From owner-freebsd-security@FreeBSD.ORG Wed Jul 5 15:17:45 2006
From: freebsd-security@auscert.org.au
To: Colin Percival
Cc: freebsd-security@freebsd.org, "Dolan-Gavitt, Brendan F."
Date: Thu, 06 Jul 2006 01:17:42 +1000
Subject: Re: Determining vulnerability to issues described by SAs
In-Reply-To: Message from Colin Percival of "Fri, 30 Jun 2006 20:13:44 MST." <44A5E868.60508@freebsd.org>

Hi Colin,

On Fri, 30 Jun 2006 20:13:44 -0700, Colin Percival wrote:
> Dolan-Gavitt, Brendan F. wrote:
>> I've been trying for the past few days to come up with a method for
>> checking a FreeBSD system to see if it is vulnerable to an issue
>> described by a FreeBSD security advisory in some automated way
[...]

This is an issue I also have given some thought to.

...
>> I'm fairly new to FreeBSD, so I may just be missing something
>> here--is there a reliable way to determine if a system is patched
>> according to a particular security advisory?
>
> In short, no. If you have any ideas, let me know. :-)

I've been canonically rebuilding my systems for each patch (or at least every time a vulnerability affects my hosts) to cover this very issue, even if a rebuild isn't strictly necessary. In addition to this, however, I usually generate an mtree file from a pre-production installation so that I can compare any given build with running systems to identify changes, such as those occurring as a result of patching - kind of like a base 'tripwire', in fact.

Would this be a solution? Each advisory could come with a custom mtree file that covers the affected files explicitly and/or another mtree file that covers the files for this patch _and_ for all previous patches up to that point; you could name the mtree after the patchlevel, eg RELENG_5_3.mtree.p31 - this should work regardless of how the patch was applied, as the end result is (almost?) always the same at the binary level.
regards,

-- 
Joel Hatton -- Infrastructure Manager    | Hotline: +61 7 3365 4417
AusCERT - Australia's national CERT      | Fax:     +61 7 3365 7031
The University of Queensland             | WWW:     www.auscert.org.au
Qld 4072 Australia                       | Email:   auscert@auscert.org.au
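The "base tripwire" comparison Joel describes, as an added example that is not part of the thread and not FreeBSD's own code: on FreeBSD itself mtree(8) does this natively (`mtree -c` writes a specification of a tree, `mtree -f spec -p dir` checks a tree against it); the portable Python below builds an mtree-like specification (type, mode, size, SHA-256) of a known-good install, serialises it in a simplified mtree-style text form so it can be kept per patch level or shipped with an advisory, and reports what differs on a second tree. The file names, contents and the patch scenario in `demo()` are constructed for illustration.

```python
"""Manifest-based change detection in the spirit of mtree(8).

Added example, not taken from the mailing-list thread. Builds a spec of a
"golden" tree, stores it in a simplified mtree-like text form, and compares a
second tree (the running host) against it. Sample trees are constructed.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# One spec entry: (type, permission bits, size, sha256 hex digest)
Entry = Tuple[str, int, int, str]


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_spec(root: str) -> Dict[str, Entry]:
    """Record one entry per directory and file under root, keyed by the
    path relative to root (what 'mtree -c -p root' would describe)."""
    spec: Dict[str, Entry] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(dirnames + filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rel = os.path.relpath(full, root)
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISDIR(st.st_mode):
                spec[rel] = ("dir", mode, 0, "")
            elif stat.S_ISREG(st.st_mode):
                spec[rel] = ("file", mode, st.st_size, _sha256(full))
            else:  # symlinks, devices: type and mode only
                spec[rel] = ("other", mode, 0, "")
    return spec


def format_spec(spec: Dict[str, Entry]) -> str:
    """Serialise as one 'path key=value ...' line per entry. Simplified:
    paths containing whitespace are not escaped as real mtree does."""
    lines = []
    for rel in sorted(spec):
        typ, mode, size, digest = spec[rel]
        line = f"./{rel} type={typ} mode={mode:04o}"
        if typ == "file":
            line += f" size={size} sha256digest={digest}"
        lines.append(line)
    return "\n".join(lines) + "\n"


def parse_spec(text: str) -> Dict[str, Entry]:
    """Inverse of format_spec; blank lines and '#' comments are skipped."""
    spec: Dict[str, Entry] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        path, *kvs = line.split()
        kv = dict(item.split("=", 1) for item in kvs)
        rel = path[2:] if path.startswith("./") else path
        spec[rel] = (kv["type"], int(kv["mode"], 8),
                     int(kv.get("size", "0")), kv.get("sha256digest", ""))
    return spec


def compare_specs(expected: Dict[str, Entry],
                  actual: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Paths whose entry differs, paths only in the stored spec, and paths
    only on the inspected tree."""
    changed = sorted(p for p in expected if p in actual and expected[p] != actual[p])
    missing = sorted(p for p in expected if p not in actual)
    extra = sorted(p for p in actual if p not in expected)
    return {"changed": changed, "missing": missing, "extra": extra}


def _populate(root: str, files: Dict[str, bytes]) -> None:
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        os.chmod(full, 0o555)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: pre-production install versus a running host on
    which one library was rebuilt by a patch, one file is missing and one
    unexpected file appeared. Returns the comparison result."""
    golden = {"lib/libc.so.6": b"libc build 1", "bin/tool": b"tool",
              "etc/rc.conf": b"hostname=x"}
    running = {"lib/libc.so.6": b"libc build 2",  # same size, new content
               "bin/tool": b"tool",
               "bin/extra": b"unexpected"}         # etc/rc.conf is absent
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        _populate(a, golden)
        _populate(b, running)
        stored = format_spec(build_spec(a))  # the spec you would keep on file
        return compare_specs(parse_spec(stored), build_spec(b))


if __name__ == "__main__":
    print(demo())
```

The digest is what makes this useful for patch tracking: a rebuilt binary of the same size and mode shows up only because its hash changed. Note the limit of the approach as stated in the thread: a spec taken from a pre-production build tells you that a file changed, not which advisory it now satisfies; for that, the per-advisory spec Joel proposes is the piece that has to be supplied alongside the patch.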
From: Cy Schubert
To: freebsd-ports@freebsd.org
Date: Wed, 05 Jul 2006 08:39:27 -0700
Subject: HEADS UP: Krb5-1.5
Resent-To: freebsd-security@freebsd.org
Resent-Date: Wed, 05 Jul 2006 08:41:18 -0700
Resent-From: Cy Schubert

There is an issue with the new Kerberos 1.5. It does not currently support building static libraries. I'm willing to leave the port at 1.4.3 until MIT fixes the static library build. OTOH, if folks want 1.5, without static library support, the 1.5 port is ready to commit. I may update the port to build 1.5 if static libraries are not wanted and build 1.4.3 if they are wanted. Static libraries are not a high priority for the Kerberos project at the moment.

-- 
Cheers,
Cy Schubert
FreeBSD UNIX:  Web:  http://www.FreeBSD.org

e**(i*pi)+1=0

_______________________________________________
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org"

From: Cy Schubert
To: freebsd-ports@freebsd.org, freebsd-security@freebsd.org
Date: Thu, 06 Jul 2006 07:25:11 -0700
Subject: Re: HEADS UP: Krb5-1.5
In-Reply-To: Your message of "Wed, 05 Jul 2006 08:39:27 PDT." <200607051539.k65FdRet034238@cwsys.cwsent.com>

In message <200607051539.k65FdRet034238@cwsys.cwsent.com>, Cy Schubert writes:
> There is an issue with the new Kerberos 1.5. It does not currently support
> building static libraries. I'm willing to leave the port at 1.4.3 until MIT
> fixes the static library build. OTOH, if folks want 1.5, without static
> library support, the 1.5 port is ready to commit. I may update the port to
> build 1.5 if static libraries are not wanted and build 1.4.3 if they are
> wanted. Static libraries are not a high priority for the Kerberos project
> at the moment.

There is no simple solution to the problem. Now that Kerberos supports plugins, static linking is no longer supported, at least not until the Kerberos development team has thought through the issue of how to handle plugins in a statically linked environment.

I will commit the krb5 1.5 upgrade to the port as soon as I finish up the pkg-plist.
-- 
Cheers,
Cy Schubert
FreeBSD UNIX:  Web:  http://www.FreeBSD.org

e**(i*pi)+1=0

From: Mikhail Teterin
Organization: Virtual Estates, Inc.
To: net@freebsd.org
Cc: freebsd-security@freebsd.org, imp@freebsd.org
Date: Fri, 7 Jul 2006 20:30:01 -0400
Subject: strange limitation on rcmd()

The manual page says that rcmd() is only to be used by root's processes. On other OSes (Solaris, AIX), trying to call rcmd() without being root simply fails. FreeBSD, however, tries to be helpful and invokes rcmdsh in this case, which is inefficient and leaves the stderr's file descriptor (fd2p) unfilled.

Why? My understanding is, this is to make it harder for would-be attackers to attack machines with .rhosts-based security. But that is nothing more than a bad band-aid anyway -- attacker's own implementation of rcmd() (without the geteuid() checks) is trivial...

So, without providing any meaningful security improvement (who is relying on .rhosts for security anyway?!), we are impeding a very useful functionality. rcmd offers an efficient way to send your data to a command "abroad" and even has a mechanism for getting the remote's stderr -- assuming your network is secure enough for you to trust .rhosts.

Why are we duplicating the misguided efforts of commercial Unixes and limiting it to root only? "Mechanism, not policy", please...
-mi

From: Robert Watson
To: trustedbsd-discuss@TrustedBSD.org
Cc: freebsd-security@FreeBSD.org
Date: Sat, 8 Jul 2006 11:16:00 +0100 (BST)
Subject: Poll for users: mac_partition and mac_ifoff policies

Dear all,

I'm currently in the process of reviewing the use of the MAC Framework in FreeBSD, following meetings at the developer summit about proposed simplifications and enhancements.

One of the on-going concerns I have had is that several of the policies we ship are reference implementation policies, rather than reference user policies:

  mac_ifoff     - Interface silencing
  mac_partition - Process space partitions
  mac_stub      - Stub MAC policy entry points
  mac_test      - Invariants testing

While mac_stub and mac_test are both extremely useful for developers as shipped, it's not clear to me that mac_ifoff and mac_partition offer significantly similar value, and as they are reference policies rather than production policies, my leaning is to provide them as downloads on the TrustedBSD web site and via p4, but to not ship them with FreeBSD 7.0.

So this e-mail is to poll to see if anyone is currently using the mac_ifoff and mac_partition policies in production, and would object on those grounds to shipping them separately from the base OS.

Robert N M Watson
Computer Laboratory
University of Cambridge