mdoc(7) police: general cleanup.
parent
362502bc90
commit
25c5d2c69f
@ -31,29 +31,34 @@
|
|||||||
.\" SUCH DAMAGE.
|
.\" SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
|
.\"
|
||||||
.Dd November 20, 2001
|
.Dd November 20, 2001
|
||||||
.Dt LOMAC 4
|
.Dt LOMAC 4
|
||||||
.Os FreeBSD 5.0
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
.Nm LOMAC
|
.Nm LOMAC
|
||||||
.Nd Low-Watermark Mandatory Access Control security facility
|
.Nd Low-Watermark Mandatory Access Control security facility
|
||||||
.Sh USAGE
|
.Sh SYNOPSIS
|
||||||
.Dl # /sbin/kldload lomac
|
.Li "kldload lomac"
|
||||||
.Sh DESCRIPTION
|
.Sh DESCRIPTION
|
||||||
The
|
The
|
||||||
.Nm
|
.Nm
|
||||||
module provides a drop-in security mechanism in addition to the traditional
|
module provides a drop-in security mechanism in addition to the traditional
|
||||||
POSIX uid-based security facilities, requiring no additional configuration
|
\*[Px] UID-based security facilities, requiring no additional configuration
|
||||||
from the administrator.
|
from the administrator.
|
||||||
.Nm
|
.Nm
|
||||||
aims to be two things: it is non-intrusive, so that the system with
|
aims to be two things: it is non-intrusive, so that the system with
|
||||||
.Nm
|
.Nm
|
||||||
will not feel largely different from the system without it, and will not
|
will not feel largely different from the system without it, and will not
|
||||||
require much modification to intialize; it is also comprehensive enough
|
require much modification to initialize; it is also comprehensive enough
|
||||||
that a majority of attacks to compromise a system should fail.
|
that a majority of attacks to compromise a system should fail.
|
||||||
.Pp
|
.Pp
|
||||||
To this end, each process on the system will have a label of several
|
To this end, each process on the system will have a label of several
|
||||||
attributes, including a "high" or "low" security level, attached to it,
|
attributes, including a
|
||||||
|
.Dq high
|
||||||
|
or
|
||||||
|
.Dq low
|
||||||
|
security level, attached to it,
|
||||||
and these labels of integrity will be managed with a system cognizant
|
and these labels of integrity will be managed with a system cognizant
|
||||||
of IPC (signals, debugging, sockets, pipes), path-based filesystem
|
of IPC (signals, debugging, sockets, pipes), path-based filesystem
|
||||||
labels, virtual memory objects, and privileged system calls.
|
labels, virtual memory objects, and privileged system calls.
|
||||||
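Review bot: In the SYNOPSIS change, `.Li "kldload lomac"` drops both the `#` root prompt and the `/sbin/` path that the old `.Dl # /sbin/kldload lomac` line carried, so the page no longer signals that loading the module is a privileged step. Suggest stating that requirement in a sentence under DESCRIPTION, and keeping a display macro (`.Dl kldload lomac`) so the command still renders on its own literal line instead of inline text. Separately, "a majority of attacks to compromise a system should fail" is left untouched by this cleanup. It reads awkwardly and would be worth rewording while the paragraph is being edited.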
@ -77,20 +82,24 @@ or
|
|||||||
operation performed after it has been initialized.
|
operation performed after it has been initialized.
|
||||||
Pre-existing jail or chroot environments may not necessarily work
|
Pre-existing jail or chroot environments may not necessarily work
|
||||||
completely.
|
completely.
|
||||||
.Nm 's
|
.Nm Ns 's
|
||||||
filesystem should correctly respect the caching behavior of any of the
|
filesystem should correctly respect the caching behavior of any of the
|
||||||
system's filesystems, and so work for any "normal" or "synthetic"
|
system's filesystems, and so work for any
|
||||||
|
.Dq normal
|
||||||
|
or
|
||||||
|
.Dq synthetic
|
||||||
fileystems.
|
fileystems.
|
||||||
After loaded, another root
|
After loaded, another root
|
||||||
.Xr mount 8
|
.Xr mount 8
|
||||||
will exist on the system and appear as type "lomacfs".
|
will exist on the system and appear as type
|
||||||
|
.Dq lomacfs .
|
||||||
.Sh FILES
|
.Sh FILES
|
||||||
See
|
See
|
||||||
.Pa /sys/security/lomac/policy_plm.h
|
.Pa /sys/security/lomac/policy_plm.h
|
||||||
for specific information on exactly how
|
for specific information on exactly how
|
||||||
.Nm
|
.Nm
|
||||||
has been compiled to control access to the filesystem.
|
has been compiled to control access to the filesystem.
|
||||||
.Sh COMPATIBILITY
|
.Sh COMPATIBILITY
|
||||||
Some programs, for example
|
Some programs, for example
|
||||||
.Xr syslogd 8 ,
|
.Xr syslogd 8 ,
|
||||||
may need to be restarted after
|
may need to be restarted after
|
||||||
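Review bot: The line right after the new `.Dq synthetic` still reads "fileystems." on both sides of the diff. Since this hunk already rewrites that sentence, correct it to "filesystems." in the same pass. The following sentence, "After loaded, another root", is also unchanged and ungrammatical. "After the module is loaded, another root" would match the rest of the paragraph.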
@ -110,17 +119,14 @@ Since then, this implementation was created via funding from the
|
|||||||
United States DARPA.
|
United States DARPA.
|
||||||
See the copyright for details.
|
See the copyright for details.
|
||||||
.Sh AUTHORS
|
.Sh AUTHORS
|
||||||
.Bl -item
|
.An Brian Fundakowski Feldman Aq bfeldman@tislabs.com
|
||||||
.Li An Brian Fundakowski Feldman Aq bfeldman@tislabs.com
|
.An Timothy Fraser Aq tfraser@tislabs.com
|
||||||
.Li An Timothy Fraser Aq tfraser@tislabs.com
|
|
||||||
.El
|
|
||||||
.Sh BUGS
|
.Sh BUGS
|
||||||
.Nm
|
.Nm
|
||||||
has not gone through widespread testing yet, so many problems may still exist.
|
has not gone through widespread testing yet, so many problems may still exist.
|
||||||
There is still yet one unfixed panic which is reproduceable under load
|
There is still yet one unfixed panic which is reproduceable under load
|
||||||
(
|
.Xr ( vrele 9
|
||||||
.Xr vrele 9
|
being called too many times).
|
||||||
begin called too many times).
|
|
||||||
The operation of
|
The operation of
|
||||||
.Xr mount 2
|
.Xr mount 2
|
||||||
and
|
and
|
||||||
|
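Review bot: In the BUGS paragraph, the hunk fixes "begin called" to "being called" but leaves "reproduceable" misspelled on the unchanged line directly above the new `.Xr ( vrele 9`. Change it to "reproducible" here as well. "There is still yet one unfixed panic" on the same line is redundant and could be shortened to "There is still one unfixed panic".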