Hook up a sample LOMAC labeling policy. Unlike the old LOMAC module,

the file system initial labeling policy exists in userland, and is fed into setfsmac(1). This is based on the old LOMAC PLM. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
svn path=/head/; revision=107549
2024-11-29 08:08:37 +00:00 · 2002-12-03 15:16:10 +00:00 · 2002-12-03 15:16:10 +00:00 · df9bd3e90c · 2020-12-20 02:59:44 +00:00
commit df9bd3e90c
parent c3a04e1ea4
1 changed files with 29 additions and 0 deletions
--- a/share/security/lomac-policy.contexts
+++ b/share/security/lomac-policy.contexts
@ -0,0 +1,29 @@
+# $FreeBSD$
+#
+# This is a sample LOMAC policy based upon the PLM defined in the
+# original FreeBSD LOMAC port.  It may be configured on a
+# system via setfsmac(8).
+
+.*				lomac/high
+/sbin/dhclient			lomac/high[low]
+/dev(/.*)?			lomac/equal
+# This is not an exhaustive list of all "privileged" devices.
+/dev/mdctl			lomac/high
+/dev/pci			lomac/high
+/dev/k?mem			lomac/high
+/dev/io				lomac/high
+/dev/agp.*			lomac/high
+(/var)?/tmp(/.*)?		lomac/equal
+/tmp/\.X11-unix			lomac/high[equal]
+/tmp/\.X11-unix/.*		lomac/equal
+/proc(/.*)?			lomac/equal
+/mnt.*				lomac/low
+(/usr)?/home			lomac/high[low]
+(/usr)?/home/.*			lomac/low
+/var/mail(/.*)?			lomac/low
+/var/spool/mqueue(/.*)?		lomac/low
+(/mnt)?/cdrom(/.*)?		lomac/high
+(/usr)?/home/(ftp|samba)(/.*)?	lomac/high
+/var/log/sendmail\.st		lomac/low
+/var/run/utmp			lomac/equal
+/var/log/(lastlog|wtmp)		lomac/equal