From 5b180955e31bc8906692f2d80fc2d4b3f05ea455 Mon Sep 17 00:00:00 2001 From: Dru Lavigne Date: Wed, 26 Mar 2014 20:22:00 +0000 Subject: Shuffle of Label section to improve flow. Editorial review of Label section. More commits to come. Sponsored by: iXsystems --- en_US.ISO8859-1/books/handbook/mac/chapter.xml | 362 +++++++++++-------------- 1 file changed, 158 insertions(+), 204 deletions(-) (limited to 'en_US.ISO8859-1/books/handbook/mac/chapter.xml') diff --git a/en_US.ISO8859-1/books/handbook/mac/chapter.xml b/en_US.ISO8859-1/books/handbook/mac/chapter.xml index a67e5f99f9..5f1cc751f9 100644 --- a/en_US.ISO8859-1/books/handbook/mac/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/mac/chapter.xml 
@@ -244,58 +244,86 @@ A MAC label is a security attribute which may be applied to subjects and objects throughout - the system. - - When setting a label, the administrator must be able to - comprehend what exactly is being done and understand any + the system. When setting a label, the administrator must + understand its implications in order to prevent unexpected or undesired behavior of the system. The attributes available on an object - depend on the loaded policy module as policy modules interpret + depend on the loaded policy module, as policy modules interpret their attributes in different ways. The security label on an object is used as a part of a security access control decision by a policy. With some policies, the label contains all of the information necessary to make a decision. In other policies, the labels may be - processed as part of a larger rule set. For instance, setting - the label of biba/low on a file will - represent a label maintained by the Biba security policy module, - with a value of low. - - A few policy modules which support the labeling feature - in &os; offer three specific predefined labels: low, high, and - equal. Such policy modules enforce access control in a - different manner with each policy module, where the low label is - the lowest setting, the equal label sets the subject or object - to be disabled or unaffected, and the high label enforces the - highest setting available in the Biba and MLS - policy modules. - - Within single label file system environments, only one - label may be used on objects. This label enforces one set of - access permissions across the entire system and in many - environments may be all that is required. There are a few - cases where multiple labels may be set on objects or subjects - in the file system by passing to - &man.tunefs.8;. - - In the case of Biba and MLS, a numeric - label may be set to indicate the precise level of hierarchical - control. 
This numeric level is used to partition or sort - information into different groups of classification only - permitting access to that group or a higher group level. - - In most cases, the administrator will set up a single label - to use throughout the file system. This is similar to - DAC to some extent as - root is the one in control and who + processed as part of a larger rule set. + + There are two types of label policies: single label and multi label. + By default, the system will use + single label. The administrator should be aware of the + pros and cons of each in order to implement policies which meet the + requirements of the system's security model. + + A single label security policy + only permits one label + to be used for every subject or object. Since a single label policy enforces one set of + access permissions across the entire system, it provides lower + administration overhead, but decreases the flexibility of + policies which support labeling. However, in many + environments, a single label policy may be all that is required. + + A single label policy is somewhat similar to + DAC as + root configures the policies so that users are placed in the - appropriate categories/access levels. Alas, many policy modules - can restrict the root user as well. Basic + appropriate categories and access levels. A notable difference is that many policy modules + can also restrict root. Basic control over objects will then be released to the group, but root may revoke or modify the settings - at any time. This is the hierarchical/clearance model covered - by policies such as Biba and MLS. + at any time. + + When appropriate, a multi label policy can + be set on + a UFS file system by passing to + &man.tunefs.8;. A multi label policy permits each subject or object + to have its own independent MAC label. 
+ The decision to use a multi label or + single label policy is only required for policies + which implement the labeling feature, such as biba, + lomac, and mls. Some policies, + such as seeotheruids, + portacl and partition, + do not use labels at all. + + Using a multi label policy on a partition and + establishing a multi label security model can increase + administrative overhead as everything in that file system has a + label. This includes directories, files, and even device + nodes. + + The following command will set + on the specified UFS file system. This may only be + done in single-user mode and is not a requirement for the swap + file system: + + &prompt.root; tunefs -l enable / + + + Some users have experienced problems with setting the + flag on the root partition. + If this is the case, please review + . + + + Since the multi label policy is set on a per-file system basis, a multi label policy may not be + needed if the file system layout is well designed. Consider an example security + MAC model for a &os; web server. This machine + uses the single label, + biba/high, for everything in the default file + systems. If the web server needs to + run at biba/low + to prevent write up capabilities, it could + be installed to a separate UFS /usr/local file system set at + biba/low. Label Configuration 
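Review bot: the web-server example at the end of this hunk drops the point the deleted text made about runtime state. The removed version said the biba/low server "could use a separate partition set at biba/low for most if not all of its runtime state"; the new version says only that it "could be installed to a separate UFS /usr/local file system set at biba/low". Installing the binaries at biba/low is not what matters: a process running at biba/low can only write to biba/low objects, so it is whatever the server writes at runtime (the deleted text's "runtime state") that must live on the biba/low file system, or the server will fail on its first write. Suggest keeping that wording, e.g. "it could be installed, together with the files it writes at runtime, on a separate UFS file system such as /usr/local set at biba/low". Also, in the DAC comparison paragraph, "Basic control over objects will then be released to the group" does not say which group; "to the users placed in each category" would match the sentence before it.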
@@ -306,31 +334,35 @@ configuration or the manipulation and verification of the configuration. - All configuration may be done using &man.setfmac.8; and - &man.setpmac.8;. setfmac is used to set - MAC labels on system objects while - setpmac is used to set the labels on system - subjects. Observe: + All configuration may be done using + setfmac, which is used to set + MAC labels on system objects, and + setpmac, which is used to set the labels on system + subjects. For example, to set the biba MAC + label to high on test: &prompt.root; setfmac biba/high test If the configuration is successful, the prompt will be returned without error. A common error is Permission denied which usually occurs - when the label is being set or modified on an object which is - restricted.Other conditions may produce different + when the label is being set or modified on a restricted object. + Other conditions may produce different failures. For instance, the file may not be owned by the user attempting to relabel the object, the object may not - exist, or the object may be read only. A mandatory policy + exist, or the object may be read-only. A mandatory policy will not allow the process to relabel the file, maybe because of a property of the file, a property of the process, or a property of the proposed new label value. For - example, a user running at low integrity tries to change the - label of a high integrity file. Or perhaps a user running + example, if a user running at low integrity tries to change the + label of a high integrity file, or a user running at low integrity tries to change the label of a low - integrity file to a high integrity label. The - system administrator may use the following commands to - overcome this: + integrity file to a high integrity label, these operations will fail. 
+ + The + system administrator may use setpmac to override the + policy module's settings by assigning a different label to the + invoked process: &prompt.root; setfmac biba/high test Permission denied 
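Review bot: "The system administrator may use setpmac to override the policy module's settings" overstates what setpmac does and is contradicted by the User Labels text later in this patch, which says a label change made with setpmac "will be constrained by Biba to the configured range". setpmac only starts the given command with a different process label; whether that label, and the relabel the command then attempts, are allowed is still decided by the loaded policy module. Suggest: "may use setpmac to run the command with a different process label, subject to the policy's rules:". Minor: replacing &man.setfmac.8; and &man.setpmac.8; with bare command names drops the man page cross-references at the first mention of each tool; keep the entities on the first mention and use the bare names afterwards.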
@@ -338,80 +370,85 @@ &prompt.root; getfmac test test: biba/high - setpmac can be used to override the - policy module's settings by assigning a different label to the - invoked process. getpmac is usually used - with currently running processes, such as - sendmail. It takes a process ID in - place of a command. If users attempt to manipulate a file not + For currently running processes, such as + sendmail, + getpmac is usually used instead. + This command takes a process ID (PID) in + place of a command name. If users attempt to manipulate a file not in their access, subject to the rules of the loaded policy modules, the Operation not permitted - error will be displayed by the - mac_set_link function. + error will be displayed. + - - Common Label Types + + Predefined Labels - For the &man.mac.biba.4;, &man.mac.mls.4; and - &man.mac.lomac.4; policy modules, the ability to assign - simple labels is provided. These take the form of high, - equal, and low, where: + A few &os; policy modules which support the labeling feature + offer three predefined labels: low, equal, and high, + where: - The low label is considered the + low is considered the lowest label setting an object or subject may have. Setting this on objects or subjects blocks their access to objects or subjects marked high. - The equal label should only be + equal sets the subject or object + to be disabled or unaffected and should only be placed on objects considered to be exempt from the policy. - The high label grants an object - or subject the highest possible setting. + high grants an object + or subject the highest setting available in the Biba and + MLS policy modules. - With respect to each policy module, each of those - settings will establish a different information flow - directive. Refer to the manual pages of the module to - determine the traits of these generic label + Such policy modules include &man.mac.biba.4;, &man.mac.mls.4; and + &man.mac.lomac.4;. 
Each of the predefined + labels establishes a different information flow + directive. Refer to the manual page of the module to + determine the traits of the generic label configurations. + - - Advanced Label Configuration - - Numeric grade labels are used for - comparison:compartment+compartment. + + Numeric Labels + + The Biba and MLS policy modules support a numeric + label which may be set to indicate the precise level of hierarchical + control. This numeric level is used to partition or sort + information into different groups of classification, only + permitting access to that group or a higher group level. For example: biba/10:2+3+6(5:2+3-20:2+3+4+5+6) may be interpreted as Biba Policy - Label/Grade - 10:Compartments 2, 3 and 6: - (grade 5 ...) + Label/Grade + 10:Compartments 2, 3 and 6: + (grade 5 ...) In this example, the first grade would be considered - the effective grade with - effective compartments, the second grade + the effective grade with + effective compartments, the second grade is the low grade, and the last one is the high grade. - In most configurations, these settings will not be used - as they are advanced configurations. + In most configurations, such fine-grained settings are not needed + as they are considered to be advanced configurations. - System objects only have a current grade/compartment. + System objects only have a current grade and compartment. System subjects reflect the range of available rights in the system, and network interfaces, where they are used for access control. The grade and compartments in a subject and object pair are used to construct a relationship known as - dominance, in which a subject dominates an + dominance, in which a subject dominates an object, the object dominates the subject, neither dominates the other, or both dominate each other. The both dominate case occurs when the two 
@@ -422,21 +459,27 @@ test: biba/high using su or setpmac in order to access objects in a compartment from which they are not restricted. - - + - - Users and Label Settings + + User Labels Users are required to have labels so that their files and processes properly interact with the security policy defined on the system. This is configured in - login.conf using login classes. Every + /etc/login.conf using login classes. Every policy module that uses labels will implement the user class setting. - An example entry containing every policy module setting - is displayed below: + To set the + user class default label which will be enforced by + MAC, add a entry. An + example entry containing every policy module + is displayed below. Note that in a real + configuration, the administrator would never enable + every policy module. It is recommended that the rest of + this chapter be reviewed before any configuration is + implemented. default:\ :copyright=/etc/COPYRIGHT:\ 
@@ -462,25 +505,15 @@ test: biba/high :ignoretime@:\ :label=partition/13,mls/5,biba/10(5-15),lomac/10[2]: - To set the - user class default label which will be enforced by - MAC, use . Users - are never permitted to modify this value. In a real - configuration, however, the administrator would never enable - every policy module. It is recommended that the rest of - this chapter be reviewed before any configuration is - implemented. - - - Users may change their label after they login, subject + While users + can not modify the default value, they may change their label after they login, subject to the constraints of the policy. The example above tells - the Biba policy that a process's minimum integrity is 5, - its maximum is 15, and the default effective label is 10. - The process will run at 10 until it chooses to change - label, perhaps due to the user using &man.setpmac.8;, + the Biba policy that a process's minimum integrity is 5, + its maximum is 15, and the default effective label is 10. + The process will run at 10 until it chooses to change + label, perhaps due to the user using setpmac, which will be constrained by Biba to the configured range. - After any change to login.conf, the login class capability 
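Review bot: the explanation of the login.conf example covers only biba/10(5-15); the partition/13, mls/5 and lomac/10[2] components of the same label= line are left unexplained, and the bracketed part of the lomac entry uses a syntax the chapter does not describe anywhere else in this patch. Either add a sentence per component or trim the example to the modules the paragraph explains, since the text already tells readers the example is not a realistic configuration. Also, "While users can not modify the default value" should read "cannot"; the rest of the rewording (dropping "Users are never permitted to modify this value" in favour of the clause about changing label after login) reads well.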
@@ -489,30 +522,29 @@ test: biba/high Many sites have a large number of users requiring several different user classes. In depth planning is - required as this may get extremely difficult to + required as this can become difficult to manage. - + - - Network Interfaces and Label Settings + + Network Interface Labels Labels may be set on network interfaces to help control the flow of data across the network. Policies using network interface labels function in the same way that policies function with respect to objects. Users at high - settings in biba, for example, will not + settings in Biba, for example, will not be permitted to access network interfaces with a label of - low. + low. - may be passed to - ifconfig when setting the - MAC label on network interfaces. For - example: + When setting the + MAC label on network interfaces, may be passed to + ifconfig: &prompt.root; ifconfig bge0 maclabel biba/equal - will set the MAC label of - biba/equal on the &man.bge.4; interface. + This example will set the MAC label of + biba/equal on the bge0 interface. When using a setting similar to biba/high(low-high), the entire label should be quoted to prevent an error from being 
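Review bot: "Users at high settings in Biba, for example, will not be permitted to access network interfaces with a label of low" is too coarse for a Biba example, because the direction matters: Biba blocks reading down and writing up, so a biba/high process is prevented from receiving data on a biba/low interface, not from sending on it, and MLS applies the opposite directions. Suggest "will not be permitted to receive data from network interfaces labeled low" or, if the sentence is meant to stay module-neutral, drop "in Biba" and refer to the module manual pages for the direction. Minor: "on the bge0 interface" loses the &man.bge.4; reference that the replaced line had; keep the entity on the first mention.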
@@ -523,86 +555,8 @@ test: biba/high label on network interfaces. Setting the label to will have a similar effect. Review the output of sysctl, the policy manual - pages, and the information in this chapter for more + pages, and the information in the rest of this chapter for more information on those tunables. - - - - - Singlelabel or Multilabel? - - By default, the system will use - . For the administrator, there - are several differences which offer pros and cons to the - flexibility in the system's security model. - - A security policy which uses - only permits one label, such as biba/high, - to be used for each subject or object. This provides lower - administration overhead, but decreases the flexibility of - policies which support labeling. - - permits each subject or object - to have its own independent MAC label. - The decision to use or - is only required for the policies - which implement the labeling feature, including the Biba, - Lomac, and MLS policies. - - In many cases, may not be - needed. Consider the following situation and security - model: - - - - &os; web-server using the MAC - framework and a mix of the various policies. - - - - This machine only requires one label, - biba/high, for everything in the - system. This file system would not require - as a single label will always - be in effect. - - - - But, this machine will be a web server and should - have the web server run at biba/low - to prevent write up capabilities. The server could - use a separate partition set at - biba/low for most if not all - of its runtime state. - - - - If any of the non-labeling policies are to be used, - would not be required. These - include the seeotheruids, - portacl and partition - policies. - - Using with a partition and - establishing a security model based on - functionality could increase - administrative overhead as everything in the file system has a - label. This includes directories, files, and even device - nodes. 
- - The following command will set - on the file systems to have multiple labels. This may only be - done in single user mode and is not a requirement for the swap - file system: - - &prompt.root; tunefs -l enable / - - - Some users have experienced problems with setting the - flag on the root partition. - If this is the case, please review the - of this chapter. -