Before reading this chapter, a few key terms must be explained. This will hopefully clear up any confusion that may occur and avoid the abrupt introduction of new terms and information.
compartment: A compartment is a set of programs and data to be partitioned or separated, where users are given explicit access to specific components of a system. A compartment also represents a grouping, such as a work group, department, project, or topic. Using compartments, it is possible to implement a need-to-know policy.
integrity: Integrity, as a key concept, is the level of trust which can be placed in data. As the integrity of the data increases, so does the ability to trust that data.
label: A label is a security attribute which can be applied to files, directories, or other items in the system. It could be considered a confidentiality stamp; when a label is placed on a file it describes the security properties for that specific file and will only permit access by files, users, resources, etc. with a compatible security setting. The meaning and interpretation of label values depend on the policy: while some policies might treat a label as representing the integrity or secrecy of an object, other policies might use labels to hold rules for access.
level: The increased or decreased setting of a security attribute. As the level increases, its security is considered to elevate as well.
multilabel: The multilabel property is a file system option which can be set in single user mode using the tunefs(8) utility; set during the boot operation using the fstab(5) file; or set during the creation of a new file system. This option will permit an administrator to apply different MAC labels to different objects. This option only applies to labeled policies.
object: An object or system object is an entity through which information flows under the direction of a subject. This includes directories, files, fields, screens, keyboards, memory, magnetic storage, printers or any other data storage/moving device. Basically, an object is a data container or a system resource; access to an object effectively means access to the data.
policy: A collection of rules which defines how objectives are to be achieved. A policy usually documents how certain items are to be handled. This chapter will use the term policy in the sense of a security policy; i.e. a collection of rules which will control the flow of data and information and define who will have access to that data and information.
sensitivity: Usually used when discussing MLS. A sensitivity level describes how important or secret the data should be. As the sensitivity level increases, so does the importance of the data.
single label: A single label configuration is one in which the entire file system uses one label to enforce access control over the flow of data. When a file system has this set, which is the case whenever the multilabel option is not set, all files will conform to the same label setting.
subject: A subject is any active entity that causes information to flow between objects; e.g. a user, user process, system process, etc. On FreeBSD, this is almost always a thread acting in a process on behalf of a user.
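The multilabel and single label entries above describe the same fstab(5) option from two sides. The following added example (not part of the Handbook) reads an fstab-style listing and reports, for a given mount point, whether its options field enables multilabel or leaves the file system single label; the fstab lines embedded in it are constructed sample data, not a real system's configuration.

```sh
#!/bin/sh
# Constructed sample fstab(5) content for demonstration only.
SAMPLE_FSTAB='# Device        Mountpoint  FStype  Options                 Dump Pass
/dev/ada0p2     /           ufs     rw,multilabel           1    1
/dev/ada0p3     /usr        ufs     rw                      2    2
/dev/ada0p4     /var        ufs     rw,noatime,multilabel   2    2
/dev/ada0p1     none        swap    sw                      0    0'

# label_mode MOUNTPOINT
# Reads fstab-format text from stdin and prints "multilabel",
# "single label", or "not listed" for the requested mount point.
# Against a live system it can be run as:  label_mode /usr < /etc/fstab
label_mode() {
    mp=$1
    awk -v mp="$mp" '
        /^[[:space:]]*#/ || NF < 4 { next }     # skip comments and short lines
        $2 == mp {
            done = 1
            n = split($4, opts, ",")           # options field is comma separated
            for (i = 1; i <= n; i++)
                if (opts[i] == "multilabel") { print "multilabel"; exit }
            print "single label"; exit
        }
        END { if (!done) print "not listed" }'
}

# Stand-alone run: report the mode of each mount point in the sample.
for mp in / /usr /var /home; do
    printf '%s: %s\n' "$mp" "$(printf '%s\n' "$SAMPLE_FSTAB" | label_mode "$mp")"
done
```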