Date: Fri, 15 Feb 2008 13:31:05 +0100 From: Borja Marcos <BORJAMAR@SARENET.ES> To: freebsd-security@freebsd.org Subject: MAC subsystem problem (FreeBSD 7) Message-ID: <D2D61EC2-6A67-4F7F-B252-FF2318FFF1CF@SARENET.ES>
next in thread | raw e-mail | index | archive | help
Hello, I'm trying to set up a DNS server under FreeBSD using the mac_biba policy. I use to run bind in low-integrity mode, so that neither it or any of its descendants can modify configuration files, etc. With previous FreeBSD versions there was a handy sysctl setting, "security.mac.enforce_socket" that allowed to bypass the MAC restrictions for a socket. I think it's not a bad idea. After all machines can communicate with untrusted nodes over a network. In my opinion, enforcing the mac_biba restrictions so that a network communication with a local process behaves _differently_ than a network communication with a different node is a bad idea. Any reason why this setting has been eliminated? I think that the best solution is to keep it and let the administrator decide. Best regards, Borja.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D2D61EC2-6A67-4F7F-B252-FF2318FFF1CF>