From: Jeffrey Goldberg
To: Bill Moran
Cc: FreeBSD List
Date: Mon, 16 Jun 2008 08:51:01 -0500
Subject: Re: Enforce minimal file/ dir permissions

On Jun 16, 2008, at 7:21 AM, Bill Moran wrote:

> Look at MAC and the bsdextended module (filesystem firewall):
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac.html
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac-bsdextended.html

I've recently been looking at those myself, and while I think that I
have developed some limited understanding "in principle" about how MAC
works, I need a great deal more practical guidance.

Is there some extended tutorial with cookbook or other resource that
will actually help someone who doesn't fully grok this work out a
policy and rules that will do more good than harm?

Yes, I've used Google, but haven't yet come across what I need.

Cheers,

-j

-- 
Jeffrey Goldberg
http://www.goldmark.org/jeff/