Subversion Repositories general

Rev

Rev 1119 | Details | Compare with Previous | Last modification | View Log | RSS feed

Rev Author Line No. Line
1119 dev 1
.\" Copyright 2005, Anatoli Klassen <anatoli@aksoft.net>
2
.\" All rights reserved.
3
.\"
4
.\" Redistribution and use in source and binary forms, with or without
5
.\" modification, are permitted provided that the following conditions
6
.\" are met:
7
.\" 1. Redistributions of source code must retain the above copyright
8
.\"    notice, this list of conditions and the following disclaimer.
9
.\" 2. Redistributions in binary form must reproduce the above copyright
10
.\"    notice, this list of conditions and the following disclaimer in the
11
.\"    documentation and/or other materials provided with the distribution.
12
.\"
13
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
14
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
17
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23
.\" SUCH DAMAGE.
24
.\"
25
.\"
26
.Dd November 4, 2005
27
.Dt MAC_SETTIME 4
28
.Os
29
.Sh NAME
30
.Nm mac_settime
31
.Nd "set system time policy"
32
.Sh SYNOPSIS
33
To load the set system time policy module at boot time,
34
place the following line in your kernel configuration file:
35
.Bd -ragged -offset indent
36
.Cd "options MAC"
37
.Ed
38
.Pp
39
and place the following line in
40
.Xr loader.conf 5 :
41
.Pp
42
.Dl "mac_settime_load=""YES"""
43
.Pp
44
then compile the module and copy it to your kernel modules directory
45
(e.g. /boot/kernel or /boot/modules)
46
.Sh DESCRIPTION
47
The
48
.Nm
49
policy allows administrators to define who is allowed to set and adjust system time.
50
.Pp
51
In order to use the
52
.Nm
53
policy, the
54
.Va kern.usersettime
55
and
56
.Va kern.useradjtime
57
.Xr sysctl 8
58
MIBs should be set to 1 to disable kernel security check.
59
.Pp
60
If system time has to be changed from jail, additionaly the
61
.Va kern.jailsettime
62
and
63
.Va kern.jailadjtime
64
.Xr sysctl 8
65
MIBs should be set to 1.
66
.Pp
67
The following
68
.Xr sysctl 8
69
MIBs are available for fine-tuning the enforcement of this MAC policy.
70
All
71
.Xr sysctl 8
72
variables, except
73
.Va security.mac.portacl.rules ,
74
can also be set as
75
.Xr loader 8
76
tunables in
77
.Xr loader.conf 5 .
78
.Bl -tag -width indent
79
.It Va security.mac.settime.enabled
80
Enforce the
81
.Nm
82
policy.
83
(Default: 1).
84
.Pp
85
The MIB ca alse be set as
86
.Xr loader 8
87
tunables in
88
.Xr loader.conf 5 .
89
.It Va security.mac.settime.rules
90
The set time access control list is specified as list of rules, separated by semicolon or new line.
91
Rules are applied in given order, first match wins.
92
If no match found time setting is denied.
93
Each rule has the following format:
94
.Pp
95
.D1 Ar action Oo not Oc Ar idtype Ar idrange Oo not Oc Ar jailtype Ar jailidrange
96
.Pp
97
If some specification (id or jail) is omited it means "any".
98
The
99
.Li not
100
keyword negates the match.
101
Underscore can be used in place of space.
102
.Bl -tag -width ".Ar action"
103
.It Ar action
104
Describes the result of the rule, either
105
.Li allow
106
or
107
.Li deny .
108
.It Ar idtype
109
Describes the type of subject match to be performed.
110
Either
111
.Li uid
112
for user ID matching, or
113
.Li gid
114
for group ID matching.
115
.It Ar idrange : Bro Ar id | id Ns \&- Ns Ar id Ns Brc Ns Op , Ns Ar idrange
116
The user or group IDs range (depending on
117
.Ar idtype )
118
allowed to set system time.
119
.Bf -emphasis
120
NOTE: User and group names are not valid; only the actual ID numbers
121
may be used.
122
.Ef
123
.It Ar jailtype
124
Describes which jail match to be performed.
125
Either
126
.Li nojail
127
for the main system, or
128
.Li jail
129
for some jail, id range must be specified.
130
.It Ar jailidrange : Bro Ar jailid | jailid Ns \&- Ns Ar jailid Ns Brc Ns Op , Ns Ar jailidrange
131
IDs of jail allowed to set system time.
132
.Pp
133
.El
134
.Bf -emphasis
135
NOTE: MAC security policies may not override other security system policies
136
by allowing accesses that they may deny, such as
137
.Va kern.useradjtime /
138
.Va kern.jailadjtime /
139
.Va kern.usersettime /
140
.Va kern.jailsettime .
141
.Ef
142
If the internal kernel security checks are not disabled, the
143
.Nm
144
entry will not function
145
(i.e., even the specified user/group/jail may not be able to set system time).
146
.Sh EXAMPLES
147
To allow some user to set system time set
148
.Va security.mac.settime.rules
149
.Xr sysctl 8
150
MIBs to:
151
.Pp
152
.Dl "allow uid 2000 nojail"
153
.Pp
154
To additionaly allow root to set time from several jails set the
155
.Va security.mac.settime.rules
156
to:
157
.Pp
158
.Dl "allow uid 2000 nojail"
159
.Dl "allow uid 0 jail 4,5-9"
160
.Pp
161
If the MIB is set from /etc/sysctl.conf no spaces and new lines are allowed by /etc/rc.d/sysctl, so
162
the last example can be written in another form:
163
.Pp
164
.Dl "allow_uid_2000_nojail;allow_uid_0_jail_4,5-9"
165
.Pp
166
.Sh SEE ALSO
167
.Xr mac 3 ,
168
.Xr ip 4 ,
169
.Xr mac_biba 4 ,
170
.Xr mac_bsdextended 4 ,
171
.Xr mac_ifoff 4 ,
172
.Xr mac_mls 4 ,
173
.Xr mac_none 4 ,
174
.Xr mac_partition 4 ,
175
.Xr mac_seeotheruids 4 ,
176
.Xr mac_portacl 4 ,
177
.Xr mac_test 4 ,
178
.Xr mac 9
179
.Sh HISTORY
180
MAC first appeared in
181
.Fx 5.0