From: Borja Marcos
Date: Fri, 12 May 2006 01:56:15 +0200
To: mal content
Cc: freebsd-security@freebsd.org
Subject: Re: MAC policies and shared hosting

> Unfortunately the MAC framework just doesn't seem to get
> as much attention as I'd like. I think the problem was
> that the TrustedBSD project seemed very 'closed' in that the
> site was quite rarely updated and it was difficult to get news
> on developments. It seemed, for a long time, that nobody was
> interested in it.

Well, I am loving it, really.

> It'd be nice to see a ton of tutorials, papers and documentation
> for it. I personally would write quite a bit on it if I could get started
> but unfortunately my 'expertise' begins and ends at the web server
> example in the handbook.
>
> I think also the MAC framework is perceived as being too difficult
> to use and too detached from FreeBSD itself. Hopefully the latter
> will improve when BSM is integrated with the system and the
> former is entirely subjective anyway.

Well, as you increase security there is a tradeoff. But I'm trying to come up with a reasonable balance between security and convenience. Deploying it has important consequences on operations like, for example, a make world. You must be aware of it.

I'm trying to do it in the Apple way: make it simple enough to be usable, but make it strong enough :)

Borja.