Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 18 Feb 2008 02:19:50 +0000 (GMT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Borja Marcos <BORJAMAR@SARENET.ES>
Cc:        freebsd-security@freebsd.org
Subject:   Re: MAC subsystem problem (FreeBSD 7)
Message-ID:  <20080218021649.L96329@fledge.watson.org>
In-Reply-To: <D2D61EC2-6A67-4F7F-B252-FF2318FFF1CF@SARENET.ES>
References:  <D2D61EC2-6A67-4F7F-B252-FF2318FFF1CF@SARENET.ES>

next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 15 Feb 2008, Borja Marcos wrote:

> I'm trying to set up a DNS server under FreeBSD using the mac_biba policy. I 
> use to run bind in low-integrity mode, so that neither it or any of its 
> descendants can modify configuration files, etc.
>
> With previous FreeBSD versions there was a handy sysctl setting, 
> "security.mac.enforce_socket" that allowed to bypass the MAC restrictions 
> for a socket. I think it's not a bad idea. After all machines can 
> communicate with untrusted nodes over a network. In my opinion, enforcing 
> the mac_biba restrictions so that a network communication with a local 
> process behaves _differently_ than a network communication with a different 
> node is a bad idea.
>
> Any reason why this setting has been eliminated? I think that the best 
> solution is to keep it and let the administrator decide.

Borja,

The interface was removed on the basis that it was a debugging setting, and in 
some cases can lead to the incorrect behavior of policies (for example, lomac, 
although not biba).  The interface should actually be implemented within the 
policy so that policies still receive the entry points, but decide to ignore 
them for policy reasons, rather than preventing the entry points from being 
made to the policy.  However, we can add them to individual policies, 
especially if they are useful.  Could I ask you to file a PR for this issue, 
and forward me the PR receipt?  I probably won't get to this for a week or 
two, but would be happy to investigate making the change to reintroduce object 
class controls of the same sort in biba (and the other policies).

Just to be clear: the problem you're running into is that loopback network 
connections are controlled by biba, preventing certain loopback operations?

Robert N M Watson
Computer Laboratory
University of Cambridge



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080218021649.L96329>