White space fix only. Translators can ignore.

Sponsored by: iXsystems
svn path=/head/; revision=44375
2014-03-28 16:58:45 +00:00 · 2014-03-28 16:58:45 +00:00 · 91c1863bde · 2020-12-08 03:00:23 +00:00
commit 91c1863bde
parent 94d3851b1f
1 changed files with 228 additions and 239 deletions
--- a/en_US.ISO8859-1/books/handbook/mac/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/mac/chapter.xml
@ -552,10 +552,10 @@ test: biba/high</screen>
  <sect1 xml:id="mac-planning">
    <title>Planning the Security Configuration</title>
-    <para>Before implementing any <acronym>MAC</acronym> policies, a planning phase
+    <para>Before implementing any <acronym>MAC</acronym> policies, a
-      is recommended.  During the planning stages, an administrator
+      planning phase is recommended.  During the planning stages, an
-      should consider the implementation requirements and
+      administrator should consider the implementation requirements
-      goals, such as:</para>
+      and goals, such as:</para>
    <itemizedlist>
      <listitem>
@ -570,32 +570,30 @@ test: biba/high</screen>
      </listitem>
      <listitem>
-	<para>Which <acronym>MAC</acronym> modules will be
+	<para>Which <acronym>MAC</acronym> modules will be required to
-	  required to achieve this goal.</para>
+	  achieve this goal.</para>
      </listitem>
    </itemizedlist>
-    <para>A trial run of the trusted
+    <para>A trial run of the trusted system and its configuration
-      system and its configuration should occur
+      should occur <emphasis>before</emphasis> a
-      <emphasis>before</emphasis> a <acronym>MAC</acronym>
+      <acronym>MAC</acronym> implementation is used on production
-      implementation is used on production systems.  Since different
+      systems.  Since different environments have different needs and
-      environments have different needs and
+      requirements, establishing a complete security profile will
-      requirements, establishing a complete security
+      decrease the need of changes once the system goes live.</para>
      profile will decrease the need of changes once the system
      goes live.</para>
-    <para>Consider how the
+    <para>Consider how the <acronym>MAC</acronym> framework augments
-      <acronym>MAC</acronym> framework augments the security of
+      the security of the system as a whole.  The various security
-      the system as a whole.  The various security policy modules
+      policy modules provided by the <acronym>MAC</acronym> framework
-      provided by the <acronym>MAC</acronym> framework could be used
+      could be used to protect the network and file systems or to
-      to protect the network and file systems or to block users from
+      block users from accessing certain ports and sockets.  Perhaps
-      accessing certain ports and sockets.  Perhaps the best use of
+      the best use of the policy modules is to load several security
-      the policy modules is to load several security policy modules at
+      policy modules at a time in order to provide a
-      a time in order to provide a <acronym>MLS</acronym> environment.
+      <acronym>MLS</acronym> environment.  This approach differs from
-      This approach differs from a hardening policy, which typically
+      a hardening policy, which typically hardens elements of a system
-      hardens elements of a system which are used only for specific
+      which are used only for specific purposes.  The downside to
-      purposes.  The downside to <acronym>MLS</acronym> is increased
+      <acronym>MLS</acronym> is increased administrative
-      administrative overhead.</para>
+      overhead.</para>
    <para>The overhead is minimal when compared to the lasting effect
      of a framework which provides the ability to pick and choose
@ -615,10 +613,10 @@ test: biba/high</screen>
      <acronym>MAC</acronym> access rules is in the hands of the
      system administrator.</para>
-    <para>It is the duty of the system administrator to
+    <para>It is the duty of the system administrator to carefully
-      carefully select the correct security policy modules.  For an
+      select the correct security policy modules.  For an environment
-      environment that needs to limit access control over the network,
+      that needs to limit access control over the network, the
-      the &man.mac.portacl.4;, &man.mac.ifoff.4;, and &man.mac.biba.4;
+      &man.mac.portacl.4;, &man.mac.ifoff.4;, and &man.mac.biba.4;
      policy modules make good starting points.  For an environment
      where strict confidentiality of file system objects is required,
      consider the &man.mac.bsdextended.4; and &man.mac.mls.4; policy
@ -646,17 +644,17 @@ test: biba/high</screen>
      framework will help administrators choose the best policies
      for their situations.</para>
-    <para>  The rest of this chapter covers the available
+    <para>  The rest of this chapter covers the available modules,
-      modules, describes their use and configuration, and in some
+      describes their use and configuration, and in some cases,
-      cases, provides insight on applicable situations.</para>
+      provides insight on applicable situations.</para>
    <caution>
      <para>Implementing <acronym>MAC</acronym> is much like
-	implementing a firewall since care must be taken to prevent being
+	implementing a firewall since care must be taken to prevent
-	completely locked out of the system.  The ability to revert
+	being completely locked out of the system.  The ability to
-	back to a previous configuration should be considered and the
+	revert back to a previous configuration should be considered
-	implementation of <acronym>MAC</acronym> over a remote connection should be
+	and the implementation of <acronym>MAC</acronym> over a remote
-	done with extreme caution.</para>
+	connection should be done with extreme caution.</para>
    </caution>
  </sect1>
@ -664,14 +662,14 @@ test: biba/high</screen>
    <title>Available MAC Policies</title>
    <para>Beginning with &os;&nbsp;8.0, the default &os; kernel
-      includes <literal>options MAC</literal>.  This means that
+      includes <literal>options MAC</literal>.  This means that every
-      every module included with the <acronym>MAC</acronym>
+      module included with the <acronym>MAC</acronym> framework can be
-      framework can be loaded with <command>kldload</command> as a run-time kernel module.
