path: root/en_US.ISO8859-1/books/handbook/mac
Diffstat (limited to 'en_US.ISO8859-1/books/handbook/mac')
-rw-r--r-- en_US.ISO8859-1/books/handbook/mac/chapter.xml 250
1 files changed, 123 insertions, 127 deletions
diff --git a/en_US.ISO8859-1/books/handbook/mac/chapter.xml b/en_US.ISO8859-1/books/handbook/mac/chapter.xml
index facf372522..835959f2ab 100644
--- a/en_US.ISO8859-1/books/handbook/mac/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/mac/chapter.xml
@@ -769,7 +769,7 @@ test: biba/high</screen>
</sect1>
<sect1 id="mac-seeotheruids">
- <title>The &man.mac.seeotheruids.4; Module</title>
+ <title>The MAC See Other UIDs Policy</title>
<indexterm>
<primary>MAC See Other UIDs Policy</primary>
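Review bot: The new <title> drops &man.mac.seeotheruids.4;, so the heading no longer names the module or links to its manual page; the same applies to the other four retitled sections in this patch. Check that the body of each section still carries the corresponding &man.…; entity, otherwise the reader has the policy's descriptive name but no pointer to the module it refers to.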
@@ -824,7 +824,7 @@ test: biba/high</screen>
</sect1>
<sect1 id="mac-bsdextended">
- <title>The &man.mac.bsdextended.4; Module</title>
+ <title>The MAC BSD Extended Policy</title>
<indexterm>
<primary>MAC</primary>
@@ -904,7 +904,7 @@ test: biba/high</screen>
</sect1>
<sect1 id="mac-ifoff">
- <title>The &man.mac.ifoff.4; Module</title>
+ <title>The MAC Interface Silencing Policy</title>
<indexterm>
<primary>MAC Interface Silencing Policy</primary>
@@ -955,7 +955,7 @@ test: biba/high</screen>
</sect1>
<sect1 id="mac-portacl">
- <title>The &man.mac.portacl.4; Module</title>
+ <title>The MAC Port Access Control List Policy</title>
<indexterm>
<primary>MAC Port Access Control List Policy</primary>
@@ -1069,7 +1069,7 @@ net.inet.ip.portrange.reservedhigh=0</userinput></screen>
</sect1>
<sect1 id="mac-partition">
- <title>The &man.mac.partition.4; Module</title>
+ <title>The MAC Partition Policy</title>
<indexterm>
<primary>MAC Process Partition Policy</primary>
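Review bot: The new title "The MAC Partition Policy" disagrees with the unchanged indexterm directly below it, <primary>MAC Process Partition Policy</primary>. The other retitled sections whose indexterm is visible (See Other UIDs, Interface Silencing, Port Access Control List) use the same wording in both places, so either make the title "The MAC Process Partition Policy" or update the indexterm to match.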
@@ -1807,141 +1807,137 @@ setpmac biba/10\(10-10\) /usr/local/etc/rc.d/nagios.sh forcestart</userinput></s
<para>This section discusses common configuration issues.</para>
- <sect2>
- <title><option>multilabel</option> cannot be enabled on
- <filename>/</filename></title>
-
- <para>The<option>multilabel</option> flag does not stay
- enabled on my root (<filename>/</filename>) partition!</para>
-
+ <itemizedlist>
+ <listitem>
+ <para>The <option>multilabel</option> flag does not stay
+ enabled on my root (<filename>/</filename>) partition!</para>
- <para>The following steps may resolve this transient
- error:</para>
+ <para>The following steps may resolve this transient
+ error:</para>
- <procedure>
- <step>
- <para>Edit <filename>/etc/fstab</filename> and set the root
- partition to <option>ro</option> for read-only.</para>
- </step>
+ <procedure>
+ <step>
+ <para>Edit <filename>/etc/fstab</filename> and set the root
+ partition to <option>ro</option> for read-only.</para>
+ </step>
- <step>
- <para>Reboot into single user mode.</para>
- </step>
+ <step>
+ <para>Reboot into single user mode.</para>
+ </step>
- <step>
- <para>Run <command>tunefs</command> <option>-l
+ <step>
+ <para>Run <command>tunefs</command> <option>-l
enable</option>
- on <filename>/</filename>.</para>
- </step>
-
- <step>
- <para>Reboot the system.</para>
- </step>
-
- <step>
- <para>Run <command>mount</command> <option>-urw</option>
- <filename>/</filename> and change the <option>ro</option>
- back to <option>rw</option> in
- <filename>/etc/fstab</filename> and reboot the system
- again.</para>
- </step>
-
- <step>
- <para>Double-check the output from
- <command>mount</command> to ensure that
- <option>multilabel</option> has been properly set on the
- root file system.</para>
- </step>
- </procedure>
- </sect2>
+ on <filename>/</filename>.</para>
+ </step>
+
+ <step>
+ <para>Reboot the system.</para>
+ </step>
+
+ <step>
+ <para>Run <command>mount</command> <option>-urw</option>
+ <filename>/</filename> and change the <option>ro</option>
+ back to <option>rw</option> in
+ <filename>/etc/fstab</filename> and reboot the system
+ again.</para>
+ </step>
+
+ <step>
+ <para>Double-check the output from
+ <command>mount</command> to ensure that
+ <option>multilabel</option> has been properly set on the
+ root file system.</para>
+ </step>
+ </procedure>
+ </listitem>
- <sect2>
- <title>Xorg Server Will Not Start After
- <acronym>MAC</acronym></title>
-
- <para>After establishing a secure environment with
- <acronym>MAC</acronym>, I am no longer able to start
- Xorg!</para>
-
- <para>This could be caused by the <acronym>MAC</acronym>
- <literal>partition</literal> policy or by a mislabeling in
- one of the <acronym>MAC</acronym> labeling policies. To
- debug, try the following:</para>
-
- <procedure>
- <step>
- <para>Check the error message; if the user is in the
- <literal>insecure</literal> class, the
- <literal>partition</literal> policy may be the culprit.
- Try setting the user's class back to the
- <literal>default</literal> class and rebuild the database
- with <command>cap_mkdb</command>. If this does not
- alleviate the problem, go to step two.</para>
- </step>
-
- <step>
- <para>Double-check the label policies. Ensure that the
- policies are set correctly for the user, the Xorg
- application, and the <filename
- class="directory">/dev</filename> entries.</para>
- </step>
-
- <step>
- <para>If neither of these resolve the problem, send the
- error message and a description of the environment to
- the &a.questions; mailing list.</para>
- </step>
- </procedure>
- </sect2>
+ <listitem>
+ <para>After establishing a secure environment with
+ <acronym>MAC</acronym>, I am no longer able to start
+ Xorg!</para>
+
+ <para>This could be caused by the <acronym>MAC</acronym>
+ <literal>partition</literal> policy or by a mislabeling in
+ one of the <acronym>MAC</acronym> labeling policies. To
+ debug, try the following:</para>
+
+ <procedure>
+ <step>
+ <para>Check the error message; if the user is in the
+ <literal>insecure</literal> class, the
+ <literal>partition</literal> policy may be the culprit.
+ Try setting the user's class back to the
+ <literal>default</literal> class and rebuild the database
+ with <command>cap_mkdb</command>. If this does not
+ alleviate the problem, go to step two.</para>
+ </step>
+
+ <step>
+ <para>Double-check the label policies. Ensure that the
+ policies are set correctly for the user, the Xorg
+ application, and the <filename
+ class="directory">/dev</filename> entries.</para>
+ </step>
+
+ <step>
+ <para>If neither of these resolve the problem, send the
+ error message and a description of the environment to
+ the &a.questions; mailing list.</para>
+ </step>
+ </procedure>
+ </listitem>
- <sect2>
- <title>Error: &man..secure.path.3; cannot stat
- <filename>.login_conf</filename></title>
+ <listitem>
+ <para>The error: <errorname>_secure_path: unable to stat
+ .login_conf</errorname> shows up.</para>
- <para>When a user attempts to switch from the
- <username>root</username> user to another user in the system,
- the error message <errorname>_secure_path: unable to state
+ <para>When a user attempts to switch from the
+ <username>root</username> user to another user in the system,
+ the error message <errorname>_secure_path: unable to stat
.login_conf</errorname> appears.</para>
- <para>This message is usually shown when the user has a higher
- label setting than that of the user they are attempting to
- become. For instance, <username>joe</username> has a default
- label of <option>biba/low</option>. The
- <username>root</username> user, who has a label of
- <option>biba/high</option>, cannot view
- <username>joe</username>'s home directory. This will happen
- whether or not <username>root</username> has used
- <command>su</command> to become <username>joe</username> as
- the Biba integrity model will not permit
- <username>root</username> to view objects set at a lower
- integrity level.</para>
- </sect2>
+ <para>This message is usually shown when the user has a higher
+ label setting than that of the user they are attempting to
+ become. For instance, <username>joe</username> has a default
+ label of <option>biba/low</option>. The
+ <username>root</username> user, who has a label of
+ <option>biba/high</option>, cannot view
+ <username>joe</username>'s home directory. This will happen
+ whether or not <username>root</username> has used
+ <command>su</command> to become <username>joe</username> as
+ the Biba integrity model will not permit
+ <username>root</username> to view objects set at a lower
+ integrity level.</para>
+ </listitem>
- <sect2>
- <title>The <username>root</username> username is broken!</title>
+ <listitem>
+ <para>The system no longer recognizes the
+ <username>root</username> user.</para>
- <para>In normal or even single user mode, the
- <username>root</username> is not recognized,
- <command>whoami</command> returns 0 (zero), and
- <command>su</command> returns <errorname>who are
+ <para>In normal or even single user mode, the
+ <username>root</username> is not recognized,
+ <command>whoami</command> returns 0 (zero), and
+ <command>su</command> returns <errorname>who are
you?</errorname>.</para>
- <para>This can happen if a labeling policy has been disabled,
- either by a &man.sysctl.8; or the policy module was unloaded.
- If the policy is disabled, the login capabilities database
- needs to be reconfigured with <option>label</option> removed.
- Double check <filename>login.conf</filename> to ensure that
- all <option>label</option> options have been removed and
- rebuild the database with <command>cap_mkdb</command>.</para>
-
- <para>This may also happen if a policy restricts access to
- <filename>master.passwd</filename>. This is usually caused by
- an administrator altering the file under a label which
- conflicts with the general policy being used by the system.
- In these cases, the user information would be read by the
- system and access would be blocked as the file has inherited
- the new label. Disable the policy using &man.sysctl.8; and
- everything should return to normal.</para>
- </sect2>
+ <para>This can happen if a labeling policy has been disabled,
+ either by a &man.sysctl.8; or the policy module was unloaded.
+ If the policy is disabled, the login capabilities database
+ needs to be reconfigured with <option>label</option> removed.
+ Double check <filename>login.conf</filename> to ensure that
+ all <option>label</option> options have been removed and
+ rebuild the database with <command>cap_mkdb</command>.</para>
+
+ <para>This may also happen if a policy restricts access to
+ <filename>master.passwd</filename>. This is usually caused by
+ an administrator altering the file under a label which
+ conflicts with the general policy being used by the system.
+ In these cases, the user information would be read by the
+ system and access would be blocked as the file has inherited
+ the new label. Disable the policy using &man.sysctl.8; and
+ everything should return to normal.</para>
+ </listitem>
+ </itemizedlist>
</sect1>
</chapter>
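Review bot: Replacing the four <sect2> blocks with one <itemizedlist> removes every <title>, so the individual problems no longer have headings of their own; since each item is a symptom followed by its explanation, consider <qandaset> or keep the sect2 titles. In the third item the added opening para ("The error: _secure_path: unable to stat .login_conf shows up.") is followed immediately by a para saying the same error message appears, so one of the two can go. The unchanged continuation lines "enable</option>", ".login_conf</errorname> appears.</para>" and "you?</errorname>.</para>" were left at the old indentation while their neighbours moved in by four spaces. Finally, the re-indentation is mixed with content changes (the "The<option>" spacing fix, "state" to "stat", the new opening paras), which makes the 123/127-line diff hard to review; splitting whitespace from content would help.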