Expand the synopsis for the MAC framework a bit to include additional

information on what MAC is, how the MAC framework supports MAC policies
in FreeBSD, etc.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs

en_US.ISO8859-1/books/arch-handbook/mac/chapter.sgml

@@ -65,12 +65,43 @@
   <sect1 id="mac-synopsis">
     <title>Synopsis</title>
     
-    <para>MAC, or Mandatory Access Control, is a feature introduced by
-      the TrustedBSD Project to supplement the existing standard DAC
-      (Discretionary Access Control) policies of BSD Unix systems.</para>
-    
-    <para>This chapter introduces the MAC policy framework and
-      provides documentation for a sample MAC policy module.</para>
+    <para>Mandatory Access Control (MAC) is a security feature frequently
+      found in commercial trusted operating systems.  MAC supplements
+      existing Discretionary Access Control (DAC) protections (such as
+      file system permissions and access control lists) by allowing the
+      security administrator to define mandatory protections for
+      system objects.  Mandatory protections may be distinguished from
+      discretionary protections in that DAC is applied at the discretion
+      of the object owner, whereas MAC protections are defined by the
+      administrator and applied to all users and objects in the system
+      and may not be bypassed even by object owners.  A variety of
+      MAC policies have been explored in security research literature
+      as well as the commercial trusted operating system space.  These
+      include policies such as the Multi-Level Security (MLS)
+      confidentiality policy, used to prevent inappropriate sharing of
+      information on multi-user systems, and the Biba integrity policy,
+      typically used to protect the integrity of system and user
+      services.</para>
+
+    <para>The implementation of MAC found in FreeBSD was developed by
+      the TrustedBSD Project, and includes support for both a number of
+      specific MAC policies, and for a flexible and extensible security
+      framework to support the easy creation of new kernel security
+      policies.  This framework isolates the internals of specific MAC
+      policies from the implementation of kernel services, and
+      encapsulates the policies in policy modules.  Policy modules may
+      be added to the system without changes to the base kernel, and can
+      augment the kernel security policy in a variety of ways.  In
+      addition, policies may provide a shared object implementation
+      of common MAC interfaces for userland applications, permitting
+      applications to be easily extended to manage labels for new
+      policies.  Support is provided for setting labels on user
+      processes at login, as well as in a number of other locations where
+      user context management occurs.</para>
+
+    <para>This chapter introduces the MAC policy userland and kernel
+      policy frameworks and provides documentation for a sample MAC
+      policy module.</para>
   </sect1>
   
   

en_US.ISO8859-1/books/developers-handbook/mac/chapter.sgml

@@ -65,12 +65,43 @@
   <sect1 id="mac-synopsis">
     <title>Synopsis</title>
     
-    <para>MAC, or Mandatory Access Control, is a feature introduced by
-      the TrustedBSD Project to supplement the existing standard DAC
-      (Discretionary Access Control) policies of BSD Unix systems.</para>
-    
-    <para>This chapter introduces the MAC policy framework and
-      provides documentation for a sample MAC policy module.</para>
+    <para>Mandatory Access Control (MAC) is a security feature frequently
+      found in commercial trusted operating systems.  MAC supplements
+      existing Discretionary Access Control (DAC) protections (such as
+      file system permissions and access control lists) by allowing the
+      security administrator to define mandatory protections for
+      system objects.  Mandatory protections may be distinguished from
+      discretionary protections in that DAC is applied at the discretion
+      of the object owner, whereas MAC protections are defined by the
+      administrator and applied to all users and objects in the system
+      and may not be bypassed even by object owners.  A variety of
+      MAC policies have been explored in security research literature
+      as well as the commercial trusted operating system space.  These
+      include policies such as the Multi-Level Security (MLS)
+      confidentiality policy, used to prevent inappropriate sharing of
+      information on multi-user systems, and the Biba integrity policy,
+      typically used to protect the integrity of system and user
+      services.</para>
+
+    <para>The implementation of MAC found in FreeBSD was developed by
+      the TrustedBSD Project, and includes support for both a number of
+      specific MAC policies, and for a flexible and extensible security
+      framework to support the easy creation of new kernel security
+      policies.  This framework isolates the internals of specific MAC
+      policies from the implementation of kernel services, and
+      encapsulates the policies in policy modules.  Policy modules may
+      be added to the system without changes to the base kernel, and can
+      augment the kernel security policy in a variety of ways.  In
+      addition, policies may provide a shared object implementation
+      of common MAC interfaces for userland applications, permitting
+      applications to be easily extended to manage labels for new
+      policies.  Support is provided for setting labels on user
+      processes at login, as well as in a number of other locations where
+      user context management occurs.</para>
+
+    <para>This chapter introduces the MAC policy userland and kernel
+      policy frameworks and provides documentation for a sample MAC
+      policy module.</para>
   </sect1>