Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

setfsmac(8) [freebsd man page]

SETFSMAC(8)						    BSD System Manager's Manual 					       SETFSMAC(8)

NAME

     setfsmac -- set MAC label for a file hierarchy

SYNOPSIS

     setfsmac [-ehqvx] [-f specfile] ... [-s specfile] ... file ...

DESCRIPTION

     The setfsmac utility accepts a list of specification files as input and sets the MAC labels on the specified file system hierarchies.  Path
     names specified will be visited in order as given on the command line, and each tree will be traversed in pre-order.  (Generally, it will not
     be very useful to use relative paths instead of absolute paths.)  Multiple entries matching a single file will be combined and applied in a
     single transaction.

     The following options are available:

     -e      Treat any file systems encountered which do not support MAC labelling as errors, instead of warning and skipping them.

     -f specfile
	     Apply the specifications in specfile to the specified paths.  NOTE: Only the first entry for each file is applied; all others are
	     disregarded and silently dropped.	Multiple -f arguments may be specified to include multiple specification files.

     -h      When a symbolic link is encountered, change the label of the link rather than the file the link points to.

     -q      Do not print non-fatal warnings during execution.

     -s specfile
	     Apply the specifications in specfile, but assume the specification format is compatible with the SELinux specfile format.	NOTE: Only
	     the first entry for each file is applied; all others are disregarded and silently dropped.  The prefix ``sebsd/'' will be automati-
	     cally prepended to the labels in specfile.  Labels matching ``<<none>>'' will be explicitly not relabeled.  This permits SEBSD to re-
	     use existing SELinux policy specification files.

     -v      Increase the degree of verbosity.

     -x      Do not recurse into new file systems when traversing them.

FILES

     /usr/share/security/lomac-policy.contexts	Sample specfile containing LOMAC policy entries.

EXAMPLES

     See FILES.

SEE ALSO

     mac(3), mac_set_file(3), mac_set_link(3), mac(4), re_format(7), getfmac(8), setfmac(8), mac(9)

AUTHORS

     This software was contributed to the FreeBSD Project by Network Associates Labs, the Security Research Division of Network Associates Inc.
     under DARPA/SPAWAR contract N66001-01-C-8035 (``CBOSS''), as part of the DARPA CHATS research program.

BSD
								 February 17, 2004							       BSD

Check Out this Related Man Page

MAC_PARTITION(4)					   BSD Kernel Interfaces Manual 					  MAC_PARTITION(4)

NAME

     mac_partition -- process partition policy

SYNOPSIS

     To compile the process partition policy into your kernel, place the following lines in your kernel configuration file:

	   options MAC
	   options MAC_PARTITION

     Alternately, to load the process partition module at boot time, place the following line in your kernel configuration file:

	   options MAC

     and in loader.conf(5):

	   mac_partition_load="YES"

DESCRIPTION

     The mac_partition policy module implements a process partition policy, which allows administrators to place running processes into
     ``partitions'', based on their numeric process partition (specified in the process's MAC label).  Processes with a specified partition can
     only see processes that are in the same partition.  If no partition is specified for a process, it can see all other processes in the system
     (subject to other MAC policy restrictions not defined in this man page).  No provisions for placing processes into multiple partitions are
     available.

   Label Format
     Partition labels take on the following format:

	   partition/value

     Where value can be any integer value or ``none''.	For example:

	   partition/1
	   partition/20
	   partition/none

SEE ALSO

     mac(4), mac_biba(4), mac_bsdextended(4), mac_ifoff(4), mac_lomac(4), mac_mls(4), mac_none(4), mac_portacl(4), mac_seeotheruids(4),
     mac_test(4), maclabel(7), mac(9)

HISTORY

     The mac_partition policy module first appeared in FreeBSD 5.0 and was developed by the TrustedBSD Project.

AUTHORS

     This software was contributed to the FreeBSD Project by Network Associates Labs, the Security Research Division of Network Associates Inc.
     under DARPA/SPAWAR contract N66001-01-C-8035 (``CBOSS''), as part of the DARPA CHATS research program.

BUGS

     See mac(9) concerning appropriateness for production use.	The TrustedBSD MAC Framework is considered experimental in FreeBSD.

     While the MAC Framework design is intended to support the containment of the root user, not all attack channels are currently protected by
     entry point checks.  As such, MAC Framework policies should not be relied on, in isolation, to protect against a malicious privileged user.

BSD
								 December 9, 2002							       BSD
Man Page