+      loaded with <command>kldload</command> as a run-time kernel
-      After testing the module, add the module name to
+      module.  After testing the module, add the module name to
      <filename>/boot/loader.conf</filename> so that it will load
-      during boot.  Each module also provides a kernel option
+      during boot.  Each module also provides a kernel option for
-      for those administrators who choose to compile their own
+      those administrators who choose to compile their own custom
-      custom kernel.</para>
+      kernel.</para>
    <para>&os; includes a group of policies that will cover most
      security requirements.  Each policy is summarized below.  The
@ -693,8 +691,8 @@ test: biba/high</screen>
      <para>Boot option:
 	<literal>mac_seeotheruids_load="YES"</literal></para>
-      <para>The &man.mac.seeotheruids.4; module extends
+      <para>The &man.mac.seeotheruids.4; module extends the
-	the <varname>security.bsd.see_other_uids</varname> and
+	<varname>security.bsd.see_other_uids</varname> and
 	<varname>security.bsd.see_other_gids</varname>
 	<command>sysctl</command> tunables.  This option does not
 	require any labels to be set before configuration and can
@ -707,9 +705,9 @@ test: biba/high</screen>
      <itemizedlist>
 	<listitem>
 	  <para><varname>security.mac.seeotheruids.enabled</varname>
-	    enables the module and implements the default settings which
+	    enables the module and implements the default settings
-	    deny users the ability to view processes and sockets owned
+	    which deny users the ability to view processes and sockets
-	    by other users.</para>
+	    owned by other users.</para>
 	</listitem>
 	<listitem>
@ -750,15 +748,14 @@ test: biba/high</screen>
      <para>Boot option:
 	<literal>mac_bsdextended_load="YES"</literal></para>
-      <para>The &man.mac.bsdextended.4; module enforces a file
+      <para>The &man.mac.bsdextended.4; module enforces a file system
-	system firewall.  It provides an extension
+	firewall.  It provides an extension to the standard file
-	to the standard file system permissions model, permitting an
+	system permissions model, permitting an administrator to
-	administrator to create a firewall-like ruleset to protect
+	create a firewall-like ruleset to protect files, utilities,
-	files, utilities, and directories in the file system
+	and directories in the file system hierarchy.  When access to
-	hierarchy.  When access to a file system object is attempted,
+	a file system object is attempted, the list of rules is
-	the list of rules is iterated until either a matching rule is
+	iterated until either a matching rule is located or the end is
-	located or the end is reached.  This behavior may be changed
+	reached.  This behavior may be changed using
 	using
 	<varname>security.mac.bsdextended.firstmatch_enabled</varname>.
