Hook up a sample LOMAC labeling policy. Unlike the old LOMAC module,

the file system initial labeling policy exists in userland, and is
fed into setfsmac(1).  This is based on the old LOMAC PLM.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories

1 files changed, 29 insertions, 0 deletions

diff --git a/share/security/lomac-policy.contexts b/share/security/lomac-policy.contexts
new file mode 100644
index 0000000000000..e01bd2842c60a
--- /dev/null
+++ b/share/security/lomac-policy.contexts
@@ -0,0 +1,29 @@
+# $FreeBSD$
+#
+# This is a sample LOMAC policy based upon the PLM defined in the
+# original FreeBSD LOMAC port.  It may be configured on a
+# system via setfsmac(8).
+
+.*				lomac/high
+/sbin/dhclient			lomac/high[low]
+/dev(/.*)?			lomac/equal
+# This is not an exhaustive list of all "privileged" devices.
+/dev/mdctl			lomac/high
+/dev/pci			lomac/high
+/dev/k?mem			lomac/high
+/dev/io				lomac/high
+/dev/agp.*			lomac/high
+(/var)?/tmp(/.*)?		lomac/equal
+/tmp/\.X11-unix			lomac/high[equal]
+/tmp/\.X11-unix/.*		lomac/equal
+/proc(/.*)?			lomac/equal
+/mnt.*				lomac/low
+(/usr)?/home			lomac/high[low]
+(/usr)?/home/.*			lomac/low
+/var/mail(/.*)?			lomac/low
+/var/spool/mqueue(/.*)?		lomac/low
+(/mnt)?/cdrom(/.*)?		lomac/high
+(/usr)?/home/(ftp|samba)(/.*)?	lomac/high
+/var/log/sendmail\.st		lomac/low
+/var/run/utmp			lomac/equal
+/var/log/(lastlog|wtmp)		lomac/equal