Date: Tue, 11 Feb 2014 18:27:25 +0100 From: Andreas Jonsson <andreas@romab.com> To: freebsd-security@freebsd.org Subject: Re: Proposal: tunable default/init label for MAC policies Message-ID: <52FA5D7D.9010402@romab.com> In-Reply-To: <5C244CC2-A0D5-43B9-BA30-6B54E02F1C0F@sarenet.es> References: <5C244CC2-A0D5-43B9-BA30-6B54E02F1C0F@sarenet.es>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2014-02-11 11:28, Borja Marcos wrote: <snip> > A tunable like security.mac.{mls,biba...}.default_label or, maybe, > more appropiately, security.{mac,biba...}.init_lable would allow the > administrator to, for example, limit the usage of the MAC policies to > descendants of certain processes. In our case, with most of the OS > having the usual Unix security requirements, except for the > intrinsicly dangerous stuff such as Apache and PHP/CGIs, init labels > of {mls,biba}/equal would be more than enough, applying the necessary > labels to the untrusted processes. > > What do you think? I am sure this makes the MAC policies much more > useful, and much easier to integrate with the typical Unix software > without unnecessary incompatibilities, and of course not just for our > particular scenario. > > Borja. Hi list, I think that being able to set the MAC process label from rc.conf would be a better and more flexible way of moving forward, so that modifying rc-scripts everywhere would be unnecessary. Thinking about how to handle this in the contexts of jails would also be nice. Currently using jail_poststart_exec to jexec with the correct label is a bit of a pain. Perhaps there is a better way that i am unaware of? br andreas
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?52FA5D7D.9010402>