8 More Discussions You Might Find Interesting
1. Shell Programming and Scripting
I have a project tree like that.
after running find command with the -no -empty option, i am able to have a list of non empty directory
DO_MY_SEARCH="find . -type d -not -empty -print0"
MY_EXCLUDE_DIR1=" -e NOT_IN_USE -e RTMAP -e NOT_USEFULL "
echo " " > $MY_TEMP_RESULT_1
while... (2 Replies)
Discussion started by: jcdole
2 Replies
2. News, Links, Events and Announcements
A new project was posted on your project board.
Project title: Bash Shell Tutoring
Estimated Budget:
$50/hr
Start date:
Immediately
Required skills:
Linux, Bash, Shell, UNIX
I work as a datawarehouse designer and developer.
Although I usually stick to the role of an analyst,... (0 Replies)
Discussion started by: Neo
0 Replies
3. UNIX and Linux Applications
Dear all,
i am in last year of electronics department in engineering faculty
i need suggestions for a graduation project based on unix or free bsd or linux and electronics "embedded linux "
i think about embedded unix for example or device drivers
please i need helps (1 Reply)
Discussion started by: MOHA-1
1 Replies
4. Solaris
i have two doubts..
1. what is the use /etc/project file. i renamed this file and when i tried to switch user or login with some user account the login was happening slowly. but when i renamed it to original name it was working fine... why so?
2. unix already has useradd and grouadd for... (4 Replies)
Discussion started by: chidori
4 Replies
5. Solaris
We have a system running ssh. When a user logs in, they do not get the project they are assigned to (they run under "system"). I verify the project using the command "ps -e -o user,pid,ppid,args,project". If you do a "su - username", the user does get the project they are assigned to (and all... (2 Replies)
Discussion started by: kurgan
2 Replies
6. UNIX for Advanced & Expert Users
Does anyone know of a way of identifying the PC / client name rather than IP address via who or some other AIX command (5.3). (4 Replies)
Discussion started by: gefa
4 Replies
7. Programming
Hi all!
Is there any function to get the name from a computer by the IP adresse?
Thank you in advance!
Greetings Mario (2 Replies)
Discussion started by: coredump2003
2 Replies
8. Programming
Need help for RS232 communication with switches in order to optimise the data traffic. How to manipulate different flags in termios struct to do the same? (1 Reply)
Discussion started by: ManishSaxena
1 Replies
MAC_MLS(4) BSD Kernel Interfaces Manual MAC_MLS(4)
NAME
mac_mls -- Multi-Level Security confidentiality policy
SYNOPSIS
To compile MLS into your kernel, place the following lines in your kernel configuration file:
options MAC
options MAC_MLS
Alternately, to load the MLS module at boot time, place the following line in your kernel configuration file:
options MAC
and in loader.conf(5):
mac_mls_load="YES"
DESCRIPTION
The mac_mls policy module implements the Multi-Level Security, or MLS model, which controls access between subjects and objects based on
their confidentiality by means of a strict information flow policy. Each subject and object in the system has an MLS label associated with
it; each subject's MLS label contains information on its clearance level, and each object's MLS label contains information on its classifica-
tion.
In MLS, all system subjects and objects are assigned confidentiality labels, made up of a sensitivity level and zero or more compartments.
Together, these label elements permit all labels to be placed in a partial order, with confidentiality protections based on a dominance oper-
ator describing the order. The sensitivity level is expressed as a value between 0 and 65535, with higher values reflecting higher sensitiv-
ity levels. The compartment field is expressed as a set of up to 256 components, numbered from 1 to 256. A complete label consists of both
sensitivity and compartment elements.
With normal labels, dominance is defined as a label having a higher or equal active sensitivity level, and having at least all of the same
compartments as the label to which it is being compared. With respect to label comparisons, ``lower'' is defined as being dominated by the
label to which it is being compared, and ``higher'' is defined as dominating the label to which it is being compared, and ``equal'' is
defined as both labels being able to satisfy the dominance requirements over one another.