 	Similar to other firewall modules in &os;, a file containing
 	the access control rules can be created and read by the system
@ -769,24 +766,25 @@ test: biba/high</screen>
 	written by using the functions in the &man.libugidfw.3;
 	library.</para>
-	<para>After the &man.mac.bsdextended.4; module has been
+      <para>After the &man.mac.bsdextended.4; module has been loaded,
-	  loaded, the following command may be used to list the
+	the following command may be used to list the current rule
-	  current rule configuration:</para>
+	configuration:</para>
      <screen>&prompt.root; <userinput>ugidfw list</userinput>
 0 slots, 0 rules</screen>
      <para>By default, no rules are defined and everything is
-	  completely accessible.  To create a rule which blocks
+	completely accessible.  To create a rule which blocks all
-	  all access by users but leaves <systemitem
+	access by users but leaves <systemitem
 	  class="username">root</systemitem> unaffected:</para>
      <screen>&prompt.root; <userinput>ugidfw add subject not uid root new object not uid root mode n</userinput></screen>
-	<para>While this rule is simple to implement, it is a very bad idea as it blocks all users from
+      <para>While this rule is simple to implement, it is a very bad
-	  issuing any commands.  A more realistic example blocks
+	idea as it blocks all users from issuing any commands.  A
-	  <systemitem class="username">user1</systemitem> all
+	more realistic example blocks <systemitem
-	  access, including directory listings, to <systemitem
+	  class="username">user1</systemitem> all access, including
 	directory listings, to <systemitem
 	  class="username"><replaceable>user2</replaceable></systemitem>'s
 	home directory:</para>
@ -795,15 +793,16 @@ test: biba/high</screen>
      <para>Instead of <systemitem
 	  class="username">user1</systemitem>, <option>not
-	    uid <replaceable>user2</replaceable></option> could be
+	  uid <replaceable>user2</replaceable></option> could be used
-	  used in order to enforce the same access restrictions for all
+	in order to enforce the same access restrictions for all
-	  users.  However, the <systemitem class="username">root</systemitem>
+	users.  However, the <systemitem
-	  user is unaffected by these rules.</para>
+	  class="username">root</systemitem> user is unaffected by
 	these rules.</para>
      <note>
 	<para>Extreme caution should be taken when working with this
-	module as incorrect use could block access to certain parts of
+	  module as incorrect use could block access to certain
-	the file system.</para>
+	  parts of the file system.</para>
      </note>
    </sect2>
@ -821,10 +820,10 @@ test: biba/high</screen>
      <para>Boot option:
 	<literal>mac_ifoff_load="YES"</literal></para>
-      <para>The &man.mac.ifoff.4; module is used to disable
+      <para>The &man.mac.ifoff.4; module is used to disable network
-	network interfaces on the fly and to keep network interfaces from
+	interfaces on the fly and to keep network interfaces from
-	being brought up during system boot.  It does not use
+	being brought up during system boot.  It does not use labels
-	labels and does not depend on any other
+	and does not depend on any other
 	<acronym>MAC</acronym> modules.</para>
      <para>Most of this module's control is performed through these
@ -853,8 +852,8 @@ test: biba/high</screen>
      <para>One of the most common uses of &man.mac.ifoff.4; is
 	network monitoring in an environment where network traffic
 	should not be permitted during the boot sequence.  Another
-	use would be to write a script which uses an application such as
+	use would be to write a script which uses an application such
-	<package>security/aide</package> to automatically block
+	as <package>security/aide</package> to automatically block
 	network traffic if it finds new or altered files in protected
 	directories.</para>
    </sect2>
@ -904,15 +903,14 @@ test: biba/high</screen>
 	<listitem>
 	  <para><varname>security.mac.portacl.rules</varname>
-	    specifies the policy as a text string
+	    specifies the policy as a text string of the form
-	    of the form <literal>rule[,rule,...]</literal>, with as
+	    <literal>rule[,rule,...]</literal>, with as many rules as
-	    many rules as needed, and where each rule is of the form
+	    needed, and where each rule is of the form
 	    <literal>idtype:id:protocol:port</literal>.  The
 	    <parameter>idtype</parameter> is either
 	    <literal>uid</literal> or <literal>gid</literal>.  The
 	    <parameter>protocol</parameter> parameter can be
-	    <literal>tcp</literal> or
+	    <literal>tcp</literal> or <literal>udp</literal>.  The
 	    <literal>udp</literal>.  The
 	    <parameter>port</parameter> parameter is the port number
 	    to allow the specified user or group to bind to.  Only
 	    numeric values can be used for the user ID, group ID,
@ -931,16 +929,16 @@ test: biba/high</screen>
 &prompt.root; <userinput>sysctl net.inet.ip.portrange.reservedlow=0</userinput>
 &prompt.root; <userinput>sysctl net.inet.ip.portrange.reservedhigh=0</userinput></screen>
-	<para>To prevent the <systemitem class="username">root</systemitem>
+      <para>To prevent the <systemitem
-	  user from being affected by this policy, set
+	  class="username">root</systemitem> user from being affected
 	by this policy, set
 	<varname>security.mac.portacl.suser_exempt</varname> to a
 	non-zero value.</para>
      <screen>&prompt.root; <userinput>sysctl security.mac.portacl.suser_exempt=1</userinput></screen>
-	<para>To allow the <systemitem
+      <para>To allow the <systemitem class="username">www</systemitem>
-	    class="username">www</systemitem> user with <acronym>UID</acronym> 80
