Currently, the implementation supports two syntax styles for label element declaration. The old (deprecated) syntax consists of a single line with two fields separated by white space: the object class name, and a list of label elements as used by the mac_prepare(3) library calls prior to an application invocation of a function from mac_get(3).
The newer, preferred syntax consists of three fields separated by white space: the label group, the object class name, and a list of label elements.
Label element names may optionally begin with a ‘?’ symbol to indicate that a failure to retrieve the label element for an object should be silently ignored. This improves usability if the set of MAC policies may change over time.
/etc/mac.conf    MAC library configuration file.
    #
    # Default label set to be used by simple MAC applications

    default_labels file ?biba,?lomac,?mls,?sebsd
    default_labels ifnet ?biba,?lomac,?mls,?sebsd
    default_labels process ?biba,?lomac,?mls,?partition,?sebsd
    default_labels socket ?biba,?lomac,?mls

    #
    # Deprecated (old) syntax

    default_file_labels ?biba,?mls,?sebsd
    default_ifnet_labels ?biba,?mls,?sebsd
    default_process_labels ?biba,?mls,partition,?sebsd
In this example, userland applications will attempt to retrieve Biba, MLS, and SEBSD labels for all object classes; for processes, they will additionally attempt to retrieve a Partition identifier. In all cases except the Partition identifier, failure to retrieve a label due to the respective policy not being present will be ignored.
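The following parser is an added example, not code from the MAC library: it reads both syntax styles described above and reports which label elements lack the ‘?’ prefix, since those are the ones whose retrieval failure is not ignored. The function names, the sample input, and the treatment of ‘#’ as a comment marker anywhere on a line are assumptions of this example.

```python
SAMPLE = """\
# constructed sample combining both syntaxes from the example above
default_labels file ?biba,?lomac,?mls,?sebsd
default_labels socket ?biba,?lomac,?mls
default_process_labels ?biba,?mls,partition,?sebsd
"""

# Deprecated single-keyword forms shown on this page, mapped to object class.
DEPRECATED = {
    "default_file_labels": "file",
    "default_ifnet_labels": "ifnet",
    "default_process_labels": "process",
}


def parse_mac_conf(text):
    """Return (entries, warnings); entries maps object class -> [(element, optional)]."""
    entries, warnings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # assumed: '#' starts a comment
        if not fields:
            continue
        if len(fields) == 3:  # new syntax: label group, object class, elements
            _group, obj, elems = fields
        elif len(fields) == 2 and fields[0] in DEPRECATED:  # old syntax
            obj, elems = DEPRECATED[fields[0]], fields[1]
            warnings.append(f"line {lineno}: deprecated syntax '{fields[0]}'")
        else:
            warnings.append(f"line {lineno}: unrecognized entry, skipped")
            continue
        parsed = []
        for name in filter(None, elems.split(",")):
            optional = name.startswith("?")
            parsed.append((name[1:] if optional else name, optional))
            if not optional:
                warnings.append(f"line {lineno}: '{name}' has no '?' prefix; "
                                f"failure to retrieve it for {obj} is not ignored")
        entries[obj] = parsed
    return entries, warnings


def required_elements(entries):
    """Per object class, the elements whose retrieval failure is not ignored."""
    req = {o: [n for n, opt in e if not opt] for o, e in entries.items()}
    return {o: names for o, names in req.items() if names}


if __name__ == "__main__":
    parsed_entries, parse_warnings = parse_mac_conf(SAMPLE)
    print(required_elements(parsed_entries), *parse_warnings, sep="\n")
```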
MAC.CONF (5) | July 25, 2015