Date: Wed, 14 Aug 2002 07:38:56 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 15966 for review Message-ID: <200208141438.g7EEcuFO071108@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15966 Change 15966 by rwatson@rwatson_tislabs on 2002/08/14 07:37:57 Updates to the MAC notes, including commenting on the fact that running X11 with MLS can result in problems, as kernel memory is currently labeled as mls/high by default, but user processes run at mls/low by default. Affected files ... .. //depot/projects/trustedbsd/mac/MACREADME#21 edit Differences ... ==== //depot/projects/trustedbsd/mac/MACREADME#21 (text+ko) ==== @@ -92,7 +92,8 @@ of reasons. Unlike the other components of the kernel NFS client, it doesn't use the mount-time credential to authorize out-going RPC delivery, uses an odd selection of kernel credential to act on the -FIFO, etc. +FIFO, etc. (This is now largely fixed due to moving VFS protections +higher in the stack) Things not to do with MAC ------------------------- @@ -116,7 +117,12 @@ Don't use netboot without setting the loader.conf setting to indicate to Biba which interface is trusted. Otherwise, the NFS client will -fail as it cannot send packets via the interface. (This may be broken). +fail as it cannot send packets via the interface. + +Don't expect X11 to work with MLS enabled if you try to run X11 at +mls/low (the default). This won't work because XFree86 expects to +be able to map video memory, and by default video memory is labeled +as mls/high so as to be conservative. Things that look like they should work but don't ------------------------------------------------ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200208141438.g7EEcuFO071108>