Assorted mdoc(7) fixes.

2003-06-01 21:52:59 +00:00 · 2003-06-01 21:52:59 +00:00 · 3cc3bf5282
commit 3cc3bf5282
parent d7ea49283c
11 changed files with 312 additions and 194 deletions
--- a/share/man/man4/mac.4
+++ b/share/man/man4/mac.4
@ -29,7 +29,8 @@
 .\" SUCH DAMAGE.
 .\"
 .\" $FreeBSD$
-.Dd JANUARY 8, 2003
+.\"
 .Dd January 8, 2003
 .Os
 .Dt MAC 4
 .Sh NAME
@ -44,7 +45,8 @@ finely control system security by providing for a loadable security policy
 architecture.
 It is important to note that due to its nature, MAC security policies may
 only restrict access relative to one another and the base system policy;
-they cannot override traditional UNIX
+they cannot override traditional
 .Ux
 security provisions such as file permissions and superuser checks.
 .Pp
 Currently, the following MAC policy modules are shipped with
@ -95,10 +97,10 @@ To set the
 flag, drop to single-user mode and unmount the file system,
 then execute the following command:
 .Pp
-.Dl "tunefs -l enable" Sy filesystem
+.Dl "tunefs -l enable" Ar filesystem
 .Pp
 where
-.Sy filesystem
+.Ar filesystem
 is either the mount point
 (in
 .Xr fstab 5 )
@ -113,7 +115,7 @@ policies
 .Sx "Runtime Configuration" ) .
 Policy enforcement is divided into the following areas of the system:
 .Bl -ohang
-.It Sy File System
+.It Sy "File System"
 File system mounts, modifying directories, modifying files, etc.
 .It Sy KLD
 Loading, unloading, and retrieving statistics on loaded kernel modules
@ -130,38 +132,32 @@ Creation of and operation on
 objects
 .It Sy Processes
 Debugging
-(e.g.
+(e.g.\&
 .Xr ktrace 2 ) ,
 process visibility
-.Xr ( ps 1 ) ,
+.Pq Xr ps 1 ,
 process execution
-.Xr ( execve 2 ) ,
+.Pq Xr execve 2 ,
 signalling
-.Xr ( kill 2 )
+.Pq Xr kill 2
 .It Sy Sockets
 Creation of and operation on
 .Xr socket 2
 objects
 .It Sy System
 Kernel environment
-.Xr ( kenv 1 ) ,
+.Pq Xr kenv 1 ,
 system accounting
-.Xr ( acct 2 ) ,
+.Pq Xr acct 2 ,
 .Xr reboot 2 ,
 .Xr settimeofday 2 ,
 .Xr swapon 2 ,
 .Xr sysctl 3 ,
-.Sm off
+.Xr nfsd 8 Ns
-.Xr nfsd 8 -
+-related operations
 related
 .Sm on
 operations
 .It Sy VM
-.Sm off
+.Xr mmap 2 Ns
-.Xr mmap 2 -
+-ed files
 ed
 .Sm on
 files
 .El
 .Ss Setting MAC Labels
 From the command line, each type of system object has its own means for setting
@ -195,51 +191,50 @@ man page.
 The following
 .Xr sysctl 8
 MIBs are available for fine-tuning the enforcement of MAC policies.
-Unless specifically noted, all MIBs default to
+Unless specifically noted, all MIBs default to 1
 .Li 1
 (that is, all areas are enforced by default):
-.Bl -tag -width "security.mac.enforce_network"
+.Bl -tag -width ".Va security.mac.enforce_network"
 .It Va security.mac.enforce_fs
-Enforce MAC policies for file system accesses
+Enforce MAC policies for file system accesses.
 .It Va security.mac.enforce_kld
 Enforce MAC policies on
-.Xr kld 4
+.Xr kld 4 .
 .It Va security.mac.enforce_network
-Enforce MAC policies on network interfaces
+Enforce MAC policies on network interfaces.
 .It Va security.mac.enforce_pipe
-Enforce MAC policies on pipes
+Enforce MAC policies on pipes.
 .It Va security.mac.enforce_process
 Enforce MAC policies between system processes
-(e.g.
+(e.g.\&
 .Xr ps 1 ,
-.Xr ktrace 2 )
+.Xr ktrace 2 ) .
 .It Va security.mac.enforce_socket
-Enforce MAC policies on sockets
+Enforce MAC policies on sockets.
 .It Va security.mac.enforce_system
 Enforce MAC policies on system-related items
-(e.g.
+(e.g.\&
 .Xr kenv 1 ,
 .Xr acct 2 ,
-.Xr reboot 2 )
+.Xr reboot 2 ) .
