16.9. MAC Policies with Labeling Features

16.9.1. Preparation for Labeling Policies

The following changes are required in the login.conf file:

• An insecure class, or another class of similar type, must be added. The login class of insecure is not required and just used as an example here; different configurations may use another class name.

• The insecure class should have the following settings and definitions. Several of these can be altered but the line which defines the default label is a requirement and must remain.

  insecure:\
  	:copyright=/etc/COPYRIGHT:\
  	:welcome=/etc/motd:\
  	:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
  	:path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:\
  	:manpath=/usr/share/man /usr/local/man:\
  	:nologin=/usr/sbin/nologin:\
  	:cputime=1h30m:\
  	:datasize=8M:\
  	:vmemoryuse=100M:\
  	:stacksize=2M:\
  	:memorylocked=4M:\
  	:memoryuse=8M:\
  	:filesize=8M:\
  	:coredumpsize=8M:\
  	:openfiles=24:\
  	:maxproc=32:\
  	:priority=0:\
  	:requirehome:\
  	:passwordtime=91d:\
  	:umask=022:\
  	:ignoretime@:\
  	:label=partition/13,mls/5,biba/low:
  

  The cap_mkdb(1) command needs to be ran on login.conf(5) before any of the users can be switched over to the new class.

  The root username should also be placed into a login class; otherwise, almost every command executed by root will require the use of setpmac.

  警告Rebuilding the login.conf database may cause some errors later with the daemon class. Simply uncommenting the daemon account and rebuilding the database should alleviate these issues.

• Ensure that all partitions on which MAC labeling will be implemented support the multilabel. We must do this because many of the examples here contain different labels for testing purposes. Review the output from the mount command as a precautionary measure.

• Switch any users who will have the higher security mechanisms enforced over to the new user class. A quick run of pw(8) or vipw(8) should do the trick.