Lines Matching +full:system +full:- +full:control
7 - The Elevator, from Dark Star
9 Smack is the Simplified Mandatory Access Control Kernel.
11 control that includes simplicity in its primary design goals.
13 Smack is not the only Mandatory Access Control scheme
14 available for Linux. Those new to Mandatory Access Control
21 - The kernel
22 - Basic utilities, which are helpful but not required
23 - Configuration data
35 Smack is used in the Tizen operating system. Please
41 git://github.com/smack-team/smack.git
85 Used to make access control decisions. In almost all cases
110 Use the Smack label in this attribute for access control
115 Use the Smack label in this attribute for access control
120 # attr -S -s SMACK64 -V "value" path
121 # chsmack -a value path
128 in the smackfs filesystem. This pseudo-filesystem is mounted
153 change-rule
154 This interface allows modification of existing access control rules.
162 "rwxat-". If a rule for a given subject and object exists it will be
179 "level-3-cats-5-19 3 2 5 19"
191 "level-3-cats-5-19 3 2 5 19"
212 If label is "-DELETE" a matched entry will be deleted.
217 This interface allows access control rules in addition to
218 the system defined rules to be specified. The format accepted
225 string may contain only the characters "rwxat-", and specifies
226 which sort of access is allowed. The "-" is a placeholder for
227 permissions that are not allowed. The string "r-x--" would
232 This interface allows access control rules in addition to
233 the system defined rules to be specified. The format accepted
240 string may contain only the characters "rwxat-", and specifies
241 which sort of access is allowed. The "-" is a placeholder for
242 permissions that are not allowed. The string "r-x--" would
245 load-self
246 Provided for backward compatibility. The load-self2 interface
254 load-self2
278 If the label specified is "-CIPSO" the address is treated
286 by spaces, to the file or cleared by writing "-" to the file.
291 0 - default:
294 object. For ``PTRACE_ATTACH``, read-write access is required.
296 1 - exact:
301 2 - draconian:
305 revoke-subject
306 Writing a Smack label here sets the access to '-' for all access
314 is dangerous and can ruin the proper labeling of your system.
317 relabel-self
326 by spaces, to the file or cleared by writing "-" to the file.
337 Look for additional programs on http://schaufler-ca.com
339 The Simplified Mandatory Access Control Kernel (Whitepaper)
343 casey@schaufler-ca.com
345 Mandatory Access Control
346 ------------------------
352 control mechanisms because the access control is specified at the discretion
355 access control mechanisms because you don't have a choice regarding the users
359 ---------------
362 Control (MAC) was very closely associated with the Bell & LaPadula security
369 -----------------------
375 maintain this scheme and the detailed understanding of the whole system
380 -----
382 Smack is a Mandatory Access Control mechanism designed to provide useful MAC
385 according to the requirements of the system and its purpose rather than those
391 -----------------
399 A subject is an active entity on the computer system.
404 An object is a passive entity on the computer system.
412 Data that identifies the Mandatory Access Control
420 violate an aspect of the system security policy, as identified by
426 A task that is allowed to violate the system security
432 ------------
434 Smack is an extension to a Linux system. It enforces additional restrictions
442 long, but keeping them to twenty-three characters is recommended.
448 (quote) and '"' (double-quote) characters.
449 Smack labels cannot begin with a '-'. This is reserved for special options.
459 Every task on a Smack system is assigned a label. The Smack label
460 of a process will usually be assigned by the system initialization
510 subject-label object-label access
512 Where subject-label is the Smack label of the task, object-label is the Smack
522 b: indicates that the rule should be reported for bring-up.
534 Closed Off -
544 valid letters (rwxatbRWXATB) and the dash ('-') character are allowed in
545 access specifications. The dash is a placeholder, so "a-r" is the same
554 access control models is not one of them. Smack strives to treat accesses as
558 File system objects including files, directories, named pipes, symbolic links,
580 Process objects reflect tasks on the system and the Smack label used to access
582 attempts. Sending a signal via the kill() system call is a write operation
595 system startup. The contents are written to the special file
627 As mentioned before, Smack enforces access control on network protocol
640 values used by the system handle all internal cases. Smack will compose CIPSO
642 intervention. Unlabeled packets that come into the system will be given the
645 Smack requires configuration in the case where packets from a system that is
647 Solaris system, but there are other, less widely deployed systems out there.
651 Smack system must match that of the remote system or packets will be
716 A special label '@' and an option '-CIPSO' can be used there::
719 -CIPSO means standard CIPSO networking
723 echo 127.0.0.1 -CIPSO > /sys/fs/smackfs/netlabel
729 echo 127.0.0.1 -CIPSO > /sys/fs/smackfs/netlabel
730 echo 192.168.0.0/16 -CIPSO > /sys/fs/smackfs/netlabel
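The conventions collected above (labels that may not begin with '-' or contain '/', '\', quote or double-quote characters and are best kept to twenty-three characters; access strings built from the letters rwxatb with '-' as a placeholder, so that "a-r" and "ra" describe the same access; rules written to load2 as "subject-label object-label access"; and host/label lines written to netlabel, where '@' is a special label and -CIPSO selects standard CIPSO networking) can be tied together in a few shell helpers. The following is an added example, not tooling from the Smack project or from this documentation. The function names, the SMACKFS variable, the dotted-IPv4-only host check and the rejection of whitespace inside labels (implied by the space-separated rule format) are assumptions of this example; upper-case access letters are folded to lower case, which is how the kernel treats them. The apply helper only writes into smackfs when it is mounted and writable, so the script can be run on a machine without Smack to see what it would write.

```shell
#!/bin/sh
# Added example (not Smack project tooling): compose and validate Smack
# labels, load2 rules and netlabel entries. SMACKFS is an assumed location;
# the documentation mounts smackfs at /sys/fs/smackfs.
SMACKFS="${SMACKFS:-/sys/fs/smackfs}"

# smack_label_ok LABEL -> 0 if LABEL is usable as a Smack label.
# Documented constraints: not empty, may not begin with '-' (reserved for
# options such as -CIPSO), may not contain / \ ' or ". Whitespace is also
# rejected here (assumption) because rule lines are space separated.
smack_label_ok() {
    case $1 in
        ''|-*) return 1 ;;
    esac
    if printf '%s\n' "$1" | grep -q '[/\\"'"'"'[:space:]]'; then
        return 1
    fi
    if [ ${#1} -gt 23 ]; then
        echo "warning: label '$1' is longer than the recommended 23 characters" >&2
    fi
    return 0
}

# smack_access_normalize ACCESS -> print the canonical access string.
# '-' is only a placeholder, so "a-r" and "ra" are the same rule; letters
# are emitted in rwxatb order and upper case is folded to lower case.
# An all-placeholder string (no access at all) becomes "-".
smack_access_normalize() {
    acc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case $acc in
        ''|*[!rwxatb-]*) return 1 ;;
    esac
    out=''
    for c in r w x a t b; do
        case $acc in *"$c"*) out="$out$c" ;; esac
    done
    [ -n "$out" ] || out='-'
    printf '%s\n' "$out"
}

# smack_rule SUBJECT OBJECT ACCESS -> print "subject-label object-label access"
# in the form load2 expects, after checking both labels.
smack_rule() {
    smack_label_ok "$1" || { echo "bad subject label: $1" >&2; return 1; }
    smack_label_ok "$2" || { echo "bad object label: $2" >&2; return 1; }
    acc=$(smack_access_normalize "$3") || { echo "bad access: $3" >&2; return 1; }
    printf '%s %s %s\n' "$1" "$2" "$acc"
}

# smack_netlabel_entry HOST[/PREFIX] LABEL -> print a netlabel line.
# LABEL is a Smack label, the special label '@', or the -CIPSO option
# (standard CIPSO networking). Only dotted IPv4 hosts/prefixes are checked.
smack_netlabel_entry() {
    case $1 in
        ''|*[!0-9./]*|*/*/*) return 1 ;;
    esac
    case $2 in
        @|-CIPSO) ;;
        *) smack_label_ok "$2" || return 1 ;;
    esac
    printf '%s %s\n' "$1" "$2"
}

# smack_apply FILE LINE -> write LINE into $SMACKFS/FILE (load2, netlabel, ...)
# when smackfs is mounted and writable (needs privilege); otherwise show it.
smack_apply() {
    if [ -w "$SMACKFS/$1" ]; then
        printf '%s\n' "$2" > "$SMACKFS/$1"
    else
        printf 'would write to %s/%s: %s\n' "$SMACKFS" "$1" "$2"
    fi
}

# Usage: allow subject Rubble read and execute access to objects labeled
# Stone, and map a local subnet to standard CIPSO networking.
rule=$(smack_rule Rubble Stone 'r-x--') && smack_apply load2 "$rule"
entry=$(smack_netlabel_entry 192.168.0.0/16 -CIPSO) && smack_apply netlabel "$entry"
```

Because every helper prints the exact line it would write, the same functions serve for preparing the rule and netlabel files that are loaded at system startup and for one-off changes on a running system; on a kernel without Smack they only report what would have been written.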
734 ------------------------------
736 There are three sorts of applications that will run on a Smack system. How an
741 ---------------------------
749 ---------------------------
756 ----------------------------
759 the enforcement of system policy. In most cases these are the programs that
763 File System Interfaces
764 ----------------------
766 Smack maintains labels on file system objects using extended attributes. The
767 Smack label of a file, directory, or other file system object can be obtained
773 process can set the Smack label of a file system object with setxattr(2)::
782 -----------------
801 --------------
811 file system if it lacks the Smack extended attribute.
825 These mount options apply to all file system types.
828 --------------
846 ------------
849 configuration and system bringup easier. Configure the kernel with