 .It Va security.mac.enforce_vm
 Enforce MAC policies on
 .Xr mmap 2
 and
-.Xr mprotect 2
+.Xr mprotect 2 .
 .\" *** XXX ***
 .\" Support for this feature is poor and should not be encouraged.
 .\"
 .\" .It Va security.mac.mmap_revocation
 .\" Revoke
 .\" .Xr mmap 2
-.\" access to files on subject relabel
+.\" access to files on subject relabel.
 .\" .It Va security.mac.mmap_revocation_via_cow
 .\" Revoke
 .\" .Xr mmap 2
 .\" access to files via copy-on-write semantics;
 .\" mapped regions will still appear writable, but will no longer
-.\" effect a change on the underlying vnode
+.\" effect a change on the underlying vnode.
-.\" (Default: 0)
+.\" (Default: 0).
 .El
 .Sh SEE ALSO
 .Xr mac 3 ,
@ -253,36 +248,41 @@ and
 .Xr mac_portacl 4 ,
 .Xr mac_seeotheruids 4 ,
 .Xr mac_test 4 ,
-.Xr login.5 ,
+.Xr login.conf 5 ,
 .Xr maclabel 7 ,
 .Xr getfmac 8 ,
 .Xr setfmac 8 ,
 .Xr getpmac 8 ,
 .Xr setfmac 8 ,
 .Xr setpmac 8 ,
 .Xr mac 9
 .Rs
 .%B "The FreeBSD Handbook"
 .%T "Mandatory Access Control"
-.%O http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac.html
+.%O http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mac.html
 .Re
 .Sh HISTORY
 The
 .Nm
 implementation first appeared in
 .Fx 5.0
-and was developed by the TrustedBSD Project.
+and was developed by the
 .Tn TrustedBSD
 Project.
 .Sh AUTHORS
 This software was contributed to the
 .Fx
 Project by Network Associates Labs,
 the Security Research Division of Network Associates
-Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.
 .Sh BUGS
 See
 .Xr mac 9
 concerning appropriateness for production use.
-The TrustedBSD MAC Framework is considered experimental in
+The
 .Tn TrustedBSD
 MAC Framework is considered experimental in
 .Fx .
 .Pp
 While the MAC Framework design is intended to support the containment of
--- a/share/man/man4/mac_biba.4
+++ b/share/man/man4/mac_biba.4
@ -29,25 +29,32 @@
 .\" SUCH DAMAGE.
 .\"
 .\" $FreeBSD$
-.Dd NOVEMBER 18, 2002
+.\"
 .Dd November 18, 2002
 .Os
 .Dt MAC_BIBA 4
 .Sh NAME
 .Nm mac_biba
-.Nd Biba data integrity policy
+.Nd "Biba data integrity policy"
 .Sh SYNOPSIS
 To compile Biba into your kernel, place the following lines in your kernel
 configuration file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
 .Cd "options MAC_BIBA"
 .Ed
 .Pp
 Alternately, to load the Biba module at boot time, place the following line
 in your kernel configuration file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
 .Ed
 .Pp
 and in
 .Xr loader.conf 5 :
-.Cd mac_biba_load= Ns \&"YES"
+.Bd -literal -offset indent
 mac_biba_load="YES"
 .Ed
 .Sh DESCRIPTION
 The
 .Nm
@ -66,28 +73,30 @@ components, numbered from 0 to 255.
 A complete label consists of both hierarchal and non-hierarchal elements.
 .Pp
 Three special label values exist:
-.Bl -column -offset indent "biba/equal" "lower than all other labels"
+.Bl -column -offset indent ".Li biba/equal" "lower than all other labels"
 .It Sy Label Ta Sy Comparison
-.It Li biba/low Ta lower than all other labels
+.It Li biba/low Ta "lower than all other labels"
-.It Li biba/equal Ta equal to all other labels
+.It Li biba/equal Ta "equal to all other labels"
-.It Li biba/high Ta higher than all other labels
+.It Li biba/high Ta "higher than all other labels"
 .El
 .Pp
 The
-.Dq biba/high
+.Dq Li biba/high
 label is assigned to system objects which affect the integrity of the system
 as a whole.
-.Dq biba/equal
+The
 .Dq Li biba/equal
 label
 may be used to indicate that a particular subject or object is exempt from
 the Biba protections.
 These special label values are not specified as containing any compartments,
 although in a label comparison,
-.Dq biba/high
+.Dq Li biba/high
 appears to contain all compartments,
-.Dq biba/equal
+.Dq Li biba/equal
 the same compartments as the other label to which it is being compared,
 and
-.Dq biba/low
+.Dq Li biba/low
 none.
 .Pp
 In general, Biba access control takes the following model:
@ -137,7 +146,9 @@ reflecting the integrity of the object, or integrity of the data contained
 in the object.
