Chapter 17. Mandatory Access Control

Written by Tom Rhodes.
Table of Contents
17.1. Synopsis
17.2. Key Terms in This Chapter
17.3. Explanation of MAC
17.4. Understanding MAC Labels
17.5. Planning the Security Configuration
17.6. Module Configuration
17.7. The MAC See Other UIDs Policy
17.8. The MAC BSD Extended Policy
17.9. The MAC Interface Silencing Policy
17.10. The MAC Port Access Control List Policy
17.11. The MAC Partition Policy
17.12. The MAC Multi-Level Security Module
17.13. The MAC Biba Module
17.14. The MAC LOMAC Module
17.15. Nagios in a MAC Jail
17.16. User Lock Down
17.17. Troubleshooting the MAC Framework

17.1. Synopsis

FreeBSD 5.X introduced new security extensions from the TrustedBSD Project based on the POSIX®.1e draft. Two of the most significant new security mechanisms are file system Access Control Lists (ACLs) and Mandatory Access Control (MAC) facilities. MAC allows new access control modules to be loaded, implementing new security policies. Some modules provide protections for a narrow subset of the system, hardening a particular service. Others provide comprehensive labeled security across all subjects and objects. The mandatory part of the definition indicates that enforcement of controls is performed by administrators and the operating system. This is in contrast to the default security mechanism of Discretionary Access Control (DAC where enforcement is left to the discretion of users.

This chapter focuses on the MAC framework and the set of pluggable security policy modules FreeBSD provides for enabling various security mechanisms.

After reading this chapter, you will know:

  • Which MAC security policy modules are included in FreeBSD and their associated mechanisms.

  • The capabilities of MAC security policy modules as well as the difference between a labeled and non-labeled policy.

  • How to efficiently configure a system to use the MAC framework.

  • How to configure the different security policy modules included with the MAC framework.

  • How to implement a more secure environment using the MAC framework.

  • How to test the MAC configuration to ensure the framework has been properly implemented.

Before reading this chapter, you should:


Improper MAC configuration may cause loss of system access, aggravation of users, or inability to access the features provided by Xorg. More importantly, MAC should not be relied upon to completely secure a system. The MAC framework only augments an existing security policy. Without sound security practices and regular security checks, the system will never be completely secure.

The examples contained within this chapter are for demonstration purposes and the example settings should not be implemented on a production system. Implementing any security policy takes a good deal of understanding, proper design, and thorough testing.

17.1.1. What Will Not Be Covered

This chapter covers a broad range of security issues relating to the MAC framework. The development of new MAC security policy modules will not be covered. A number of security policy modules included with the MAC framework have specific characteristics which are provided for both testing and new module development. These include mac_test(4), mac_stub(4) and mac_none(4). For more information on these security policy modules and the various mechanisms they provide, refer to their manual pages.

All FreeBSD documents are available for download at

Questions that are not answered by the documentation may be sent to <>.

Send questions about this document to <>.