Module name: mac_lomac.ko
Kernel configuration line: options MAC_LOMAC
Boot option: mac_lomac_load="YES"
Unlike the MAC Biba policy, the mac_lomac(4) policy permits access to lower integrity objects only after decreasing the integrity level, so that no integrity rules are disrupted.
The MAC version of the Low-watermark integrity policy, not to be confused with the older lomac(4) implementation, works almost identically to Biba, with the exception of using floating labels to support subject demotion via an auxiliary grade compartment. This secondary compartment takes the form of [auxgrade].
When assigning a lomac policy with an auxiliary grade, it should look like lomac/10[2], where the number two (2) is the auxiliary grade.
The MAC LOMAC policy relies on the ubiquitous labeling of all system objects with integrity labels, permitting subjects to read from low integrity objects and then downgrading the label on the subject to prevent future writes to high integrity objects. This is the [auxgrade] option discussed above; thus the policy may provide for greater compatibility and require less initial configuration than Biba.
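The following C program is an added example, not code from the FreeBSD source or from this handbook. It models the read and write rules described above using plain integer grades (an assumption; higher means more integrity) and constructed subject and object names, and shows the case where Biba denies a read that the low-watermark rule permits at the cost of demoting the subject.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model: a grade is a plain integer, higher means more integrity.
 * (Assumption for illustration; this is not the mac_lomac(4) kernel code.) */
struct subject { const char *name; int grade; };
struct object  { const char *path; int grade; };

/* Biba read rule: no read down; the subject's label never changes. */
bool biba_read(const struct subject *s, const struct object *o)
{
    return o->grade >= s->grade;
}

/* Low-watermark read rule: the read is permitted, but the subject's label
 * floats down to the object's grade when that grade is lower. */
bool lomac_read(struct subject *s, const struct object *o)
{
    if (o->grade < s->grade)
        s->grade = o->grade;    /* subject demotion */
    return true;
}

/* Write rule shared by both models: no write to a higher-integrity object. */
bool integrity_write(const struct subject *s, const struct object *o)
{
    return s->grade >= o->grade;
}

int main(void)
{
    /* Constructed sample subject and objects. */
    struct subject sh = { "shell", 10 };
    struct object conf = { "/etc/example.conf", 10 };
    struct object tmp = { "/tmp/download", 2 };

    printf("write conf before read: %d\n", integrity_write(&sh, &conf));
    printf("Biba read of tmp:       %d\n", biba_read(&sh, &tmp));
    printf("LOMAC read of tmp:      %d\n", lomac_read(&sh, &tmp));
    printf("subject grade now:      %d\n", sh.grade);
    printf("write conf after read:  %d\n", integrity_write(&sh, &conf));
    return 0;
}
```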
Like the Biba and MLS policies, the setfmac and setpmac utilities may be used to place labels on system objects:
# setfmac /usr/home/trhodes lomac/high[low]
# getfmac /usr/home/trhodes
lomac/high[low]
Notice the auxiliary grade here is low; this is a feature provided only by the MAC LOMAC policy.