 In general, objects labels are represented in the following form:
 .Pp
-.Dl biba/grade:compartments
+.Sm off
 .D1 Li biba / Ar grade : compartments
 .Sm on
 .Pp
 For example:
 .Pp
@ -154,8 +165,10 @@ greater or equal integrity to the low end of the range, and lesser or equal
 integrity to the high end of the range.
 In general, subject labels are represented in the following form:
 .Pp
-.Dl biba/singlegrade:singlecompartments(lograde:locompartments-
+.Sm off
-.Dl higrade:hicompartments)
+.D1 Li biba / Ar singlegrade : singlecompartments ( lograde : locompartments -
 .D1 Ar higrade : hicompartments )
 .Sm on
 .Pp
 For example:
 .Bd -literal -offset indent
@ -166,7 +179,7 @@ biba/high(low-high)
 Valid ranged labels must meet the following requirement regarding their
 elements:
 .Pp
-.Dl rangehigh >= single >= rangelow
+.D1 Ar rangehigh No \[>=] Ar single No \[>=] Ar rangelow
 .Pp
 One class of objects with ranges currently exists, the network interface.
 In the case of the network interface, the single label element references the
@ -177,23 +190,20 @@ the interface.
 The following
 .Xr sysctl 8
 MIBs are available for fine-tuning the enforcement of this MAC policy.
-.Bl -tag -width 'security.mac.biba.ptys_equal'
+.Bl -tag -width ".Va security.mac.biba.ptys_equal"
 .It Va security.mac.biba.enabled
-Enables enforcement of the Biba integrity policy
+Enables enforcement of the Biba integrity policy.
-(Default: 1)
+(Default: 1).
 .It Va security.mac.biba.ptys_equal
 Label
-.Sm off
+.Xr pty 4 Ns s
 .Xr pty 4
 s
 .Sm on
 as
-.Dq biba/equal
+.Dq Li biba/equal
-upon creation
+upon creation.
-(Default: 0)
+(Default: 0).
 .It Va security.mac.biba.revocation_enabled
-Revoke access to objects if the label is changed to dominate the subject
+Revoke access to objects if the label is changed to dominate the subject.
-(Default: 0)
+(Default: 0).
 .El
 .Sh SEE ALSO
 .Xr lomac 4 ,
@ -214,11 +224,14 @@ The
 .Nm
 policy module first appeared in
 .Fx 5.0
-and was developed by the TrustedBSD Project.
+and was developed by the
 .Tn TrustedBSD
 Project.
 .Sh AUTHORS
 This software was contributed to the
 .Fx
 Project by Network Associates Labs,
 the Security Research Division of Network Associates
-Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.
--- a/share/man/man4/mac_bsdextended.4
+++ b/share/man/man4/mac_bsdextended.4
@ -29,25 +29,32 @@
 .\" SUCH DAMAGE.
 .\"
 .\" $FreeBSD$
-.Dd OCTOBER 16, 2002
+.\"
 .Dd October 16, 2002
 .Os
 .Dt MAC_BSDEXTENDED 4
 .Sh NAME
 .Nm mac_bsdextended
-.Nd file system firewall policy
+.Nd "file system firewall policy"
 .Sh SYNOPSIS
 To compile the file system firewall policy into your kernel,
 place the following lines in your kernel configuration file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
 .Cd "options MAC_BSDEXTENDED"
 .Ed
 .Pp
 Alternately, to load the file system firewall policy module at boot time,
 place the following line in your kernel configuration file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
 .Ed
 .Pp
 and in
 .Xr loader.conf 5 :
-.Cd mac_bsdextended_load= Ns \&"YES"
+.Bd -literal -offset indent
 mac_bsdextended_load="YES"
 .Ed
 .Sh DESCRIPTION
 The
 .Nm
@ -91,10 +98,13 @@ The
 .Nm
 policy module first appeared in
 .Fx 5.0
-and was developed by the TrustedBSD Project.
+and was developed by the
 .Tn TrustedBSD
 Project.
 .Sh AUTHORS
 This software was contributed to the
 .Fx
 Project by NAI Labs, the Security Research Division of Network Associates
-Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.
--- a/share/man/man4/mac_ifoff.4
+++ b/share/man/man4/mac_ifoff.4
@ -29,26 +29,33 @@
 .\" SUCH DAMAGE.
