From owner-p4-projects@FreeBSD.ORG Fri Jan 30 10:31:45 2004
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id BF36516A4D0; Fri, 30 Jan 2004 10:31:44 -0800 (PST)
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9AE1016A4CE for ; Fri, 30 Jan 2004 10:31:44 -0800 (PST)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 14DEE43D41 for ; Fri, 30 Jan 2004 10:31:42 -0800 (PST) (envelope-from areisse@nailabs.com)
Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.10/8.12.10) with ESMTP id i0UIVf0B030920 for ; Fri, 30 Jan 2004 10:31:41 -0800 (PST) (envelope-from areisse@nailabs.com)
Received: (from perforce@localhost) by repoman.freebsd.org (8.12.10/8.12.10/Submit) id i0UIVfpF030914 for perforce@freebsd.org; Fri, 30 Jan 2004 10:31:41 -0800 (PST) (envelope-from areisse@nailabs.com)
Date: Fri, 30 Jan 2004 10:31:41 -0800 (PST)
Message-Id: <200401301831.i0UIVfpF030914@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to areisse@nailabs.com using -f
From: Andrew Reisse
To: Perforce Change Reviews
Subject: PERFORCE change 46207 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: p4 projects tree changes
X-List-Received-Date: Fri, 30 Jan 2004 18:31:45 -0000

http://perforce.freebsd.org/chv.cgi?CH=46207

Change 46207 by areisse@areisse_ibook on 2004/01/30 10:30:40

Document build procedure for init and bootloader, and configuring the
bootloader to load the sebsd policy.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin/bootstrap_instructions.txt#24 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin/bootstrap_instructions.txt#24 (text+ko) ====
@@ -162,6 +162,30 @@ make ; sudo make install cd .. +Step 9.1: Build and install modified MiG program + cd apsl/bootstrap_cmds/migcom.tproj + make ; sudo make install + cd ../../.. + + This mig program is compatible with old kernels as well, as long as the + new features are not used. + +Step 9.2: Build modified mach_init + cd apsl/system_cmds/mach_init.tproj + make ; sudo make install + cd ../../.. + +Step 9.3: Build modified bootloader + The modified bootloader is necessary to read the security policy before + the root filesystem is available. It might work with other kernels as + well. + BEFORE installing this bootloader, make sure you have a working backup + partition (that boots) on the same machine. + cd apsl/BootX + chmod u+w bootx.tproj/bootinfo.hdr + make + sudo cp bootx.bootinfo /System/Library/CoreServices/BootX + Step 10: Build, Install wslogin and WindowServer wrapper In order to allow users to select roles during GUI login, you must @@ -190,22 +214,16 @@ Step 11: Build SEDarwin Sample Policy - We provide a minimal sample policy; due to current limitations in loading the - policy at boot-time, we link the sample policy directly into the Darwin kernel - (yes, this is just temporary!). When the policy is built, you end up with - a policy.h file that will get copied into the XNU tree for the kernel build. - Our sample policy file ships with three users: root, andrew, and rwatson. Chances are, you'll want to add a line for your own user based on one of those lines. cd policy - make ; make install + make + sudo cp policy.16 / + sudo nvram load_sebsd_policy=policy.16 cd .. - Until we have this fixed, remember that when you change the policy, you need - to re-install and remake the XNU kernel. - Step 12: Build XNU NOTE: If you skipped the long and tedious elements of Step 2 above, 
@@ -306,10 +324,10 @@ /sbin/fsck -y /sbin/mount -uw / - Now set the label on the WindowServer binary so that it can transition - during login: + Now set the label on various binaries so they can transition + during system startup: - setfmac sebsd/system_u:object_r:login_exec_t \ - /System/Library/CoreServices/RealWindowServer + cd policy; make relabel - Missing this step will result in login attempts failing. + Missing this step will result in login attempts failing, or + the entire system not working if enforcing mode is enabled.
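Review bot: in the first hunk (@@ -162), Step 9.3 overwrites the live boot loader with `sudo cp bootx.bootinfo /System/Library/CoreServices/BootX` without keeping a copy of the original, so the only recovery path is the separate bootable partition the text asks the reader to have. Suggest copying the existing BootX to a backup name first (for example `sudo cp /System/Library/CoreServices/BootX /System/Library/CoreServices/BootX.orig`) and adding one sentence on how to put it back from the backup partition if the machine no longer boots. Two smaller points in the same hunk: the `chmod u+w bootx.tproj/bootinfo.hdr` line gives no reason why that header must be made writable before `make`, and Step 9.1's "as long as the new features are not used" does not say which MiG features are meant, which a reader needs in order to judge whether running the new migcom against an older kernel is safe.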
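Review bot: in the second hunk (@@ -190), the new Step 11 installs the policy with `sudo cp policy.16 /` but says nothing about the ownership or mode of /policy.16, and that file is now what the boot loader hands the kernel as the security policy, so it must be root-owned and not writable by other users; suggest adding `sudo chown root:wheel /policy.16` and `sudo chmod 644 /policy.16` after the cp, or letting a `make install` target do the copy with those settings. The hunk also drops the old reminder about what to do after editing the policy; under the new flow the replacement is one line saying that an edited policy has to be rebuilt, copied to / again and the machine rebooted, and that an XNU rebuild is no longer needed. Finally, `sudo nvram load_sebsd_policy=policy.16` is shown without stating where the boot loader looks for that name (which volume and directory it is resolved against); spell that out so the reader can check the file really is the one being loaded.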
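Review bot: in the third hunk (@@ -306), replacing the explicit `setfmac` line with `cd policy; make relabel` removes the only place the document said which binaries receive which labels (the dropped lines showed login_exec_t being set on RealWindowServer), while the hunk's own last sentence says that getting this wrong with enforcing mode enabled leaves the whole system unusable. Suggest either listing the files and labels the relabel target applies or pointing the reader at the Makefile target so the result can be checked. Also, `cd policy` is a relative path run from single-user mode right after `/sbin/mount -uw /`; the earlier steps run it from inside the source tree, so give the absolute path to the policy directory here. Given the stated consequence, it would also help to tell the reader to verify the labels on those binaries before enabling enforcing mode.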