Every module included with the MAC framework may be
either compiled into the kernel as noted above or loaded as a run-time kernel module. The
recommended method is to add the module name to the /boot/loader.conf file so that it will load during the initial boot
operation.
The following sections discuss the various MAC
modules and cover their features, along with considerations for implementing them in a
specific environment. Some modules support labeling, which
controls access by enforcing a label such as “this is allowed and this is
not”. A label configuration file may control how files are accessed, how network
communication is exchanged, and more. The previous section showed how the multilabel
flag could be set on file systems to enable per-file or
per-partition access control.
A single label configuration would enforce only one label across the system, which is
why the tunefs option is called multilabel.
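
To check which MAC policy modules a loader.conf-style file will actually load at boot, the following added example (not part of the original chapter) reports every `mac_*_load` entry whose final value is YES. It assumes entries take the form `mac_<policy>_load="YES"`, that a later assignment overrides an earlier one, and that the value is case-insensitive; the sample input is constructed.

```shell
#!/bin/sh
# Added example: audit a loader.conf-style file for MAC modules loaded at boot.

# sample_loader_conf: prints a constructed sample, not taken from a real system.
sample_loader_conf() {
    cat <<'EOF'
# constructed sample /boot/loader.conf
kern.hz="100"
mac_biba_load="YES"
mac_mls_load="YES"
#mac_seeotheruids_load="YES"
mac_portacl_load="yes"
mac_mls_load="NO"    # switched off again further down
EOF
}

# mac_boot_modules [FILE]
# Reads FILE (or stdin) and prints one module name per line, in order of
# first appearance, for each mac_*_load entry whose last value is YES.
mac_boot_modules() {
    awk '
        { sub(/#.*/, "") }                      # commented-out entries do not count
        match($0, /^[ \t]*mac_[a-z0-9_]+_load[ \t]*=/) {
            name = $0
            sub(/^[ \t]*/, "", name)
            sub(/_load[ \t]*=.*/, "", name)     # mac_biba_load="YES" -> mac_biba
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            gsub(/[" \t]/, "", val)             # strip quotes and padding
            state[name] = toupper(val)          # assumption: last assignment wins
            if (!(name in seen)) { seen[name] = 1; order[++n] = name }
        }
        END {
            for (i = 1; i <= n; i++)
                if (state[order[i]] == "YES") print order[i]
        }
    ' "$@"
}

# Demo on the constructed sample.
sample_loader_conf | mac_boot_modules
```

On a real system the function can be pointed at /boot/loader.conf and its output compared with the modules the kernel reports as loaded.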