Date: Tue, 11 Feb 2014 18:27:25 +0100 From: Andreas Jonsson <andreas@romab.com> To: freebsd-security@freebsd.org Subject: Re: Proposal: tunable default/init label for MAC policies Message-ID: <52FA5D7D.9010402@romab.com> In-Reply-To: <5C244CC2-A0D5-43B9-BA30-6B54E02F1C0F@sarenet.es> References: <5C244CC2-A0D5-43B9-BA30-6B54E02F1C0F@sarenet.es>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2014-02-11 11:28, Borja Marcos wrote:
<snip>
> A tunable like security.mac.{mls,biba...}.default_label or, maybe,
> more appropiately, security.{mac,biba...}.init_lable would allow the
> administrator to, for example, limit the usage of the MAC policies to
> descendants of certain processes. In our case, with most of the OS
> having the usual Unix security requirements, except for the
> intrinsicly dangerous stuff such as Apache and PHP/CGIs, init labels
> of {mls,biba}/equal would be more than enough, applying the necessary
> labels to the untrusted processes.
>
> What do you think? I am sure this makes the MAC policies much more
> useful, and much easier to integrate with the typical Unix software
> without unnecessary incompatibilities, and of course not just for our
> particular scenario.
>
> Borja.
Hi list,
I think that being able to set the MAC process label from rc.conf would
be a better and more flexible way of moving forward, so that modifying
rc-scripts everywhere would be unnecessary.
Thinking about how to handle this in the contexts of jails would also be
nice. Currently using jail_poststart_exec to jexec with the correct
label is a bit of a pain. Perhaps there is a better way that i am
unaware of?
br
andreas
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?52FA5D7D.9010402>