From owner-p4-projects Fri May 10 12:36:18 2002
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id 21B0937B403; Fri, 10 May 2002 12:36:11 -0700 (PDT)
Delivered-To: perforce@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 20CC637B401 for ; Fri, 10 May 2002 12:36:10 -0700 (PDT)
Received: (from perforce@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g4AJa9l94358 for perforce@freebsd.org; Fri, 10 May 2002 12:36:09 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Date: Fri, 10 May 2002 12:36:09 -0700 (PDT)
Message-Id: <200205101936.g4AJa9l94358@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f
From: Robert Watson
Subject: PERFORCE change 11133 for review
To: Perforce Change Reviews
Sender: owner-p4-projects@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=11133

Change 11133 by rwatson@rwatson_curry on 2002/05/10 12:35:16

- Update the list of options to reflect recent changes to modules
- Mention SEBSD, and that it will become a module sometime
- Talk about loader.conf to load modules
- Update the list of known broken options
- Remove the proc0/proc1 issue from the issues list, we fixed it

Affected files ...

... //depot/projects/trustedbsd/mac/MACREADME#16 edit

Differences ...

==== //depot/projects/trustedbsd/mac/MACREADME#16 (text+ko) ====
@@ -7,10 +7,6 @@ Add the following to your kernel configuration: options MAC -options MAC_BIBA # Biba support -options MAC_MLS # MLS support -options MAC_TE # TE support -options MAC_BSDEXTENDED # BSD/extended MAC policy support Rebuild and reinstall world and kernel. Make sure that login.conf is in sync with that provided in the MAC repository, and that login.conf.db 
@@ -21,16 +17,40 @@ integrating MAC into the VFS name lookup code. These warnings will be resolved prior to 5.0-RELEASE. +There are a variety of MAC modules installed in /boot/kernel following +an installkernel. Some must be loaded prior to boot in the loader; +others may be loaded when needed before or after the boot. The +following loader.conf lines are currently relevant: + +babyaudit_load="NO" # Baby auditing module +mac_biba_load="NO" # Biba MAC policy (boot only) +mac_bsdextended_load="NO" # BSD/extended MAC policy +mac_ifoff="NO" # Interface silencing policy +mac_mls_load="NO" # MLS MAC policy (boot only) +mac_none_load="NO" # Null MAC policy +mac_seeotheruids_load="NO" # UID visbility MAC policy +mac_te_load="NO" # Type Enforcement policy (boot only) + +To include support for SEBSD, a port of the NSA FLASK and SELinux TE +implementations, add the following kernel option: + +options SEBSD + +This will be available as a module also in due course. + Kernel options known not to work with MAC ----------------------------------------- -options INET6 -options IPSEC -options NCP -options NETATM -options NETGRAPH -options NETSMB -options NFSSERVER +options INET6 # Mostly works +options IPSEC # Sort of works +options NCP # Might work +options NETATALK # Might work +options NETATM # Also might work +options NETGRAPH # Probably doesn't work +options NETSMB # Could well work +options NFSSERVER # Probably doesn't work +options NWFS # Probably doesn't work +options SMPFS # Probably doesn't work Using those options may result in incorrect security behavior, memory corruption, or a kernel panic. They do not work with MAC at this time. 
@@ -100,7 +120,4 @@ Things that look like they should work but don't ------------------------------------------------ -mac_create_proc0() has no effect, as it uses the same credentials as -mac_create_proc1(), which is called after mac_create_proc0(). To fix -this, those credentials must be divorced prior to running -mac_create_proc1(). +Nothing on this list right now. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
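Review bot: the @@ -7,10 +7,6 @@ hunk drops the MAC_BIBA, MAC_MLS, MAC_TE and MAC_BSDEXTENDED lines from the kernel configuration instructions but tells readers nothing about existing configurations that still carry them; since the commit message says these policies have moved to modules, add a sentence after `options MAC` stating that the per-policy kernel options are gone and that the policies are now loaded via loader.conf, otherwise a stale config will reference options that no longer exist.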
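Review bot: in the @@ -21,16 +17,40 @@ hunk the loader.conf entry `mac_ifoff="NO"` lacks the `_load` suffix that every other entry carries, so a reader who copies the line and flips it to YES will not get the ifoff module loaded; it should presumably read `mac_ifoff_load="NO"`. Two smaller points in the same hunk: `visbility` should be `visibility`, and the annotations added to the "Kernel options known not to work with MAC" list (`# Mostly works`, `# Could well work`) now contradict the unchanged sentence that follows, `They do not work with MAC at this time.`; either soften that sentence or separate the options that are known broken from those that are merely untested. It is also worth checking whether `options SMPFS` is the intended spelling, since the SMB file system option is normally written SMBFS.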
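Review bot: the @@ -100,7 +120,4 @@ hunk replaces the proc0/proc1 credential entry with `Nothing on this list right now.` but records nowhere that the issue was actually resolved; a one-line note that the credentials are now divorced before mac_create_proc1() runs, as the removed text required, or a pointer to the change that did so, would keep readers from re-reporting it.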