17.14. The MAC LOMAC Module

Module name: mac_lomac.ko

Kernel configuration line: options MAC_LOMAC

Boot option: mac_lomac_load="YES"

Unlike the MAC Biba policy, the mac_lomac(4) policy permits access to lower integrity objects only after decreasing the integrity level to not disrupt any integrity rules.

The MAC version of the Low-watermark integrity policy works almost identically to Biba, but with the exception of using floating labels to support subject demotion via an auxiliary grade compartment. This secondary compartment takes the form [auxgrade]. When assigning a LOMAC policy with an auxiliary grade, use the syntax lomac/10[2] where the number two (2) is the auxiliary grade.

The MAC LOMAC policy relies on the ubiquitous labeling of all system objects with integrity labels, permitting subjects to read from low integrity objects and then downgrading the label on the subject to prevent future writes to high integrity objects using [auxgrade]. The policy may provide for greater compatibility and require less initial configuration than Biba.

17.14.1. Examples

Like the Biba and MLS policies, setfmac and setpmac are used to place labels on system objects:

# setfmac /usr/home/trhodes lomac/high[low] # getfmac /usr/home/trhodes lomac/high[low]

The auxiliary grade low is a feature provided only by the MAC LOMAC policy.

All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/

Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.

Send questions about this document to <freebsd-doc@FreeBSD.org>.