 .\"
 .\" $FreeBSD$
-.Dd DECEMBER 10, 2002
+.\"
 .Dd December 10, 2002
 .Os
 .Dt MAC_IFOFF 4
 .Sh NAME
 .Nm mac_ifoff
-.Nd interface silencing policy
+.Nd "interface silencing policy"
 .Sh SYNOPSIS
 To compile the interface silencing policy into your kernel,
 place the following lines in your kernel
 configuration file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
 .Cd "options MAC_IFOFF"
 .Ed
 .Pp
 Alternately, to load the interface silencing policy module at boot time,
 place the following line in your kernel configuration file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
 .Ed
 .Pp
 and in
 .Xr loader.conf 5 :
-.Cd mac_ifoff_load= Ns \&"YES"
+.Bd -literal -offset indent
 mac_ifoff_load="YES"
 .Ed
 .Sh DESCRIPTION
 The
 .Nm
@ -59,25 +66,19 @@ via the
 interface.
 .Pp
 To disable network traffic over the loopback
-.Xr ( lo 4 )
+.Pq Xr lo 4
 interface, set the
 .Xr sysctl 8
 OID
 .Va security.mac.ifoff.lo_enabled
-to
+to 0 (default 1).
 .Li 0
 (default
 .Li 1 ) .
 .Pp
 To enable network traffic over other interfaces,
 set the
 .Xr sysctl 8
 OID
 .Va security.mac.ifoff.other_enabled
-to
+to 1 (default 0).
 .Li 1
 (default
 .Li 0 ) .
 .Pp
 To allow BPF traffic to be received,
 even while other traffic is disabled,
@ -85,10 +86,7 @@ set the
 .Xr sysctl 8
 OID
 .Va security.mac.ifoff.bpfrecv_enabled
-to
+to 1 (default 0).
 .Li 1
 (default
 .Li 0 ) .
 .Ss Label Format
 No labels are defined.
 .Sh SEE ALSO
@ -108,19 +106,24 @@ The
 .Nm
 policy module first appeared in
 .Fx 5.0
-and was developed by the TrustedBSD Project.
+and was developed by the
 .Tn TrustedBSD
 Project.
 .Sh AUTHORS
 This software was contributed to the
 .Fx
 Project by Network Associates Labs,
 the Security Research Division of Network Associates
-Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.
 .Sh BUGS
 See
 .Xr mac 9
 concerning appropriateness for production use.
-The TrustedBSD MAC Framework is considered experimental in
+The
 .Tn TrustedBSD
 MAC Framework is considered experimental in
 .Fx .
 .Pp
 While the MAC Framework design is intended to support the containment of
--- a/share/man/man4/mac_lomac.4
+++ b/share/man/man4/mac_lomac.4
@ -29,25 +29,32 @@
 .\" SUCH DAMAGE.
 .\"
 .\" $FreeBSD$
 .\"
 .Dd December 11, 2002
 .Os
 .Dt MAC_LOMAC 4
 .Sh NAME
 .Nm mac_lomac
-.Nd Low-watermark Mandatory Access Control data integrity policy
+.Nd "Low-watermark Mandatory Access Control data integrity policy"
 .Sh SYNOPSIS
 To compile LOMAC into your kernel, place the following lines in your kernel
 configuration file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
 .Cd "options MAC_LOMAC"
 .Ed
 .Pp
 Alternately, to load the LOMAC module at boot time, place the following line
 in your kernel configuration file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
 .Ed
 .Pp
 and in
 .Xr loader.conf 5 :
-.Cd mac_lomac_load= Ns \&"YES"
+.Bd -literal -offset indent
 mac_lomac_load="YES"
 .Ed
 .Sh DESCRIPTION
 The
 .Nm
@ -68,20 +75,22 @@ with higher values reflecting higher integrity.
 Three special label component values exist:
 .Bl -column -offset indent ".Sy Label" "dominated by all other labels"
 .It Sy Label Ta Sy Comparison
-.It Li low Ta dominated by all other labels
+.It Li low Ta "dominated by all other labels"
-.It Li equal Ta equal to all other labels
+.It Li equal Ta "equal to all other labels"
-.It Li high Ta dominates all other labels
+.It Li high Ta "dominates all other labels"
 .El
 .Pp
 The
-.Dq high
+.Dq Li high
 label is assigned to system objects which affect the integrity of the system
 as a whole.
-.Dq equal
+The
 .Dq Li equal
 label
 may be used to indicate that a particular subject or object is exempt from
 the LOMAC protections.
 For example, a label of
-.Dq lomac/equal(equal-equal)
+.Dq Li lomac/equal(equal-equal)
 might be used on a subject which is to be used to administratively relabel
 anything on the system.
 .Pp
@ -94,7 +103,9 @@ directory or the alternate label assumed by the subject upon execution of
 an executable.
 In general, objects labels are represented in the following form:
 .Pp
-.Dl lomac/ Ns Sy grade Ns [ Sy auxgrade ]
+.Sm off
 .D1 Li lomac / Ar grade Bq Ar auxgrade
 .Sm on
 .Pp
 For example:
 .Pp
@ -111,21 +122,29 @@ greater or equal integrity to the low end of the range, and lesser or equal
 integrity to the high end of the range.
