Label (Mac OS) - Wikipedia

  • 17.4 Understanding MAC Labels
  • 17.4.1 Label Configuration
  • Common Label Types
  • Users and Label Settings
  • Network Interfaces and Label Settings
  • 17.4.2 Singlelabel or Multilabel?
  • BeLight Software's Labels & Addresses for Mac

  • 17.4 Understanding MAC Labels

    A label is a security attribute which may be applied to subjects and objects throughout the system.

    When setting a label, the user must be able to comprehend what it is, exactly, that is being done. The attributes available on an object depend on the policy module loaded, and that policy modules interpret their attributes in different ways. If improperly configured due to lack of comprehension, or the inability to understand the implications, the result will be the unexpected and perhaps, undesired, behavior of the system.

    The security label on an object is used as a part of a security access control decision by a policy. With some policies, the label by itself contains all information necessary to make a decision; in other models, the labels may be processed as part of a larger rule set, etc.

    For instance, setting the label of on a file will represent a label maintained by the Biba security policy module, with a value of “low”.

    A few policy modules which support the labeling feature in FreeBSD offer three specific predefined labels. These are the low, high, and equal labels. Although they enforce access control in a different manner with each policy module, you can be sure that the low label will be the lowest setting, the equal label will set the subject or object to be disabled or unaffected, and the high label will enforce the highest setting available in the Biba and policy modules.

    Within single label file system environments, only one label may be used on objects. This will enforce one set of access permissions across the entire system and in many environments may be all that is required. There are a few cases where multiple labels may be set on objects or subjects in the file system. For those cases, the option may be passed to tunefs(8).

    In the case of Biba and , a numeric label may be set to indicate the precise level of hierarchical control. This numeric level is used to partition or sort information into different groups of say, classification only permitting access to that group or a higher group level.

    In most cases the administrator will only be setting up a single label to use throughout the file system.

    Hey wait, this is similar to ! I thought gave control strictly to the administrator. That statement still holds true, to some extent as is the one in control and who configures the policies so that users are placed in the appropriate categories/access levels. Alas, many policy modules can restrict the user as well. Basic control over objects will then be released to the group, but may revoke or modify the settings at any time. This is the hierarchal/clearance model covered by policies such as Biba and .

    17.4.1 Label Configuration

    Virtually all aspects of label policy module configuration will be performed using the base system utilities. These commands provide a simple interface for object or subject configuration or the manipulation and verification of the configuration.

    All configuration may be done by use of the setfmac(8) and setpmac(8) utilities. The command is used to set labels on system objects while the command is used to set the labels on system subjects. Observe:

    If no errors occurred with the command above, a prompt will be returned. The only time these commands are not quiescent is when an error occurred; similarly to the chmod(1) and chown(8) commands. In some cases this error may be a “” and is usually obtained when the label is being set or modified on an object which is restricted. The system administrator may use the following commands to overcome this:

    “” test: biba/high

    As we see above, can be used to override the policy module's settings by assigning a different label to the invoked process. The utility is usually used with currently running processes, such as sendmail: although it takes a process ID in place of a command the logic is extremely similar. If users attempt to manipulate a file not in their access, subject to the rules of the loaded policy modules, the “” error will be displayed by the function. Common Label Types

    For the mac_biba(4), mac_mls(4) and mac_lomac(4) policy modules, the ability to assign simple labels is provided. These take the form of high, equal and low, what follows is a brief description of what these labels provide:

    • The label is considered the lowest label setting an object or subject may have. Setting this on objects or subjects will block their access to objects or subjects marked high.

    • The label should only be placed on objects considered to be exempt from the policy.

    • The label grants an object or subject the highest possible setting.

    With respect to each policy module, each of those settings will instate a different information flow directive. Reading the proper manual pages will further explain the traits of these generic label configurations. Advanced Label Configuration

    Numeric grade labels are used for ; thus the following:


    May be interpreted as:

    “Biba Policy Label”/“Grade 10” :“Compartments 2, 3 and 6”: (“grade 5 ...”)

    In this example, the first grade would be considered the “effective grade” with “effective compartments”, the second grade is the low grade and the last one is the high grade. In most configurations these settings will not be used; indeed, they offered for more advanced configurations.

    When applied to system objects, they will only have a current grade/compartments as opposed to system subjects as they reflect the range of available rights in the system, and network interfaces, where they are used for access control.

    The grade and compartments in a subject and object pair are used to construct a relationship referred to as “dominance”, in which a subject dominates an object, the object dominates the subject, neither dominates the other, or both dominate each other. The “both dominate” case occurs when the two labels are equal. Due to the information flow nature of Biba, you have rights to a set of compartments, “need to know”, that might correspond to projects, but objects also have a set of compartments. Users may have to subset their rights using or in order to access objects in a compartment from which they are not restricted. Users and Label Settings

    Users themselves are required to have labels so that their files and processes may properly interact with the security policy defined on the system. This is configured through the file by use of login classes. Every policy module that uses labels will implement the user class setting.

