From d889e662c0660bc3caac18d1cddab1201ab36b14 Mon Sep 17 00:00:00 2001 From: Tom Rhodes Date: Fri, 31 Mar 2006 09:58:04 +0000 Subject: [PATCH] Bring mac_bsdextended section up to date a little bit. Discuss the first match enable and ruleset load on start up options. --- en_US.ISO8859-1/books/handbook/mac/chapter.sgml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/en_US.ISO8859-1/books/handbook/mac/chapter.sgml b/en_US.ISO8859-1/books/handbook/mac/chapter.sgml index b27daebf9e..9c89f24109 100644 --- a/en_US.ISO8859-1/books/handbook/mac/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/mac/chapter.sgml @@ -934,9 +934,17 @@ test: biba/high firewall. This module's policy provides an extension to the standard file system permissions model, permitting an administrator to create a firewall-like ruleset to protect files, - utilities, and directories in the file system hierarchy. + utilities, and directories in the file system hierarchy. When + access to a file system object is attempted, the list of rules + is iterated until either a matching rule is located or the end + is reached. This behavior may be changed by the use of a + &man.sysctl.8; parameter, + security.mac.bsdextended.firstmatch_enabled is set. Similar to + other fire wall modules in &os;, a file containing access control + rules can be created and read by the system at boot time using + an &man.rc.conf.5; variable. - The policy may be created using a utility, &man.ugidfw.8;, + The rule list may be created using a utility, &man.ugidfw.8;, that has a syntax similar to that of &man.ipfw.8;. More tools can be written by using the functions in the &man.libugidfw.3; library.
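Review bot: The sentence introducing the sysctl in this hunk does not parse and leaves the reader unable to tell what the knob changes: "This behavior may be changed by the use of a &man.sysctl.8; parameter, security.mac.bsdextended.firstmatch_enabled is set." reads as a fragment, and the preceding sentence already describes iterating "until either a matching rule is located or the end is reached", so the text never says how evaluation differs with the parameter on versus off. Suggest rewording to "This behavior may be changed by setting the &man.sysctl.8; parameter security.mac.bsdextended.firstmatch_enabled" and adding one sentence contrasting the two modes (whether evaluation stops at the first matching rule or continues through the whole list, as the parameter name suggests), since the difference determines which rule wins when several match. Two smaller points in the same hunk: "other fire wall modules" should be "other firewall modules", matching "firewall-like ruleset" a few lines up; and the new sentence about loading rules at boot says only "using an &man.rc.conf.5; variable" without naming the variable or the rules file, which is exactly what an administrator needs in order to act on it, so either name both here or cross-reference the section that does.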