 In general, subject labels are represented in the following form:
 .Pp
-.Dl lomac/ Ns Sy singlegrade Ns ( Sy lograde Ns - Ns Sy higrade )
+.Sm off
 .D1 Li lomac / Ar singlegrade ( lograde No - Ar higrade )
 .Sm on
 .Pp
 Modification of objects is restricted to access via the following comparison:
 .Pp
-.Dl subject::higrade >= target-object::grade
+.D1 Ar subject Ns :: Ns Ar higrade No \[>=] Ar target-object Ns :: Ns Ar grade
 .Pp
 Modification of subjects is the same, as the target subject's single grade
 is the only element taken into comparison.
 .Pp
 Demotion of a subject occurs when the following comparison is true:
 .Pp
-.Dl subject::singlegrade > object::grade
+.D1 Ar subject Ns :: Ns Ar singlegrade No > Ar object Ns :: Ns Ar grade
 .Pp
-When demotion occurs, the subject's singlegrade and higrade are reduced to the
+When demotion occurs, the subject's
-object's grade, as well as the lograde if necessary.
+.Ar singlegrade
 and
 .Ar higrade
 are reduced to the
 object's grade, as well as the
 .Ar lograde
 if necessary.
 When the demotion occurs, in addition to the permission of the subject being
 reduced, shared
 .Xr mmap 2
@ -133,7 +152,8 @@ objects which it has opened in its memory space may be revoked according to
 the following
 .Xr sysctl 2
 variables:
-.Bl -bullet
+.Pp
 .Bl -bullet -compact
 .It
 .Va security.mac.lomac.revocation_enabled
 .It
@ -146,7 +166,7 @@ variables:
 .Pp
 Upon execution of a file, if the executable has an auxiliary label, and that
 label is within the current range of
-.Sy lograde-higrade ,
+.Ar lograde Ns - Ns Ar higrade ,
 it will be assumed by the subject immediately.
 After this, demotion is performed just as with any other read operation, with
 the executable as the target.
@ -188,11 +208,14 @@ The
 .Nm
 policy module first appeared in
 .Fx 5.0
-and was developed by the TrustedBSD Project.
+and was developed by the
 .Tn TrustedBSD
 Project.
 .Sh AUTHORS
 This software was contributed to the
 .Fx
 Project by Network Associates Labs,
 the Security Research Division of Network Associates
-Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.
--- a/share/man/man4/mac_mls.4
+++ b/share/man/man4/mac_mls.4
@ -29,25 +29,32 @@
 .\" SUCH DAMAGE.
 .\"
 .\" $FreeBSD$
-.Dd DECEMBER 1, 2002
+.\"
 .Dd December 1, 2002
 .Os
 .Dt MAC_MLS 4
 .Sh NAME
 .Nm mac_mls
-.Nd Multi-Level Security confidentiality policy
+.Nd "Multi-Level Security confidentiality policy"
 .Sh SYNOPSIS
 To compile MLS into your kernel, place the following lines in your kernel
 configuration file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
 .Cd "options MAC_MLS"
 .Ed
 .Pp
 Alternately, to load the MLS module at boot time, place the following line
 in your kernel configuration file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
 .Ed
 .Pp
 and in
 .Xr loader.conf 5 :
-.Cd mac_mls_load= Ns \&"YES"
+.Bd -literal -offset indent
 mac_mls_load="YES"
 .Ed
 .Sh DESCRIPTION
 The
 .Nm
@ -74,26 +81,26 @@ With normal labels, dominance is defined as a label having a higher
 or equal active sensitivity level, and having at least
 all of the same compartments as the label to which it is being compared.
 With respect to label comparisons,
-.Dq lower
+.Dq Li lower
 is defined as being dominated by the label to which it is being compared,
 and
-.Dq higher
+.Dq Li higher
 is defined as dominating the label to which it is being compared,
 and
-.Dq equal
+.Dq Li equal
 is defined as both labels being able to satisfy the dominance requirements
 over one another.
 .Pp
 Three special label values exist:
-.Bl -column -offset indent "mls/equal" "dominated by all other labels"
+.Bl -column -offset indent ".Li mls/equal" "dominated by all other labels"
 .It Sy Label Ta Sy Comparison
-.It Li mls/low Ta dominated by all other labels
+.It Li mls/low Ta "dominated by all other labels"
-.It Li mls/equal Ta equal to all other labels
+.It Li mls/equal Ta "equal to all other labels"
-.It Li mls/high Ta dominates all other labels
+.It Li mls/high Ta "dominates all other labels"
 .El
 .Pp
 The
-.Dq mls/equal
+.Dq Li mls/equal
 label may be applied to subjects and objects for which no enforcement of the
 MLS security policy is desired.