    An example entry containing every policy module setting is displayed below:

    default:\ :copyright=/etc/COPYRIGHT:\ :welcome=/etc/motd:\ :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\ :path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:\ :manpath=/usr/share/man /usr/local/man:\ :nologin=/usr/sbin/nologin:\ :cputime=1h30m:\ :datasize=8M:\ :vmemoryuse=100M:\ :stacksize=2M:\ :memorylocked=4M:\ :memoryuse=8M:\ :filesize=8M:\ :coredumpsize=8M:\ :openfiles=24:\ :maxproc=32:\ :priority=0:\ :requirehome:\ :passwordtime=91d:\ :umask=022:\ :ignoretime@:\ :label=partition/13,mls/5,biba/10(5-15),lomac/10[2]:

    The option is used to set the user class default label which will be enforced by . Users will never be permitted to modify this value, thus it can be considered not optional in the user case. In a real configuration, however, the administrator will never wish to enable every policy module. It is recommended that the rest of this chapter be reviewed before any of this configuration is implemented.

    Note: Users may change their label after the initial login; however, this change is subject constraints of the policy. The example above tells the Biba policy that a process's minimum integrity is 5, its maximum is 15, but the default effective label is 10. The process will run at 10 until it chooses to change label, perhaps due to the user using the setpmac command, which will be constrained by Biba to the range set at login.

    In all cases, after a change to , the login class capability database must be rebuilt using and this will be reflected throughout every forthcoming example or discussion.

    It is useful to note that many sites may have a particularly large number of users requiring several different user classes. In depth planning is required as this may get extremely difficult to manage. Network Interfaces and Label Settings

    Labels may also be set on network interfaces to help control the flow of data across the network. In all cases they function in the same way the policies function with respect to objects. Users at high settings in , for example, will not be permitted to access network interfaces with a label of low.

    The may be passed to when setting the label on network interfaces. For example:

    will set the label of on the bge(4) interface. When using a setting similar to the entire label should be quoted; otherwise an error will be returned.

    Each policy module which supports labeling has a tunable which may be used to disable the label on network interfaces. Setting the label to will have a similar effect. Review the output from , the policy manual pages, or even the information found later in this chapter for those tunables.

    17.4.2 Singlelabel or Multilabel?

    By default the system will use the option. But what does this mean to the administrator? There are several differences which, in their own right, offer pros and cons to the flexibility in the systems security model.

    The only permits for one label, for instance to be used for each subject or object. It provides for lower administration overhead but decreases the flexibility of policies which support labeling. Many administrators may want to use the option in their security policy.

    The option will permit each subject or object to have its own independent label in place of the standard option which will allow only one label throughout the partition. The and label options are only required for the policies which implement the labeling feature, including the Biba, Lomac, and policies.

    In many cases, the may not need to be set at all. Consider the following situation and security model:

    • FreeBSD web-server using the framework and a mix of the various policies.

    • This machine only requires one label, , for everything in the system. Here the file system would not require the option as a single label will always be in effect.

    • But, this machine will be a web server and should have the web server run at to prevent write up capabilities. The Biba policy and how it works will be discussed later, so if the previous comment was difficult to interpret just continue reading and return. The server could use a separate partition set at for most if not all of its runtime state. Much is lacking from this example, for instance the restrictions on data, configuration and user settings; however, this is just a quick example to prove the aforementioned point.

    If any of the non-labeling policies are to be used, then the option would never be required. These include the , and policies.

    It should also be noted that using with a partition and establishing a security model based on functionality could open the doors for higher administrative overhead as everything in the file system would have a label. This includes directories, files, and even device nodes.

    The following command will set on the file systems to have multiple labels. This may only be done in single user mode:

    This is not a requirement for the swap file system.

    Note: Some users have experienced problems with setting the flag on the root partition. If this is the case, please review the Section 17.17 of this chapter.


    BeLight Software's Labels & Addresses for Mac

    Опубликовано: 15.02.2018 | Автор: lecpustraber

    Рейтинг статьи: 5


    Всего 8 комментариев.

    15.02.2018 jobtneromem:
    Обнови Софт рекомендует использовать программу Home Print Labels, Mac Label Maker в соответствии с правилами интеллектуальной собственности.

    24.02.2018 Агафон:
    Для загрузки приложения Labels & Addresses из Mac App Store необходим компьютер Mac с операционной системой Mac OS X 10.6.6 или более поздней версии.

    23.03.2018 Автоном:
    A MAC label is a security attribute which may be applied to subjects and objects throughout the system. When setting a label.

    24.02.2018 Конкордия:
    Mac Label Maker with most of the Avery labels and cards formats support and powerful mail merge feature.

    16.03.2018 Никандр:
    Mac Label Maker - Это мощный инструмент для создания различных этикеток и карточек, обладающий встроенным герератором штрих-кодов.

    13.02.2018 veybuntilim:
    Labels in Macintosh operating systems are a type of seven distinct, colored parameters of metadata that can be attributed to files, folders and disks in the operating system. The labels were introduced in System 7 and were kept until the release of M.