Module name: mac_mls.ko
Kernel configuration line: options MAC_MLS
Boot option: mac_mls_load="YES"
The mac_mls(4) policy controls access between subjects and objects in the system by enforcing a strict information flow policy.
In MLS environments, a “clearance” level is set in the label of each subject or object, along with compartments. Since these clearance or sensitivity levels can reach numbers greater than several thousand, it would be a daunting task for any system administrator to thoroughly configure each subject or object. Thankfully, three “instant” labels are included in this policy.
These labels are mls/low, mls/equal and mls/high. Since these labels are described in depth in the manual page, they will only get a brief description here:
The mls/low label contains a low configuration which permits it to be dominated by all other objects. Anything labeled with mls/low will have a low clearance level and not be permitted to access information of a higher level. This label also prevents objects of a higher clearance level from writing or passing information on to them.
The mls/equal label should be placed on objects considered to be exempt from the policy.
The mls/high label is the highest level of clearance possible. Objects assigned this label will hold dominance over all other objects in the system; however, they will not permit the leaking of information to objects of a lower class.
MLS provides:
A hierarchical security level with a set of non-hierarchical categories.
Fixed rules of no read up, no write down. This means that a subject can have read access to objects on its own level or below, but not above. Similarly, a subject can have write access to objects on its own level or above but not beneath.
Secrecy, or the prevention of inappropriate disclosure of data.
A basis for the design of systems that concurrently handle data at multiple sensitivity levels without leaking information between secret and confidential.
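The label descriptions and the no read up, no write down rules above reduce to a single dominance check. The following C program is an added example, not FreeBSD's mac_mls source: the enum, struct and function names and the bitmask encoding of compartments are assumptions made for illustration, and it models single labels only.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of a single MLS label; not the kernel's data structure. */
enum mls_type { MLS_LOW, MLS_EQUAL, MLS_HIGH, MLS_GRADE };
struct mls_label {
    enum mls_type type;
    unsigned grade;        /* numeric level, e.g. 5 for mls/5 (MLS_GRADE only) */
    unsigned compartments; /* assumption: bit n set = member of compartment n */
};

/* True when label a dominates label b. */
static bool mls_dominates(const struct mls_label *a, const struct mls_label *b)
{
    /* mls/equal is exempt: it dominates and is dominated by everything. */
    if (a->type == MLS_EQUAL || b->type == MLS_EQUAL)
        return true;
    /* mls/high dominates all labels; mls/low is dominated by all labels. */
    if (a->type == MLS_HIGH || b->type == MLS_LOW)
        return true;
    if (a->type == MLS_LOW || b->type == MLS_HIGH)
        return false;
    /* Numeric labels: grade at least as high, and every compartment of b. */
    return a->grade >= b->grade && (b->compartments & ~a->compartments) == 0;
}

/* No read up: the subject's label must dominate the object's. */
static bool mls_can_read(const struct mls_label *s, const struct mls_label *o)
{ return mls_dominates(s, o); }

/* No write down: the object's label must dominate the subject's. */
static bool mls_can_write(const struct mls_label *s, const struct mls_label *o)
{ return mls_dominates(o, s); }

/* Constructed sample labels: subject at grade 5 in compartment 1. */
static const struct mls_label subj5 = { MLS_GRADE, 5, 1u << 1 };
static const struct mls_label obj3 = { MLS_GRADE, 3, 0 };
static const struct mls_label obj5c = { MLS_GRADE, 5, (1u << 1) | (1u << 2) };
static const struct mls_label lbl_low = { MLS_LOW, 0, 0 }, lbl_high = { MLS_HIGH, 0, 0 },
                              lbl_equal = { MLS_EQUAL, 0, 0 };

int main(void)
{
    const struct mls_label *objs[] = { &obj3, &obj5c, &lbl_equal, &lbl_low, &lbl_high };
    for (int i = 0; i < 5; i++)
        printf("object %d: read=%d write=%d\n", i,
               mls_can_read(&subj5, objs[i]), mls_can_write(&subj5, objs[i]));
    return 0;
}
```

The obj5c case shows why the grade alone does not decide access: the subject and object share grade 5, but the object carries a compartment the subject lacks, so the read is refused while the write is allowed.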
The following sysctl tunables are available for the configuration of special services and interfaces:
security.mac.mls.enabled is used to enable or disable the MLS policy.
security.mac.mls.ptys_equal labels all pty(4) devices as mls/equal during creation.
security.mac.mls.revocation_enabled revokes access to objects after their label changes to a label of a lower grade.
security.mac.mls.max_compartments sets the maximum number of compartment levels allowed on a system.
To manipulate the MLS labels, use setfmac(8). To assign a label to an object, issue the following command:
# setfmac mls/5 test
To get the MLS label for the file test, issue the following command:
# getfmac test
Another approach is to create a master policy file in /etc/ which specifies the MLS policy information and to feed that file to setfmac. This method will be explained after all policies are covered.
When using the MLS policy module, an administrator plans to control the flow of sensitive information. The default “block read up, block write down” sets everything to a low state. Everything is accessible and an administrator slowly augments the confidentiality of the information during the configuration stage.
Beyond the three basic label options, an administrator may group users and groups as required to block the information flow between them. It might be easier to look at the information in clearance levels using descriptive words, such as classifications of Confidential, Secret, and Top Secret. Some administrators instead create different groups based on project levels. Regardless of the classification method, a well thought out plan must exist before implementing such a restrictive policy.
Some example situations for the MLS policy module include an e-commerce web server, a file server holding critical company information, and financial institution environments.