 .Pp
@ -132,10 +139,11 @@ reflecting the classification of the object, or classification of the data
 contained in the object.
 In general, object labels are represented in the following form:
 .Pp
-.Dl mls/grade:compartments
+.Sm off
 .D1 Li mls / Ar grade : compartments
 .Sm on
 .Pp
 For example:
 .Pp
 .Bd -literal -offset indent
 mls/10:2+3+6
 mls/low
@ -149,8 +157,10 @@ greater or equal integrity to the low end of the range, and lesser or equal
 integrity to the high end of the range.
 In general, subject labels are represented in the following form:
 .Pp
-.Dl mls/singlegrade:singlecompartments(lograde:locompartments-
+.Sm off
-.Dl higrade:hicompartments)
+.D1 Li mls / Ar singlegrade : singlecompartments ( lograde : locompartments No -
 .D1 Ar higrade : hicompartments )
 .Sm on
 .Pp
 For example:
 .Bd -literal -offset indent
@ -161,7 +171,7 @@ mls/high(low-high)
 Valid ranged labels must meet the following requirement regarding their
 elements:
 .Pp
-.Dl rangehigh >= single >= rangelow
+.D1 Ar rangehigh No \[>=] Ar single No \[>=] Ar rangelow
 .Pp
 One class of objects with ranges currently exists, the network interface.
 In the case of the network interface, the single label element references
@ -172,30 +182,27 @@ the interface.
 The following
 .Xr sysctl 8
 MIBs are available for fine-tuning the enforcement of this MAC policy.
-.Bl -tag -width security.mac.mls.enabled
+.Bl -tag -width ".Va security.mac.mls.ptys_equal"
 .It Va security.mac.mls.enabled
-Enables the enforcement of the MLS confidentiality policy
+Enables the enforcement of the MLS confidentiality policy.
-(Default: 1)
+(Default: 1).
 .It Va security.mac.mls.ptys_equal
 Label
-.Sm off
+.Xr pty 4 Ns s
 .Xr pty 4
 s
 .Sm on
 as
-.Dq mls/equal
+.Dq Li mls/equal
-upon creation
+upon creation.
-(Default: 0)
+(Default: 0).
 .It Va security.mac.mls.revocation_enabled
 Revoke access to objects if the label is changed to a more sensitive
-level than the subject
+level than the subject.
-(Default: 0)
+(Default: 0).
 .El
 .Sh IMPLEMENTATION NOTES
 Currently, the
 .Nm
 policy relies on superuser status
-.Xr ( suser 9 )
+.Pq Xr suser 9
 in order to change network interface MLS labels.
 This will eventually go away, but it is currently a liability and may
 allow the superuser to bypass MLS protections.
@ -218,19 +225,24 @@ The
 .Nm
 policy module first appeared in
 .Fx 5.0
-and was developed by the TrustedBSD Project.
+and was developed by the
 .Tn TrustedBSD
 Project.
 .Sh AUTHORS
 This software was contributed to the
 .Fx
 Project by Network Associates Laboratories,
 the Security Research Division of Network Associates
-Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.
 .Sh BUGS
 See
 .Xr mac 9
 concerning appropriateness for production use.
-The TrustedBSD MAC Framework is considered experimental in
+The
 .Tn TrustedBSD
 MAC Framework is considered experimental in
 .Fx .
 .Pp
 While the MAC Framework design is intended to support the containment of
--- a/share/man/man4/mac_none.4
+++ b/share/man/man4/mac_none.4
@ -29,26 +29,33 @@
 .\" SUCH DAMAGE.
 .\"
 .\" $FreeBSD$
-.Dd DECEMBER 1, 2002
+.\"
 .Dd December 1, 2002
 .Os
 .Dt MAC_NONE 4
 .Sh NAME
 .Nm mac_none
-.Nd sample MAC policy module
+.Nd "sample MAC policy module"
 .Sh SYNOPSIS
 To compile the sample policy
 into your kernel, place the following lines in your kernel
 configuration file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
 .Cd "options MAC_NONE"
 .Ed
 .Pp
 Alternately, to load the sample module at boot time, place the following line
 in your kernel configuration file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
 .Ed
 .Pp
 and in
 .Xr loader.conf 5 :
-.Cd mac_none_load= Ns \&"YES"
+.Bd -literal -offset indent
 mac_none_load="YES"
 .Ed
 .Sh DESCRIPTION
 The
 .Nm
@ -76,19 +83,24 @@ The
 .Nm
 policy module first appeared in
 .Fx 5.0
-and was developed by the TrustedBSD Project.
+and was developed by the
 .Tn TrustedBSD
 Project.
