Bring mac_bsdextended section up to date a little bit. Discuss the first

match enable and ruleset load on start up options.
svn path=/head/; revision=27440
2006-03-31 09:58:04 +00:00 · 2006-03-31 09:58:04 +00:00 · d889e662c0 · 2020-12-08 03:00:23 +00:00
commit d889e662c0
parent b39569b8cd
1 changed files with 10 additions and 2 deletions
--- a/en_US.ISO8859-1/books/handbook/mac/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/mac/chapter.sgml
@ -934,9 +934,17 @@ test: biba/high</screen>
      firewall.  This module's policy provides an extension to the
      standard file system permissions model, permitting an
      administrator to create a firewall-like ruleset to protect files,
-      utilities, and directories in the file system hierarchy.</para>
+      utilities, and directories in the file system hierarchy.  When
+      access to a file system object is attempted, the list of rules
+      is iterated until either a matching rule is located or the end
+      is reached.  This behavior may be changed by the use of a
+      &man.sysctl.8; parameter,
+      security.mac.bsdextended.firstmatch_enabled is set.  Similar to
+      other fire wall modules in &os;, a file containing access control
+      rules can be created and read by the system at boot time using
+      an &man.rc.conf.5; variable.</para>

-    <para>The policy may be created using a utility, &man.ugidfw.8;,
+    <para>The rule list may be created using a utility, &man.ugidfw.8;,
      that has a syntax similar to that of &man.ipfw.8;.  More tools
      can be written by using the functions in the
      &man.libugidfw.3; library.</para>