Date: Sun, 17 Nov 2013 05:21:11 +0000 (UTC)
From: Tom Rhodes <trhodes@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r43200 - head/en_US.ISO8859-1/books/handbook/mac
Message-ID: <201311170521.rAH5LBMQ040157@svn.freebsd.org>
Author: trhodes Date: Sun Nov 17 05:21:11 2013 New Revision: 43200 URL: http://svnweb.freebsd.org/changeset/doc/43200 Log: Collapse the various policy discussions into a single section. Discussed with: dru Modified: head/en_US.ISO8859-1/books/handbook/mac/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/mac/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/mac/chapter.xml Sat Nov 16 22:58:33 2013 (r43199) +++ head/en_US.ISO8859-1/books/handbook/mac/chapter.xml Sun Nov 17 05:21:11 2013 (r43200) @@ -763,7 +763,14 @@ test: biba/high</screen> option is called <option>multilabel</option>.</para> </sect1> - <sect1 xml:id="mac-seeotheruids"> + <sect1 xml:id="mac-policies"> + <title>Available MAC Policies</title> + + <para>&os; includes a group of policies that will cover + most security requirements. Each policy is discussed + below.</para> + + <sect2 xml:id="mac-seeotheruids"> <title>The MAC See Other UIDs Policy</title> <indexterm> @@ -816,9 +823,9 @@ test: biba/high</screen> may not be set.</para> </listitem> </itemizedlist> - </sect1> + </sect2> - <sect1 xml:id="mac-bsdextended"> + <sect2 xml:id="mac-bsdextended"> <title>The MAC BSD Extended Policy</title> <indexterm> @@ -855,7 +862,7 @@ test: biba/high</screen> module as incorrect use could block access to certain parts of the file system.</para> - <sect2> + <sect3> <title>Examples</title> <para>After the &man.mac.bsdextended.4; module has been loaded, @@ -895,10 +902,10 @@ test: biba/high</screen> <para>For more information, refer to &man.mac.bsdextended.4; and &man.ugidfw.8;</para> - </sect2> - </sect1> + </sect3> + </sect2> - <sect1 xml:id="mac-ifoff"> + <sect2 xml:id="mac-ifoff"> <title>The MAC Interface Silencing Policy</title> <indexterm> 
@@ -947,9 +954,9 @@ test: biba/high</screen> <package>security/aide</package> to automatically block network traffic if it finds new or altered files in protected directories.</para> - </sect1> + </sect2> - <sect1 xml:id="mac-portacl"> + <sect2 xml:id="mac-portacl"> <title>The MAC Port Access Control List Policy</title> <indexterm> @@ -1035,7 +1042,7 @@ net.inet.ip.portrange.reservedhigh=0</us <para>See the examples below or refer to &man.mac.portacl.4; for further information.</para> - <sect2> + <sect3> <title>Examples</title> <para>Since the <systemitem class="username">root</systemitem> user should not be @@ -1060,10 +1067,10 @@ net.inet.ip.portrange.reservedhigh=0</us <screen>&prompt.root; <userinput>sysctl security.mac.portacl.rules=uid:1001:tcp:110,uid:1001:tcp:995</userinput></screen> - </sect2> - </sect1> + </sect3> + </sect2> - <sect1 xml:id="mac-partition"> + <sect2 xml:id="mac-partition"> <title>The MAC Partition Policy</title> <indexterm> @@ -1113,7 +1120,7 @@ net.inet.ip.portrange.reservedhigh=0</us spawned by users in the <literal>insecure</literal> class will stay in the <literal>partition/13</literal> label.</para> - <sect2> + <sect3> <title>Examples</title> <para>The following command will display the partition label @@ -1143,10 +1150,10 @@ net.inet.ip.portrange.reservedhigh=0</us options, including their limitations, are further explained in the module manual pages.</para> </note> - </sect2> - </sect1> + </sect3> + </sect2> - <sect1 xml:id="mac-mls"> + <sect2 xml:id="mac-mls"> <title>The MAC Multi-Level Security Module</title> <indexterm> @@ -1277,7 +1284,7 @@ net.inet.ip.portrange.reservedhigh=0</us to <command>setfmac</command>. This method will be explained after all policies are covered.</para> - <sect2> + <sect3> <title>Planning Mandatory Sensitivity</title> <para>When using the MLS policy module, an administrator plans 
@@ -1302,10 +1309,10 @@ net.inet.ip.portrange.reservedhigh=0</us include an e-commerce web server, a file server holding critical company information, and financial institution environments.</para> - </sect2> - </sect1> + </sect3> + </sect2> - <sect1 xml:id="mac-biba"> + <sect2 xml:id="mac-biba"> <title>The MAC Biba Module</title> <indexterm> @@ -1419,7 +1426,7 @@ net.inet.ip.portrange.reservedhigh=0</us &prompt.root; <userinput>getfmac test</userinput> test: biba/low</screen> - <sect2> + <sect3> <title>Planning Mandatory Integrity</title> <para>Integrity, which is different from sensitivity, guarantees @@ -1457,10 +1464,10 @@ test: biba/low</screen> development and test machine, and a source code repository. A less useful implementation would be a personal workstation, a machine used as a router, or a network firewall.</para> - </sect2> - </sect1> + </sect3> + </sect2> - <sect1 xml:id="mac-lomac"> + <sect2 xml:id="mac-lomac"> <title>The MAC LOMAC Module</title> <indexterm> @@ -1495,7 +1502,7 @@ test: biba/low</screen> policy may provide for greater compatibility and require less initial configuration than Biba.</para> - <sect2> + <sect3> <title>Examples</title> <para>Like the Biba and <acronym>MLS</acronym> policies, @@ -1508,7 +1515,8 @@ test: biba/low</screen> <para>The auxiliary grade <literal>low</literal> is a feature provided only by the <acronym>MAC</acronym> LOMAC policy.</para> - </sect2> + </sect3> + </sect2> </sect1> <sect1 xml:id="mac-implementing">
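Review bot: The new introductory para in the first hunk (@@ -763,7 +763,14) says the bundled policies "will cover most security requirements", which is broader than anything the section goes on to show and does not help a reader choose among them. Suggest dropping that claim and instead listing each policy with a one-line purpose, linked by the xml:id values already in the patch (mac-seeotheruids, mac-bsdextended, mac-ifoff, mac-portacl, mac-partition, mac-mls, mac-biba, mac-lomac). Those ids are kept on the demoted sect2 elements, so cross-references by id are unaffected.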
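Review bot: The sect3 blocks titled "Examples" in hunks @@ -855,7 +862,7, @@ -1035,7 +1042,7, @@ -1113,7 +1120,7 and @@ -1495,7 +1502,7 carry no xml:id and share one title, so after this change four identically named subsections sit under the single mac-policies sect1 and cannot be linked to individually. Since these lines are being touched anyway, consider giving each an id derived from its parent (for example mac-portacl-examples) or a title that names the policy.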
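Review bot: In hunk @@ -1277,7 +1284,7 the context line "This method will be explained after all policies are covered" is a forward reference with no target, and with every policy now nested inside mac-policies it is no longer obvious where "after all policies" lands. Suggest replacing the sentence with an explicit cross-reference to the section that explains the method; if that is the following sect1 (mac-implementing is the next one visible in the last hunk), link to it by id.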
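Review bot: The titles left unchanged in hunks @@ -1143,10 +1150,10, @@ -1302,10 +1309,10 and @@ -1457,10 +1464,10 ("The MAC Multi-Level Security Module", "The MAC Biba Module", "The MAC LOMAC Module") now sit under a parent titled "Available MAC Policies" beside five siblings whose titles end in "Policy". Suggest settling on one term for all eight sect2 titles so the table of contents for the merged section reads consistently. The tag changes themselves balance: eight sect2 and six sect3 elements are opened and closed, and the trailing sect1 close in the last hunk now ends mac-policies.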