Date: Fri, 10 May 2002 12:36:09 -0700 (PDT)
From: Robert Watson <rwatson@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 11133 for review
Message-ID: <200205101936.g4AJa9l94358@freefall.freebsd.org>
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=11133 Change 11133 by rwatson@rwatson_curry on 2002/05/10 12:35:16 - Update the list of options to reflect recent changes to modules - Mention SEBSD, and that it will become a module sometime - Talk about loader.conf to load modules - Update the list of known broken options - Remove the proc0/proc1 issue from the issues list, we fixed it Affected files ... ... //depot/projects/trustedbsd/mac/MACREADME#16 edit Differences ... ==== //depot/projects/trustedbsd/mac/MACREADME#16 (text+ko) ==== @@ -7,10 +7,6 @@ Add the following to your kernel configuration: options MAC -options MAC_BIBA # Biba support -options MAC_MLS # MLS support -options MAC_TE # TE support -options MAC_BSDEXTENDED # BSD/extended MAC policy support Rebuild and reinstall world and kernel. Make sure that login.conf is in sync with that provided in the MAC repository, and that login.conf.db 
@@ -21,16 +17,40 @@ integrating MAC into the VFS name lookup code. These warnings will be resolved prior to 5.0-RELEASE. +There are a variety of MAC modules installed in /boot/kernel following +an installkernel. Some must be loaded prior to boot in the loader; +others may be loaded when needed before or after the boot. The +following loader.conf lines are currently relevant: + +babyaudit_load="NO" # Baby auditing module +mac_biba_load="NO" # Biba MAC policy (boot only) +mac_bsdextended_load="NO" # BSD/extended MAC policy +mac_ifoff="NO" # Interface silencing policy +mac_mls_load="NO" # MLS MAC policy (boot only) +mac_none_load="NO" # Null MAC policy +mac_seeotheruids_load="NO" # UID visbility MAC policy +mac_te_load="NO" # Type Enforcement policy (boot only) + +To include support for SEBSD, a port of the NSA FLASK and SELinux TE +implementations, add the following kernel option: + +options SEBSD + +This will be available as a module also in due course. + Kernel options known not to work with MAC ----------------------------------------- -options INET6 -options IPSEC -options NCP -options NETATM -options NETGRAPH -options NETSMB -options NFSSERVER +options INET6 # Mostly works +options IPSEC # Sort of works +options NCP # Might work +options NETATALK # Might work +options NETATM # Also might work +options NETGRAPH # Probably doesn't work +options NETSMB # Could well work +options NFSSERVER # Probably doesn't work +options NWFS # Probably doesn't work +options SMPFS # Probably doesn't work Using those options may result in incorrect security behavior, memory corruption, or a kernel panic. They do not work with MAC at this time. 
@@ -100,7 +120,4 @@ Things that look like they should work but don't ------------------------------------------------ -mac_create_proc0() has no effect, as it uses the same credentials as -mac_create_proc1(), which is called after mac_create_proc0(). To fix -this, those credentials must be divorced prior to running -mac_create_proc1(). +Nothing on this list right now. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
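Review bot: In the first hunk (@@ -7,10 +7,6 @@), the kernel configuration step is left with only "options MAC" and nothing at that spot points the reader to the loader.conf section that replaces the four removed policy options. Someone who follows just this step, with every *_load line in the later list shown as "NO", ends up with the framework compiled in and no policy selected. Suggest adding one sentence after "options MAC" saying that the policies are now modules and are enabled through loader.conf as described further down.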
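Review bot: In the second hunk (@@ -21,16 +17,40 @@), the loader.conf entry mac_ifoff="NO" is missing the _load suffix that every other entry in the list carries, so it does not match the form the paragraph is documenting; it should read mac_ifoff_load="NO". In the same list, "visbility" in the mac_seeotheruids_load comment should be "visibility". Further down, the new per-option comments ("Mostly works", "Might work", "Could well work") contradict both the unchanged heading "Kernel options known not to work with MAC" and the closing sentence "They do not work with MAC at this time."; since the section warns of incorrect security behavior, either retitle it to something like "Kernel options not known to work with MAC" and soften the closing sentence, or drop the hedged comments so the reader is not left guessing which options are safe to enable. Also worth confirming that "SMPFS" is the intended option name, given that NETSMB appears just above it.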