# Implementing MAC BIBA for login user



## skeleton616 (Jun 27, 2021)

I have followed the documentation with regard to the MAC BIBA policy and I am trying to create a separate Biba range on the regular user and the root user, but nothing seems to be working. No matter what I change in the /etc/login.conf file, the regular and root user always have the Biba range of "biba/high(low-high)".

I am just trying to change the regular user to have a range of biba/low(low-low) and the root user to have a range of biba/high(low-high) for testing purposes. Every time I add the :label=biba/low(low-low) to the default user in the /etc/login.conf file and then build using cap_mkdf /etc/login.conf, nothing happens at all. Any help is appreciated, as no matter where I look nothing seems to fix my problem.


----------



## T-Daemon (Jun 27, 2021)

Works here (on 13.0-RELEASE):

/boot/loader.conf

```
mac_biba_load="YES"
```

Reboot system.

/etc/login.conf

```
biba:\
             :label=biba/low(low-low):\
             :tc=default:
```


```
# cap_mkdb /etc/login.conf
```

Set login class 'biba' for user 'test'.


```
test@fbsd13:~ % getpmac
biba/low(low-low)
```


```
root@fbsd13:~ # getpmac
biba/high(low-high)
```

Maybe you have a typo in /etc/login.conf.


----------



## skeleton616 (Jun 28, 2021)

Can you paste your whole /etc/login.conf file? And how do you set the login class 'biba' to the user 'test'?


----------



## SirDice (Jun 28, 2021)

skeleton616 said:


> And how do you set the login class 'biba' to the user 'test'?


The other way around, you set the user to the class.


```
-L class      This option sets the login class for the user being
                   created.  See login.conf(5) and passwd(5) for more
                   information on user login classes.
```
See pw(8): `pw usermod myuser -L biba`


----------



## T-Daemon (Jun 28, 2021)

SirDice said:


> The other way around, you set the user to the class.


Corrected.




skeleton616 said:


> Can you paste your whole /etc/login.conf file?


The login.conf I have is the default which comes with 13.0-RELEASE. I added the 'biba' class you see in the `Code:` box beneath the 'default' class. The line `:tc=default:` forwards the 'biba' class to the 'default' class.



skeleton616 said:


> And how do you set the login class 'biba' to the user 'test'?


Besides what SirDice suggested, which is the most convenient form, chsh(1) <username> executed as root can alternatively be used and the 'Class:' field edited, or vipw(8), with the class set in the fifth field (see passwd(5)).

After cap_mkdb(1) has been run and the 'biba' class set for the user, the user, if logged in, needs to log out and log in again for the login class to take effect.

As for why it's not working for you, I suspect a typo in your login.conf: a missing backslash or colon.


----------
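A heuristic lint for the two typos suspected in the reply above (a missing trailing backslash or a missing colon in a login.conf class), added here as an example and not posted by anyone in the thread. The helper name `lint_login_conf` and the three sample files are constructed for illustration, and the checks approximate the entry syntax rather than reproduce the parser cap_mkdb(1) uses.

```shell
#!/bin/sh
# Added example (not from the thread): heuristic lint for login.conf entries.
# lint_login_conf is a hypothetical helper; it prints one line per finding
# and returns 0 when the file is clean, 1 otherwise.
lint_login_conf() {
    awk '
    /^[ \t]*#/ { next }                       # comments do not change state
    /^[ \t]*$/ {                              # a blank line ends any entry
        if (cont) { printf "line %d: backslash but nothing follows\n", prev; bad++ }
        cont = 0; next
    }
    {
        ends_bs = ($0 ~ /\\$/)                # entry continues on the next line
        body = $0; sub(/\\$/, "", body)
        is_cap = ($0 ~ /^[ \t]*:/)            # looks like "  :name=value:"
        if (!cont && is_cap) {
            printf "line %d: capability outside an entry (line %d has no trailing backslash)\n", NR, prev; bad++
        }
        if (cont && !is_cap) {
            printf "line %d: continuation does not start with a colon\n", NR; bad++
        }
        if (body !~ /:$/) {
            printf "line %d: missing colon at end of line\n", NR; bad++
        }
        cont = ends_bs; prev = NR
    }
    END {
        if (cont) { printf "line %d: backslash but nothing follows\n", prev; bad++ }
        exit (bad > 0)
    }' "$1"
}

# Constructed samples: the class from the thread, then two broken variants.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'biba:\\\n\t:label=biba/low(low-low):\\\n\t:tc=default:\n' > "$tmp/good"
printf 'biba:\\\n\t:label=biba/low(low-low):\n\t:tc=default:\n'   > "$tmp/no_backslash"
printf 'biba:\\\n\t:label=biba/low(low-low)\\\n\t:tc=default:\n'  > "$tmp/no_colon"

for f in good no_backslash no_colon; do
    echo "== $f"
    lint_login_conf "$tmp/$f" || echo "   -> fix before running cap_mkdb"
done
```

Run it as `lint_login_conf /etc/login.conf` before rebuilding the database; a clean result only rules out these two typos, so `getpmac` after a fresh login remains the real check.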



## skeleton616 (Jun 29, 2021)

Alright, thanks, I got it working now. So if I wanted to change the label for the default, would I just add the label to the default section? I was thinking about just having the root user have a label of biba/high(high-high) and then the biba/myuser have a label of biba/low(low-high).


----------



## T-Daemon (Jun 29, 2021)

skeleton616 said:


> So if I wanted to change the label for the default would I just add the label to the default section?


Yes, that's all it takes.


----------



## skeleton616 (Jun 30, 2021)

Thanks for the help.


----------