+	user with <acronym>UID</acronym> 80 to bind to port 80
 	  to bind to port 80
 	without ever needing <systemitem
 	  class="username">root</systemitem> privilege:</para>
@ -948,8 +946,8 @@ test: biba/high</screen>
      <para>This next example permits the user with the
 	<acronym>UID</acronym> of 1001 to bind to
-	  <acronym>TCP</acronym> ports 110 (POP3) and
+	<acronym>TCP</acronym> ports 110 (POP3) and 995
-	  995 (POP3s):</para>
+	(POP3s):</para>
      <screen>&prompt.root; <userinput>sysctl security.mac.portacl.rules=uid:1001:tcp:110,uid:1001:tcp:995</userinput></screen>
    </sect2>
@ -970,9 +968,10 @@ test: biba/high</screen>
      <para>The &man.mac.partition.4; policy drops processes into
 	specific <quote>partitions</quote> based on their
-	<acronym>MAC</acronym> label.  Most configuration for this policy is done using
+	<acronym>MAC</acronym> label.  Most configuration for this
-	&man.setpmac.8;.  One <command>sysctl</command> tunable is
+	policy is done using &man.setpmac.8;.  One
-	available for this policy:</para>
+	<command>sysctl</command> tunable is available for this
 	policy:</para>
      <itemizedlist>
 	<listitem>
@ -998,14 +997,13 @@ test: biba/high</screen>
      <screen>&prompt.root; <userinput>setpmac partition/13 top</userinput></screen>
-	<para>This command displays the partition label
+      <para>This command displays the partition label and the process
-	  and the process list:</para>
+	list:</para>
      <screen>&prompt.root; <userinput>ps Zax</userinput></screen>
-	<para>This command displays another user's process
+      <para>This command displays another user's process partition
-	  partition label and that user's currently running
+	label and that user's currently running processes:</para>
 	  processes:</para>
      <screen>&prompt.root; <userinput>ps -ZU trhodes</userinput></screen>
@ -1036,36 +1034,33 @@ test: biba/high</screen>
      <para>In <acronym>MLS</acronym> environments, a
 	<quote>clearance</quote> level is set in the label of each
 	subject or object, along with compartments.  Since these
-	clearance levels can reach numbers greater than
+	clearance levels can reach numbers greater than several
-	several thousand, it would be a daunting task
+	thousand, it would be a daunting task to thoroughly configure
-	to thoroughly configure every subject or object.
+	every subject or object.  To ease this administrative
-	To ease this administrative overhead, three labels are included
+	overhead, three labels are included in this policy:
-	in this policy: <literal>mls/low</literal>,
+	<literal>mls/low</literal>, <literal>mls/equal</literal> and
-	<literal>mls/equal</literal> and <literal>mls/high</literal>,
+	<literal>mls/high</literal>, where:</para>
 	where:</para>
      <itemizedlist>
 	<listitem>
-	  <para>Anything labeled with
+	  <para>Anything labeled with <literal>mls/low</literal> will
-	    <literal>mls/low</literal> will have a low clearance level
+	    have a low clearance level and not be permitted to access
-	    and not be permitted to access information of a higher
+	    information of a higher level.  This label also prevents
-	    level.  This label also prevents objects of a higher
+	    objects of a higher clearance level from writing or
-	    clearance level from writing or passing information to a
+	    passing information to a lower level.</para>
 	    lower level.</para>
 	</listitem>
 	<listitem>
-	  <para><literal>mls/equal</literal> should be
+	  <para><literal>mls/equal</literal> should be placed on
-	    placed on objects which should be exempt from the
+	    objects which should be exempt from the policy.</para>
 	    policy.</para>
 	</listitem>
 	<listitem>
-	  <para><literal>mls/high</literal> is the highest
+	  <para><literal>mls/high</literal> is the highest level of
-	    level of clearance possible.  Objects assigned this label
+	    clearance possible.  Objects assigned this label will hold
-	    will hold dominance over all other objects in the system;
+	    dominance over all other objects in the system; however,
-	    however, they will not permit the leaking of information
+	    they will not permit the leaking of information to objects
-	    to objects of a lower class.</para>
+	    of a lower class.</para>
 	</listitem>
      </itemizedlist>
@ -1141,29 +1136,28 @@ test: biba/high</screen>
 	<acronym>MLS</acronym> policy information and to feed that
 	file to <command>setfmac</command>.</para>
-	<para>When using the <acronym>MLS</acronym> policy module, an administrator plans
+      <para>When using the <acronym>MLS</acronym> policy module, an
-	  to control the flow of sensitive information.  The default
+	administrator plans to control the flow of sensitive
-	  <literal>block read up block write down</literal> sets
+	information.  The default <literal>block read up block write
-	  everything to a low state.  Everything is accessible and an
+	  down</literal> sets everything to a low state.  Everything
-	  administrator slowly augments the confidentiality of the
+	is accessible and an administrator slowly augments the
-	  information.</para>
+	confidentiality of the information.</para>
      <para>Beyond the three basic label options, an administrator
 	may group users and groups as required to block the
-	  information flow between them.  It might be easier to look
+	information flow between them.  It might be easier to look at
-	  at the information in clearance levels using descriptive
+	the information in clearance levels using descriptive words,
-	  words, such as classifications of
+	such as classifications of <literal>Confidential</literal>,
-	  <literal>Confidential</literal>, <literal>Secret</literal>,
+	<literal>Secret</literal>, and <literal>Top Secret</literal>.
