Before reading this chapter, a few key terms must be explained. This should clear up any confusion and avoid the abrupt introduction of new terms and information later on. The following terms are used throughout this chapter:
compartment: A compartment is a set of programs and data to be partitioned or separated, where users are given access only to specific components of a system. A compartment also represents a grouping, such as a work group, department, project, or topic. Access to compartments is granted on a need-to-know basis.
label: A label is a security attribute which can be applied to files, directories, and other objects in the system. It can be thought of as a confidentiality stamp: when a label is placed on a file, it describes the level of security for that specific file and permits access only by files, users, resources, etc. with a similar or lesser security setting. Some policies handle labels in different ways; this is discussed in the policy sections later in this chapter.
multilabel: The multilabel option is a file system option which can be set in single user mode using the tunefs(8) utility, set during the boot operation using the fstab(5) file, or set during the creation of a new file system. This option permits multiple MAC labels to be placed on files and directories in the file system. It only applies to policies which use label operations for enhanced security.
object: An object or system object is an entity through which information flows under the direction of a subject. This includes directories, files, fields, screens, keyboards, memory, magnetic storage, printers, or any other device that stores or moves data. Basically, an object is a data container or a system resource; access to an object effectively means access to the data.
policy: A collection of rules which defines how objectives are to be achieved. A policy usually documents how certain items are to be handled. In this chapter, the term policy is taken to mean a security policy.
single label: A single label is when the entire file system uses one label to enforce access control over the flow of data. When a file system has this set, which is the case whenever the multilabel option is not set, all files conform to the same label setting.
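The multilabel and single label entries above describe a per-file-system setting that is easy to lose track of across many mounts. The script below is an added example, not part of the FreeBSD Handbook: it audits a constructed fstab(5) table and reports which UFS file systems carry the multilabel option (and so can hold per-file MAC labels) and which are single label, and it prints the tunefs(8) invocation that would enable the flag on a file system that is still single label. The fstab contents and device names are made up for the example; tunefs -l enable is the real tunefs(8) switch, which must be run on an unmounted file system, e.g. in single user mode.

```shell
#!/bin/sh
# Added example (not from the FreeBSD Handbook): audit which file systems in an
# fstab(5) carry the "multilabel" mount option versus being single-label.

# Constructed sample fstab content; device names are not from any real system.
SAMPLE_FSTAB='# Device        Mountpoint   FStype  Options               Dump Pass#
/dev/ada0p2     /            ufs     rw,multilabel         1    1
/dev/ada0p3     /home        ufs     rw                    2    2
/dev/ada0p4     /var         ufs     rw,noatime,multilabel 2    2
/dev/ada0p1     none         swap    sw                    0    0'

# has_multilabel OPTIONS
# Succeeds when the comma-separated mount option list contains "multilabel".
has_multilabel() {
    case ",$1," in
        *,multilabel,*) return 0 ;;
        *)              return 1 ;;
    esac
}

# label_mode FSTAB_TEXT
# Prints "<mountpoint> multilabel" or "<mountpoint> single-label" for each
# UFS entry; comments, blank lines and non-UFS entries (e.g. swap) are skipped.
label_mode() {
    printf '%s\n' "$1" | while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|\#*) continue ;; esac
        [ "$fstype" = ufs ] || continue   # only UFS file systems carry MAC labels
        if has_multilabel "$opts"; then
            printf '%s multilabel\n' "$mnt"
        else
            printf '%s single-label\n' "$mnt"
        fi
    done
}

# tunefs_hint MOUNTPOINT
# The tunefs(8) command that turns on the multilabel flag for a single-label
# UFS file system; it must be run while the file system is unmounted.
tunefs_hint() {
    printf 'tunefs -l enable %s\n' "$1"
}

# Report every UFS entry, then show how to convert the single-label ones.
label_mode "$SAMPLE_FSTAB"
label_mode "$SAMPLE_FSTAB" | while read -r mnt mode; do
    [ "$mode" = single-label ] && tunefs_hint "$mnt"
done
```

On a live system the same check can be made against the mounted file systems, since mount(8) lists multilabel among the options of a file system that has the flag set; the fstab entry only takes effect at the next mount.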
subject: A subject is any active entity that causes information to flow between objects, e.g. a user, user process, system process, etc.
This, and other documents, can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.
For questions about FreeBSD, read the documentation before contacting <questions@FreeBSD.org>.
For questions about this documentation, e-mail <doc@FreeBSD.org>.