Date: Tue, 29 Jun 2004 13:23:49 -0500
From: Guy Helmer <ghelmer@palisadesys.com>
To: Kevin Lyons <kevin_lyons@ofdengineering.com>
Cc: freebsd-chat@freebsd.org
Subject: Re: "TrustedBSD" addons
Message-ID: <40E1B3B5.1020906@palisadesys.com>
In-Reply-To: <40E1A6C0.2040406@ofdengineering.com>
References: <40E1A6C0.2040406@ofdengineering.com>

Kevin Lyons wrote:

> I was reading with some surprise that some of the MAC and other
> "addons" from trusted bsd are to be incorporated.

Old news.

> I can already see the security advisories for these things like we've
> had for tcpwrapper, kerberos, heimdal, jail, openssl, etcetera ad
> infinitum.

How many of these were developed as part of BSD? One: jail.

> Is this the right way to go? We're adding more bloat while openbsd is
> cleaning itself and reworking kernel memory allocation to make
> exploits near impossible.

That's great work. Now, let's build on that so that the entire system
is properly compartmentalized (i.e., MAC).

> I dloaded 5.2 but haven't installed yet. I hope there is a way to
> disable the MAC and other of these "trustedbsd features" that seem to
> keep DARPA funded userland people busy.

Is it so much harder to look a little more deeply at the system than to
write a troll/rant? Yes, MAC is a group of kernel compile options, and
they are not shipped as part of the GENERIC kernel. From
/sys/conf/NOTES:

# Support for Mandatory Access Control (MAC):
options MAC
options MAC_BIBA
options MAC_BSDEXTENDED
options MAC_DEBUG
options MAC_IFOFF
options MAC_LOMAC
options MAC_MLS
options MAC_NONE
options MAC_PARTITION
options MAC_PORTACL
options MAC_SEEOTHERUIDS
options MAC_STUB
options MAC_TEST

Please take a look at the TrustedBSD implementation before ranting
about "DARPA funded userland people". There are good reasons why these
people were funded.

Guy