Date: Wed, 31 Jul 2002 08:26:46 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 15311 for review Message-ID: <200207311526.g6VFQk4x084429@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15311 Change 15311 by rwatson@rwatson_tislabs on 2002/07/31 08:26:17 Update MAC notes. Affected files ... .. //depot/projects/trustedbsd/mac/MACREADME#20 edit Differences ... ==== //depot/projects/trustedbsd/mac/MACREADME#20 (text+ko) ==== @@ -22,21 +22,16 @@ others may be loaded when needed before or after the boot. The following loader.conf lines are currently relevant: -babyaudit_load="NO" # Baby auditing module mac_biba_load="NO" # Biba MAC policy (boot only) mac_bsdextended_load="NO" # BSD/extended MAC policy mac_ifoff="NO" # Interface silencing policy mac_mls_load="NO" # MLS MAC policy (boot only) mac_none_load="NO" # Null MAC policy +mac_partition_load="NO" # Partition MAC policy mac_seeotheruids_load="NO" # UID visbility MAC policy mac_te_load="NO" # Type Enforcement policy (boot only) - -To include support for SEBSD, a port of the NSA FLASK and SELinux TE -implementations, add the following kernel option: +sebsd_load="NO" # Port of SELinux/FLASK (boot only) -options SEBSD - -This will be available as a module also in due course. Kernel options known not to work with MAC ----------------------------------------- @@ -54,6 +49,7 @@ Using those options may result in incorrect security behavior, memory corruption, or a kernel panic. They do not work with MAC at this time. +They should work correctly using GENERIC. Kernel SLIP support may not work correctly, as outgoing mbufs are not labeled due to lack of a label to apply. Probably, the label should be @@ -82,13 +78,15 @@ The NFS server code in many places currently ignores MAC protection. This may or may not be the best behavior, as in the past NFS could always override discretionary access control due to running in the -kernel as root all the time. CODA support is probably in the same +kernel as root all the time. However, because NFS sometimes invokes +higher level VFS functionality, such as namei(), MAC protections +may be inconsistently enforced. CODA support is probably in the same condition. -Currently, non-FreeBSD ABIs are not supported. This includes the Linux -compatibility layer, and other related components (SCO, et al). They -will likely not correctly check MAC operations in all cases that the -normal FreeBSD ABI code does. +Currently, non-FreeBSD ABIs are not fully supported. This includes +the Linux compatibility layer, and other related components (SCO, et al). +They will likely not correctly check MAC operations in all cases that the +normal FreeBSD ABI code does; the status of the ABIs is improving. Client-side NFS locking is known to Do The Wrong Thing, for a variety of reasons. Unlike the other components of the kernel NFS client, @@ -118,7 +116,7 @@ Don't use netboot without setting the loader.conf setting to indicate to Biba which interface is trusted. Otherwise, the NFS client will -fail as it cannot send packets via the interface. +fail as it cannot send packets via the interface. (This may be broken). Things that look like they should work but don't ------------------------------------------------ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200207311526.g6VFQk4x084429>