 .Sh AUTHORS
 This software was contributed to the
 .Fx
 Project by Network Associates Labs,
 the Security Research Division of Network Associates
-Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.
 .Sh BUGS
 See
 .Xr mac 9
 concerning appropriateness for production use.
-The TrustedBSD MAC Framework is considered experimental in
+The
 .Tn TrustedBSD
 MAC Framework is considered experimental in
 .Fx .
 .Pp
 While the MAC Framework design is intended to support the containment of
--- a/share/man/man4/mac_partition.4
+++ b/share/man/man4/mac_partition.4
@ -29,26 +29,33 @@
 .\" SUCH DAMAGE.
 .\"
 .\" $FreeBSD$
-.Dd DECEMBER 9, 2002
+.\"
 .Dd December 9, 2002
 .Os
 .Dt MAC_PARTITION 4
 .Sh NAME
 .Nm mac_partition
-.Nd process partition policy
+.Nd "process partition policy"
 .Sh SYNOPSIS
 To compile the process partition policy into your kernel,
 place the following lines in your kernel
 configuration file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
 .Cd "options MAC_PARTITION"
 .Ed
 .Pp
 Alternately, to load the process partition module at boot time,
 place the following line in your kernel configuration file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
 .Ed
 .Pp
 and in
 .Xr loader.conf 5 :
-.Cd mac_partition_load= Ns \&"YES"
+.Bd -literal -offset indent
 mac_partition_load="YES"
 .Ed
 .Sh DESCRIPTION
 The
 .Nm
@ -62,18 +69,19 @@ same partition.
 If no partition is specified for a process, it can see all other processes
 in the system
 (subject to other MAC policy restrictions not defined in this man page).
-No provisions for placing processes into multiple partitions is available.
+No provisions for placing processes into multiple partitions are available.
 .Ss Label Format
 Partition labels take on the following format:
 .Pp
-.Dl partition/ Ns Sy value
+.Sm off
 .Dl Li partition / Ar value
 .Sm on
 .Pp
 Where
-.Sy value
+.Ar value
 can be any integer value or
-.Dq none .
+.Dq Li none .
 For example:
 .Pp
 .Bd -literal -offset indent
 partition/1
 partition/20
@ -98,19 +106,24 @@ The
 .Nm
 policy module first appeared in
 .Fx 5.0
-and was developed by the TrustedBSD Project.
+and was developed by the
 .Tn TrustedBSD
 Project.
 .Sh AUTHORS
 This software was contributed to the
 .Fx
 Project by Network Associates Labs,
 the Security Research Division of Network Associates
-Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.
 .Sh BUGS
 See
 .Xr mac 9
 concerning appropriateness for production use.
-The TrustedBSD MAC Framework is considered experimental in
+The
 .Tn TrustedBSD
 MAC Framework is considered experimental in
 .Fx .
 .Pp
 While the MAC Framework design is intended to support the containment of
--- a/share/man/man4/mac_seeotheruids.4
+++ b/share/man/man4/mac_seeotheruids.4
@ -29,26 +29,33 @@
 .\" SUCH DAMAGE.
 .\"
 .\" $FreeBSD$
-.Dd DECEMBER 8, 2002
+.\"
 .Dd December 8, 2002
 .Os
 .Dt MAC_SEEOTHERUIDS 4
 .Sh NAME
 .Nm mac_seeotheruids
-.Nd simple policy controlling whether users see other users
+.Nd "simple policy controlling whether users see other users"
 .Sh SYNOPSIS
-To compile the mac_seeotheruids
+To compile the
 policy into your kernel, place the following lines in your kernel
 configuration file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
 .Cd "options MAC_SEEOTHERUIDS"
 .Ed
 .Pp
 Alternately, to load the module at boot time, place the following line
 in your kernel configuration file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
 .Ed
 .Pp
 and in
 .Xr loader.conf.5 :
-.Cd mac_seeotheruids_load= Ns \&"YES"
+.Bd -literal -offset indent
 mac_seeotheruids_load="YES"
 .Ed
 .Sh DESCRIPTION
 The
 .Nm
@ -59,23 +66,19 @@ To enable
 .Nm ,
 set the sysctl OID
 .Va security.mac.seeotheruids.enabled
-to
+to 1.
 .Li 1 .
 .Pp
 To allow users to see processes and sockets owned by the same primary group,
 set the sysctl OID
 .Va security.mac.seeotheruids.primarygroup_enabled
-to
+to 1.
 .Li 1 .
 .Pp
 To allow processes with a specific group ID to be exempt from the policy,
 set the sysctl OID
 .Va security.mac.seeotheruids.specificgid_enabled
-to
+to 1, and
 .Li 1 ,
 and
 .Va security.mac.seeotheruids.specificgid
-to the gid to be exempted.