-	  and <literal>Top Secret</literal>.  Some administrators
+	Some administrators instead create different groups based on
-	  instead create different groups based on project levels.
+	project levels.  Regardless of the classification method, a
-	  Regardless of the classification method, a well thought out
+	well thought out plan must exist before implementing a
-	  plan must exist before implementing a restrictive
+	restrictive policy.</para>
 	  policy.</para>
-	<para>Some example situations for the <acronym>MLS</acronym> policy module
+      <para>Some example situations for the <acronym>MLS</acronym>
-	  include an e-commerce web server, a file server holding
+	policy module include an e-commerce web server, a file server
-	  critical company information, and financial institution
+	holding critical company information, and financial
-	  environments.</para>
+	institution environments.</para>
    </sect2>
    <sect2 xml:id="mac-biba">
@ -1198,23 +1192,22 @@ test: biba/high</screen>
      <itemizedlist>
 	<listitem>
-	  <para><literal>biba/low</literal> is considered
+	  <para><literal>biba/low</literal> is considered the lowest
-	    the lowest integrity an object or subject may have.
+	    integrity an object or subject may have.  Setting this on
-	    Setting this on objects or subjects blocks their write
+	    objects or subjects blocks their write access to objects
-	    access to objects or subjects marked as <literal>biba/high</literal>, but will not prevent
+	    or subjects marked as <literal>biba/high</literal>, but
-	    read access.</para>
+	    will not prevent read access.</para>
 	</listitem>
 	<listitem>
-	  <para><literal>biba/equal</literal> should only be
+	  <para><literal>biba/equal</literal> should only be placed on
-	    placed on objects considered to be exempt from the
+	    objects considered to be exempt from the policy.</para>
 	    policy.</para>
 	</listitem>
 	<listitem>
-	  <para><literal>biba/high</literal> permits
+	  <para><literal>biba/high</literal> permits writing to
-	    writing to objects set at a lower label, but does not permit
+	    objects set at a lower label, but does not permit reading
-	    reading that object.  It is recommended that this label be
+	    that object.  It is recommended that this label be
 	    placed on objects that affect the integrity of the entire
 	    system.</para>
 	</listitem>
@ -1243,13 +1236,13 @@ test: biba/high</screen>
 	</listitem>
 	<listitem>
-	  <para>Integrity levels instead of <acronym>MLS</acronym> sensitivity
+	  <para>Integrity levels instead of <acronym>MLS</acronym>
-	    levels.</para>
+	    sensitivity levels.</para>
 	</listitem>
      </itemizedlist>
-      <para>The following tunables can be
+      <para>The following tunables can be used to manipulate the Biba
-	used to manipulate the Biba policy:</para>
+	policy:</para>
      <itemizedlist>
 	<listitem>
@ -1280,24 +1273,22 @@ test: biba/high</screen>
 test: biba/low</screen>
      <para>Integrity, which is different from sensitivity, is used to
-	  guarantee that information is not manipulated by
+	guarantee that information is not manipulated by untrusted
-	  untrusted parties.  This includes information passed between
+	parties.  This includes information passed between subjects
-	  subjects and objects.  It ensures that users will
+	and objects.  It ensures that users will only be able to
-	  only be able to modify or access information they have been given explicit
+	modify or access information they have been given explicit
-	  access to.  The &man.mac.biba.4; security policy module permits an
+	access to.  The &man.mac.biba.4; security policy module
-	  administrator to configure which files and programs a user may
+	permits an administrator to configure which files and programs
-	  see and invoke while assuring that the programs and files
+	a user may see and invoke while assuring that the programs and
-	  are trusted by the system for that
+	files are trusted by the system for that user.</para>
 	  user.</para>
      <para>During the initial planning phase, an administrator must
-	  be prepared to partition users into grades, levels, and
+	be prepared to partition users into grades, levels, and areas.
