Label Configuration</title>
-
- <para>Numeric grade labels are used for
- <literal>comparison:compartment+compartment</literal>.
+ <sect2>
+ <title>Numeric Labels</title>
+
+ <para>The Biba and <acronym>MLS</acronym> policy modules support a numeric
+ label which may be set to indicate the precise level of hierarchical
+ control. This numeric level is used to partition or sort
+ information into different groups of classification, only
+ permitting access to that group or a higher group level.
For example:</para>
<programlisting>biba/10:2+3+6(5:2+3-20:2+3+4+5+6)</programlisting>
<para>may be interpreted as <quote>Biba Policy
- Label</quote>/<quote>Grade
- 10</quote>:<quote>Compartments 2, 3 and 6</quote>:
- (<quote>grade 5 ...</quote>)</para>
+ Label/Grade
+ 10:Compartments 2, 3 and 6:
+ (grade 5 ...</quote>)</para>
<para>In this example, the first grade would be considered
- the <quote>effective grade</quote> with
- <quote>effective compartments</quote>, the second grade
+ the effective grade with
+ effective compartments, the second grade
is the low grade, and the last one is the high grade.
- In most configurations, these settings will not be used
- as they are advanced configurations.</para>
+ In most configurations, such fine-grained settings are not needed
+ as they are considered to be advanced configurations.</para>
- <para>System objects only have a current grade/compartment.
+ <para>System objects only have a current grade and compartment.
System subjects reflect the range of available rights in
the system, and network interfaces, where they are used
for access control.</para>
<para>The grade and compartments in a subject and object
pair are used to construct a relationship known as
- <quote>dominance</quote>, in which a subject dominates an
+ <firstterm>dominance</firstterm>, in which a subject dominates an
object, the object dominates the subject, neither
dominates the other, or both dominate each other. The
<quote>both dominate</quote> case occurs when the two
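Review bot: the rewritten interpretation of the numeric label is mis-nested: `<quote>Biba Policy Label/Grade 10:Compartments 2, 3 and 6: (grade 5 ...</quote>)` opens the parenthesis inside the <quote> and closes it outside. Either restore the per-component quoting that was removed or drop the <quote> markup and state it as a sentence using the hunk's own reading: effective grade 10 with compartments 2, 3 and 6, low grade 5 with compartments 2 and 3, high grade 20 with compartments 2 through 6. Two consistency points in the same hunk: the `high` bullet now says "the highest setting available in the Biba and MLS policy modules", but the paragraph right after lists &man.mac.lomac.4; among the modules offering these labels, so either include lomac or drop the module list from the bullet; and "<command>getpmac</command> is usually used instead" has lost its antecedent now that the setpmac sentence moved to the previous hunk, so say "instead of <command>setpmac</command>" or "to read the label of a running process".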
@@ -422,21 +459,27 @@ test: biba/high</screen>
using <command>su</command> or <command>setpmac</command>
in order to access objects in a compartment from which
they are not restricted.</para>
- </sect4>
- </sect3>
+ </sect2>
- <sect3>
- <title>Users and Label Settings</title>
+ <sect2>
+ <title>User Labels</title>
<para>Users are required to have labels so that their files
and processes properly interact with the security policy
defined on the system. This is configured in
- <filename>login.conf</filename> using login classes. Every
+ <filename>/etc/login.conf</filename> using login classes. Every
policy module that uses labels will implement the user class
setting.</para>
- <para>An example entry containing every policy module setting
- is displayed below:</para>
+ <para>To set the
+ user class default label which will be enforced by
+ <acronym>MAC</acronym>, add a <option>label</option> entry. An
+ example <option>label</option> entry containing every policy module
+ is displayed below. Note that in a real
+ configuration, the administrator would never enable
+ every policy module. It is recommended that the rest of
+ this chapter be reviewed before any configuration is
+ implemented.</para>
<programlisting>default:\
:copyright=/etc/COPYRIGHT:\
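Review bot: "add a <option>label</option> entry" describes a login.conf capability, not a command-line option; the listing ends with `:label=partition/13,mls/5,biba/10(5-15),lomac/10[2]:`, so refer to it as the <literal>label</literal> capability. The carried-over sentence "Every policy module that uses labels will implement the user class setting" is still vague; what the example shows is that each labeling module contributes its own comma-separated element to that capability, so say that instead.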
@@ -462,25 +505,15 @@ test: biba/high</screen>
:ignoretime@:\
:label=partition/13,mls/5,biba/10(5-15),lomac/10[2]:</programlisting>
- <para>To set the
- user class default label which will be enforced by
- <acronym>MAC</acronym>, use <option>label</option>. Users
- are never permitted to modify this value. In a real
- configuration, however, the administrator would never enable
- every policy module. It is recommended that the rest of
- this chapter be reviewed before any configuration is
- implemented.</para>
-
- <note>
- <para>Users may change their label after they login, subject
+ <para>While users
+ can not modify the default value, they may change their label after they login, subject
to the constraints of the policy. The example above tells
- the Biba policy that a process's minimum integrity is 5,
- its maximum is 15, and the default effective label is 10.
- The process will run at 10 until it chooses to change
- label, perhaps due to the user using &man.setpmac.8;,
+ the Biba policy that a process's minimum integrity is <literal>5</literal>,
+ its maximum is <literal>15</literal>, and the default effective label is <literal>10</literal>.
+ The process will run at <literal>10</literal> until it chooses to change
+ label, perhaps due to the user using <command>setpmac</command>,
which will be constrained by Biba to the configured
range.</para>
- </note>
<para>After any change to
<filename>login.conf</filename>, the login class capability
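Review bot: "While users can not modify the default value, they may change their label after they login" needs "cannot" and "log in" (verb); "after they log in" also avoids reading "login" as the login(1) command. Folding the <note> into the paragraph otherwise reads fine, and the stated range (minimum 5, maximum 15, effective 10) still matches `biba/10(5-15)` in the listing above.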
@@ -489,30 +522,29 @@ test: biba/high</screen>
<para>Many sites have a large number of users requiring
several different user classes. In depth planning is
- required as this may get extremely difficult to
+ required as this can become difficult to
manage.</para>
- </sect3>
+ </sect2>
- <sect3>
- <title>Network Interfaces and Label Settings</title>
+ <sect2>
+ <title>Network Interface Labels</title>
<para>Labels may be set on network interfaces to help
control the flow of data across the network. Policies
using network interface labels function in the same way that
policies function with respect to objects. Users at high
- settings in <literal>biba</literal>, for example, will not
+ settings in Biba, for example, will not
be permitted to access network interfaces with a label of
- low.</para>
+ <literal>low</literal>.</para>
- <para><option>maclabel</option> may be passed to
- <command>ifconfig</command> when setting the
- <acronym>MAC</acronym> label on network interfaces. For
- example:</para>
+ <para>When setting the
+ <acronym>MAC</acronym> label on network interfaces, <option>maclabel</option> may be passed to
+ <command>ifconfig</command>:</para>
<screen>&prompt.root; <userinput>ifconfig bge0 maclabel biba/equal</userinput></screen>
- <para>will set the <acronym>MAC</acronym> label of
- <literal>biba/equal</literal> on the &man.bge.4; interface.
+ <para>This example will set the <acronym>MAC</acronym> label of
+ <literal>biba/equal</literal> on the <literal>bge0</literal> interface.
When using a setting similar to
<literal>biba/high(low-high)</literal>, the entire label
should be quoted to prevent an error from being
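Review bot: "When setting the MAC label on network interfaces, <option>maclabel</option> may be passed to <command>ifconfig</command>:" is passive, and with &man.bge.4; gone from the following sentence this paragraph no longer carries any man page reference; write "Use the <option>maclabel</option> parameter of &man.ifconfig.8; to set the MAC label on a network interface:" and keep <literal>bge0</literal> in the follow-up sentence. The unchanged lead sentence "Policies using network interface labels function in the same way that policies function with respect to objects" is circular; say that a labeled network interface is treated by the policy like any other labeled object.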
@@ -523,86 +555,8 @@ test: biba/high</screen>
label on network interfaces. Setting the label to
<option>equal</option> will have a similar effect. Review
the output of <command>sysctl</command>, the policy manual
- pages, and the information in this chapter for more
+ pages, and the information in the rest of this chapter for more
information on those tunables.</para>
- </sect3>
- </sect2>
-
- <sect2>
- <title>Singlelabel or Multilabel?</title>
-
- <para>By default, the system will use
- <option>singlelabel</option>. For the administrator, there
- are several differences which offer pros and cons to the
- flexibility in the system's security model.</para>
-
- <para>A security policy which uses <option>singlelabel</option>
- only permits one label, such as <literal>biba/high</literal>,
- to be used for each subject or object. This provides lower
- administration overhead, but decreases the flexibility of
- policies which support labeling.</para>
-
- <para><option>multilabel</option> permits each subject or object
- to have its own independent <acronym>MAC</acronym> label.
- The decision to use <option>multilabel</option> or
- <option>singlelabel</option> is only required for the policies
- which implement the labeling feature, including the Biba,
- Lomac, and <acronym>MLS</acronym> policies.</para>
-
- <para>In many cases, <option>multilabel</option> may not be
- needed. Consider the following situation and security
- model:</para>
-
- <itemizedlist>
- <listitem>
- <para>&os; web-server using the <acronym>MAC</acronym>
- framework and a mix of the various policies.</para>
- </listitem>
-
- <listitem>
- <para>This machine only requires one label,
- <literal>biba/high</literal>, for everything in the
- system. This file system would not require
- <option>multilabel</option> as a single label will always
- be in effect.</para>
- </listitem>
-
- <listitem>
- <para>But, this machine will be a web server and should
- have the web server run at <literal>biba/low</literal>
- to prevent write up capabilities. The server could
- use a separate partition set at
- <literal>biba/low</literal> for most if not all
- of its runtime state.</para>
- </listitem>
- </itemizedlist>
-
- <para>If any of the non-labeling policies are to be used,
- <option>multilabel</option> would not be required. These
- include the <literal>seeotheruids</literal>,
- <literal>portacl</literal> and <literal>partition</literal>
- policies.</para>
-
- <para>Using <option>multilabel</option> with a partition and
- establishing a security model based on
- <option>multilabel</option> functionality could increase
- administrative overhead as everything in the file system has a
- label. This includes directories, files, and even device
- nodes.</para>
-
- <para>The following command will set <option>multilabel</option>
- on the file systems to have multiple labels. This may only be
- done in single user mode and is not a requirement for the swap
- file system:</para>
-
- <screen>&prompt.root; <userinput>tunefs -l enable /</userinput></screen>
-
- <note>
- <para>Some users have experienced problems with setting the
- <option>multilabel</option> flag on the root partition.
- If this is the case, please review the
- <xref linkend="mac-troubleshoot"/> of this chapter.</para>
- </note>
</sect2>
</sect1>
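Review bot: the deleted web server bullet gives the reason for the separate partition, "for most if not all of its runtime state"; the relocated paragraph in the first hunk only says the server "could be installed to a separate UFS /usr/local file system set at biba/low", which reads as if the installed binaries rather than the writable runtime state are what must sit at low. Carry the runtime-state wording over to the new location. Also confirm that the surviving `</sect2>` at the end of this hunk now closes the Network Interface Labels sect2 (the old "Singlelabel or Multilabel?" sect2 and the `</sect3>`/`</sect2>` pair are deleted) so the sect1 stays balanced; the "the rest of this chapter" wording change is fine.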