Three special label values exist:
Label Comparison
mls/low dominated by all other labels
mls/equal equal to all other labels
mls/high dominates all other labels
The ``mls/equal'' label may be applied to subjects and objects for which no enforcement of the MLS security policy is desired.
The MLS model enforces the following basic restrictions:
o Subjects may not observe the processes of another subject if its clearance level is lower than the clearance level of the object it is
attempting to observe.
o Subjects may not read, write, or otherwise observe objects without proper clearance (e.g. subjects may not observe objects whose classi-
fication label dominates its own clearance label)
o Subjects may not write to objects with a lower classification level than its own clearance level.
o A subject may read and write to an object if its clearance level is equal to the object's classification level as though MLS protections
were not in place.
These rules prevent subjects of lower clearance from gaining access information classified beyond its clearance level in order to protect the
confidentiality of classified information, subjects of higher clearance from writing to objects of lower classification in order to prevent
the accidental or malicious leaking of information, and subjects of lower clearance from observing subjects of higher clearance altogether.
In traditional trusted operating systems, the MLS confidentiality model is used in concert with the Biba integrity model (mac_biba(4)) in
order to protect the Trusted Code Base (TCB).
Label Format
Almost all system objects are tagged with an effective, active label element, reflecting the classification of the object, or classification
of the data contained in the object. In general, object labels are represented in the following form:
mls/grade:compartments
For example:
mls/10:2+3+6
mls/low
Subject labels consist of three label elements: an effective (active) label, as well as a range of available labels. This range is repre-
sented using two ordered MLS label elements, and when set on a process, permits the process to change its active label to any label of
greater or equal integrity to the low end of the range, and lesser or equal integrity to the high end of the range. In general, subject
labels are represented in the following form:
mls/effectivegrade:effectivecompartments(lograde:locompartments-
higrade:hicompartments)
For example:
mls/10:2+3+6(5:2+3-20:2+3+4+5+6)
mls/high(low-high)
Valid ranged labels must meet the following requirement regarding their elements:
rangehigh >= effective >= rangelow
One class of objects with ranges currently exists, the network interface. In the case of the network interface, the effective label element
references the default label for packets received over the interface, and the range represents the range of acceptable labels of packets to
be transmitted over the interface.
Runtime Configuration
The following sysctl(8) MIBs are available for fine-tuning the enforcement of this MAC policy.
security.mac.mls.enabled Enables the enforcement of the MLS confidentiality policy. (Default: 1).
security.mac.mls.ptys_equal Label pty(4)s as ``mls/equal'' upon creation. (Default: 0).
security.mac.mls.revocation_enabled
Revoke access to objects if the label is changed to a more sensitive level than the subject. (Default: 0).
IMPLEMENTATION NOTES
Currently, the mac_mls policy relies on superuser status (suser(9)) in order to change network interface MLS labels. This will eventually go
away, but it is currently a liability and may allow the superuser to bypass MLS protections.
SEE ALSO
mac(4), mac_biba(4), mac_bsdextended(4), mac_ifoff(4), mac_lomac(4), mac_none(4), mac_partition(4), mac_portacl(4), mac_seeotheruids(4),
mac_test(4), maclabel(7), mac(9)
HISTORY
The mac_mls policy module first appeared in FreeBSD 5.0 and was developed by the TrustedBSD Project.
AUTHORS
This software was contributed to the FreeBSD Project by Network Associates Laboratories, the Security Research Division of Network Associates
Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (``CBOSS''), as part of the DARPA CHATS research program.
BUGS
See mac(9) concerning appropriateness for production use. The TrustedBSD MAC Framework is considered experimental in FreeBSD.
While the MAC Framework design is intended to support the containment of the root user, not all attack channels are currently protected by
entry point checks. As such, MAC Framework policies should not be relied on, in isolation, to protect against a malicious privileged user.
BSD
December 1, 2002 BSD
03-25-2009