 	  areas.
 	The system will default to a high label once this policy
 	module is enabled, and it is up to the administrator to
-	  configure the different grades and levels for users.
+	configure the different grades and levels for users.  Instead
-	  Instead of using clearance levels, a good planning method
+	of using clearance levels, a good planning method could
-	  could include topics.  For instance, only allow developers
+	include topics.  For instance, only allow developers
 	modification access to the source code repository, source
 	code compiler, and other development utilities.  Other users
 	would be grouped into other categories such as testers,
@ -1305,15 +1296,14 @@ test: biba/low</screen>
 	access.</para>
      <para>A lower integrity subject is unable to write to a higher
-	  integrity subject and a higher integrity subject cannot
+	integrity subject and a higher integrity subject cannot list
-	  list or read a lower integrity object.  Setting a label
+	or read a lower integrity object.  Setting a label at the
-	  at the lowest possible grade could make it inaccessible to
+	lowest possible grade could make it inaccessible to subjects.
-	  subjects.  Some prospective environments for this security
+	Some prospective environments for this security policy module
-	  policy module would include a constrained web server, a
+	would include a constrained web server, a development and test
-	  development and test machine, and a source code repository.
+	machine, and a source code repository.  A less useful
-	  A less useful implementation would be a personal
+	implementation would be a personal workstation, a machine used
-	  workstation, a machine used as a router, or a network
+	as a router, or a network firewall.</para>
 	  firewall.</para>
    </sect2>
    <sect2 xml:id="mac-lomac">
@ -1335,23 +1325,22 @@ test: biba/low</screen>
 	objects only after decreasing the integrity level to not
 	disrupt any integrity rules.</para>
-      <para>The Low-watermark
+      <para>The Low-watermark integrity policy works almost
-	integrity policy works almost identically to Biba, with
+	identically to Biba, with the exception of using floating
-	the exception of using floating labels to support subject
+	labels to support subject demotion via an auxiliary grade
-	demotion via an auxiliary grade compartment.  This secondary
+	compartment.  This secondary compartment takes the form
-	compartment takes the form <literal>[auxgrade]</literal>.
+	<literal>[auxgrade]</literal>.  When assigning a policy with
-	When assigning a policy with an auxiliary grade, use the
+	an auxiliary grade, use the syntax
-	syntax <literal>lomac/10[2]</literal>, where
+	<literal>lomac/10[2]</literal>, where
 	<literal>2</literal> is the auxiliary grade.</para>
-      <para>This policy relies on the
+      <para>This policy relies on the ubiquitous labeling of all
-	ubiquitous labeling of all system objects with integrity
+	system objects with integrity labels, permitting subjects to
-	labels, permitting subjects to read from low integrity objects
+	read from low integrity objects and then downgrading the label
-	and then downgrading the label on the subject to prevent
+	on the subject to prevent future writes to high integrity
-	future writes to high integrity objects using
+	objects using <literal>[auxgrade]</literal>.  The policy may
-	<literal>[auxgrade]</literal>.  The policy may provide
+	provide greater compatibility and require less initial
-	greater compatibility and require less initial configuration
+	configuration than Biba.</para>
 	than Biba.</para>
      <para>Like the Biba and <acronym>MLS</acronym> policies,
 	<command>setfmac</command> and <command>setpmac</command>
@ -1361,8 +1350,8 @@ test: biba/low</screen>
 &prompt.root; <userinput>getfmac /usr/home/trhodes lomac/high[low]</userinput></screen>
      <para>The auxiliary grade <literal>low</literal> is a feature
-	  provided only by the <acronym>MAC</acronym> <acronym>LOMAC</acronym>
+	provided only by the <acronym>MAC</acronym>
-	  policy.</para>
+	<acronym>LOMAC</acronym> policy.</para>
    </sect2>
  </sect1>