Module name: mac_lomac.ko
Kernel configuration line: options MAC_LOMAC
Boot option: mac_lomac_load="YES"
Unlike the MAC Biba policy, the mac_lomac(4) policy permits access to lower integrity objects only after decreasing the integrity level of the subject, so that no integrity rules are disrupted.
The MAC version of the Low-watermark integrity policy works almost identically to Biba, but with the exception of using floating labels to support subject demotion via an auxiliary grade compartment. This secondary compartment takes the form [auxgrade]. When assigning a LOMAC policy with an auxiliary grade, use the syntax lomac/10[2] where the number two (2) is the auxiliary grade.
The MAC LOMAC policy relies on the ubiquitous labeling of all system objects with integrity labels, permitting subjects to read from low integrity objects and then downgrading the label on the subject to prevent future writes to high integrity objects using [auxgrade]. The policy may provide for greater compatibility and require less initial configuration than Biba.
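The difference from Biba described above can be seen by replaying one access trace under both rules. The following is an added example, not code from the FreeBSD project: a small Python model in which every function name and the trace are constructed for illustration. It assumes the textbook low-watermark rule (a read of a lower-grade object demotes the subject to that object's grade), handles numeric grades only, and parses the auxiliary grade without interpreting it.

```python
import re
from dataclasses import dataclass

# Numeric labels in the form shown above: lomac/10 or lomac/10[2]
LABEL_RE = re.compile(r"^lomac/(\d+)(?:\[(\d+)\])?$")

def parse_label(text):
    """Split 'lomac/10[2]' into (grade, auxgrade); auxgrade is None if absent."""
    m = LABEL_RE.match(text)
    if not m:
        raise ValueError(f"not a numeric LOMAC label: {text!r}")
    grade, aux = m.groups()
    return int(grade), (int(aux) if aux is not None else None)

@dataclass
class Subject:
    grade: int  # current (floating) integrity grade of the process

def read(subj, obj_grade, policy):
    """Biba refuses a read-down; low-watermark allows it and demotes the subject."""
    if obj_grade < subj.grade:
        if policy == "biba":
            return False
        subj.grade = obj_grade  # floating label: drop to the object's grade
    return True

def write(subj, obj_grade):
    """Both policies refuse a write to an object of higher integrity."""
    return subj.grade >= obj_grade

def run_trace(policy, start_label, trace):
    """Replay (op, object_label) pairs; return (op, label, allowed, subject_grade)."""
    subj = Subject(parse_label(start_label)[0])
    results = []
    for op, label in trace:
        obj_grade = parse_label(label)[0]
        ok = read(subj, obj_grade, policy) if op == "read" else write(subj, obj_grade)
        results.append((op, label, ok, subj.grade))
    return results

# Constructed trace: a grade-10 process writes a grade-10 file, reads a grade-2
# file, then tries the grade-10 write again and finally writes a grade-2 file.
TRACE = [("write", "lomac/10"), ("read", "lomac/2"),
         ("write", "lomac/10"), ("write", "lomac/2")]

if __name__ == "__main__":
    for policy in ("biba", "lomac"):
        print(policy)
        for row in run_trace(policy, "lomac/10[2]", TRACE):
            print("  ", row)
```

Under the Biba rule the read of the grade-2 file is the step that fails; under the low-watermark rule that read succeeds and it is the later write to the grade-10 file that fails, because the subject now sits at grade 2.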