+to the group ID to be exempted.
 .Ss Label Format
 No labels are defined for
 .Nm .
@ -86,9 +89,9 @@ No labels are defined for
 .Xr mac_ifoff 4 ,
 .Xr mac_lomac 4 ,
 .Xr mac_mls 4 ,
 .Xr mac_none 4 ,
 .Xr mac_partition 4 ,
 .Xr mac_portacl 4 ,
 .Xr mac_none 4 ,
 .Xr mac_test 4 ,
 .Xr mac 9
 .Sh HISTORY
@ -96,19 +99,24 @@ The
 .Nm
 policy module first appeared in
 .Fx 5.0
-and was developed by the TrustedBSD Project.
+and was developed by the
 .Tn TrustedBSD
 Project.
 .Sh AUTHORS
 This software was contributed to the
 .Fx
 Project by Network Associates Labs,
 the Security Research Division of Network Associates
-Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.
 .Sh BUGS
 See
 .Xr mac 9
 concerning appropriateness for production use.
-The TrustedBSD MAC Framework is considered experimental in
+The
 .Tn TrustedBSD
 MAC Framework is considered experimental in
 .Fx .
 .Pp
 While the MAC Framework design is intended to support the containment of
--- a/share/man/man4/mac_stub.4
+++ b/share/man/man4/mac_stub.4
@ -29,26 +29,33 @@
 .\" SUCH DAMAGE.
 .\"
 .\" $FreeBSD$
-.Dd DECEMBER 1, 2002
+.\"
 .Dd December 1, 2002
 .Os
 .Dt MAC_NONE 4
 .Sh NAME
 .Nm mac_none
-.Nd sample MAC policy module
+.Nd "sample MAC policy module"
 .Sh SYNOPSIS
 To compile the sample policy
 into your kernel, place the following lines in your kernel
 configuration file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
 .Cd "options MAC_NONE"
 .Ed
 .Pp
 Alternately, to load the sample module at boot time, place the following line
 in your kernel configuration file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
 .Ed
 .Pp
 and in
 .Xr loader.conf 5 :
-.Cd mac_none_load= Ns \&"YES"
+.Bd -literal -offset indent
 mac_none_load="YES"
 .Ed
 .Sh DESCRIPTION
 The
 .Nm
@ -76,19 +83,24 @@ The
 .Nm
 policy module first appeared in
 .Fx 5.0
-and was developed by the TrustedBSD Project.
+and was developed by the
 .Tn TrustedBSD
 Project.
 .Sh AUTHORS
 This software was contributed to the
 .Fx
 Project by Network Associates Labs,
 the Security Research Division of Network Associates
-Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.
 .Sh BUGS
 See
 .Xr mac 9
 concerning appropriateness for production use.
-The TrustedBSD MAC Framework is considered experimental in
+The
 .Tn TrustedBSD
 MAC Framework is considered experimental in
 .Fx .
 .Pp
 While the MAC Framework design is intended to support the containment of
--- a/share/man/man4/mac_test.4
+++ b/share/man/man4/mac_test.4
@ -29,7 +29,8 @@
 .\" SUCH DAMAGE.
 .\"
 .\" $FreeBSD$
-.Dd DECEMBER 1, 2002
+.\"
 .Dd December 1, 2002
 .Os
 .Dt MAC_TEST 4
 .Sh NAME
@ -39,16 +40,22 @@
 To compile the testing policy
 into your kernel, place the following lines in your kernel
 configuration file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
 .Cd "options MAC_TEST"
 .Ed
 .Pp
 Alternately, to load the testing module at boot time, place the following line
 in your kernel configuration file:
 .Bd -ragged -offset indent
 .Cd "options MAC"
 .Ed
 .Pp
 and in
 .Xr loader.conf.5 :
-.Cd mac_test_load= Ns \&"YES"
+.Bd -literal -offset indent
 mac_test_load="YES"
 .Ed
 .Sh DESCRIPTION
 The
 .Nm
@ -82,19 +89,24 @@ The
 .Nm
 policy module first appeared in
 .Fx 5.0
-and was developed by the TrustedBSD Project.
+and was developed by the
 .Tn TrustedBSD
 Project.
 .Sh AUTHORS
 This software was contributed to the
 .Fx
 Project by Network Associates Labs,
 the Security Research Division of Network Associates
-Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 .Pq Dq CBOSS ,
 as part of the DARPA CHATS research program.
 .Sh BUGS
 See
 .Xr mac 9
 concerning appropriateness for production use.
-The TrustedBSD MAC Framework is considered experimental in
+The
 .Tn TrustedBSD
 MAC Framework is considered experimental in
 .Fx .
 .Pp
 While the MAC Framework design is intended to support the containment of