Subversion Repositories general

Rev

Rev 1119 | Blame | Compare with Previous | Last modification | View Log | RSS feed

.\" Copyright 2005, Anatoli Klassen <anatoli@aksoft.net>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"
.Dd November 4, 2005
.Dt MAC_SETTIME 4
.Os
.Sh NAME
.Nm mac_settime
.Nd "set system time policy"
.Sh SYNOPSIS
To load the set system time policy module at boot time,
place the following line in your kernel configuration file:
.Bd -ragged -offset indent
.Cd "options MAC"
.Ed
.Pp
and place the following line in
.Xr loader.conf 5 :
.Pp
.Dl "mac_settime_load=""YES"""
.Pp
then compile the module and copy it to your kernel modules directory
(e.g. /boot/kernel or /boot/modules)
.Sh DESCRIPTION
The
.Nm
policy allows administrators to define who is allowed to set and adjust system time.
.Pp
In order to use the
.Nm
policy, the
.Va kern.usersettime
and
.Va kern.useradjtime
.Xr sysctl 8
MIBs should be set to 1 to disable kernel security check.
.Pp
If system time has to be changed from jail, additionaly the
.Va kern.jailsettime
and
.Va kern.jailadjtime
.Xr sysctl 8
MIBs should be set to 1.
.Pp
The following
.Xr sysctl 8
MIBs are available for fine-tuning the enforcement of this MAC policy.
All
.Xr sysctl 8
variables, except
.Va security.mac.portacl.rules ,
can also be set as
.Xr loader 8
tunables in
.Xr loader.conf 5 .
.Bl -tag -width indent
.It Va security.mac.settime.enabled
Enforce the
.Nm
policy.
(Default: 1).
.Pp
The MIB ca alse be set as
.Xr loader 8
tunables in
.Xr loader.conf 5 .
.It Va security.mac.settime.rules
The set time access control list is specified as list of rules, separated by semicolon or new line.
Rules are applied in given order, first match wins.
If no match found time setting is denied.
Each rule has the following format:
.Pp
.D1 Ar action Oo not Oc Ar idtype Ar idrange Oo not Oc Ar jailtype Ar jailidrange
.Pp
If some specification (id or jail) is omited it means "any".
The
.Li not
keyword negates the match.
Underscore can be used in place of space.
.Bl -tag -width ".Ar action"
.It Ar action
Describes the result of the rule, either
.Li allow
or
.Li deny .
.It Ar idtype
Describes the type of subject match to be performed.
Either
.Li uid
for user ID matching, or
.Li gid
for group ID matching.
.It Ar idrange : Bro Ar id | id Ns \&- Ns Ar id Ns Brc Ns Op , Ns Ar idrange
The user or group IDs range (depending on
.Ar idtype )
allowed to set system time.
.Bf -emphasis
NOTE: User and group names are not valid; only the actual ID numbers
may be used.
.Ef
.It Ar jailtype
Describes which jail match to be performed.
Either
.Li nojail
for the main system, or
.Li jail
for some jail, id range must be specified.
.It Ar jailidrange : Bro Ar jailid | jailid Ns \&- Ns Ar jailid Ns Brc Ns Op , Ns Ar jailidrange
IDs of jail allowed to set system time.
.Pp
.El
.Bf -emphasis
NOTE: MAC security policies may not override other security system policies
by allowing accesses that they may deny, such as
.Va kern.useradjtime /
.Va kern.jailadjtime /
.Va kern.usersettime /
.Va kern.jailsettime .
.Ef
If the internal kernel security checks are not disabled, the
.Nm
entry will not function
(i.e., even the specified user/group/jail may not be able to set system time).
.Sh EXAMPLES
To allow some user to set system time set
.Va security.mac.settime.rules
.Xr sysctl 8
MIBs to:
.Pp
.Dl "allow uid 2000 nojail"
.Pp
To additionaly allow root to set time from several jails set the
.Va security.mac.settime.rules
to:
.Pp
.Dl "allow uid 2000 nojail"
.Dl "allow uid 0 jail 4,5-9"
.Pp
If the MIB is set from /etc/sysctl.conf no spaces and new lines are allowed by /etc/rc.d/sysctl, so
the last example can be written in another form:
.Pp
.Dl "allow_uid_2000_nojail;allow_uid_0_jail_4,5-9"
.Pp
.Sh SEE ALSO
.Xr mac 3 ,
.Xr ip 4 ,
.Xr mac_biba 4 ,
.Xr mac_bsdextended 4 ,
.Xr mac_ifoff 4 ,
.Xr mac_mls 4 ,
.Xr mac_none 4 ,
.Xr mac_partition 4 ,
.Xr mac_seeotheruids 4 ,
.Xr mac_portacl 4 ,
.Xr mac_test 4 ,
.Xr mac 9
.Sh HISTORY
MAC first appeared in
.Fx 5.0