From: "Ricardo A. Reis"
To: freebsd-current@freebsd.org
Date: Thu, 13 Sep 2007 15:10:33 -0300
Message-ID: <398a5c890709131110u2c0acc81r3e511a4b4e6a5521@mail.gmail.com>
Subject: Mac lomac/high(low-high) can't see lomac/low(low-low) in FreeBSD 7.0-Current
List-Id: Discussions about the use of FreeBSD-current

Hi,

I am attempting to create a web environment with mac_lomac and mac_partition, but the root user can't see the insecure user.

My configurations:

teste# kldstat
Id Refs Address    Size     Name
 1   10 0xc0400000 903430   kernel
 2    1 0xc0d04000 2464     accf_http.ko
 3    1 0xc0d07000 1fb4     mac_partition.ko
 4    1 0xc0d09000 21b8     mac_seeotheruids.ko
 5    1 0xc0d0c000 a5bc     mac_lomac.ko
 6    1 0xc0d17000 6a2c4    acpi.ko

teste# cat /boot/loader.conf|grep -v #
accf_http_load="YES"
mac_lomac_load="YES"
mac_partition_load="YES"
security.mac.lomac.trust_all_interfaces=1
mac_seeotheruids_load="YES"

teste# cat /etc/mac.conf |grep -v #
default_labels file ?biba,?lomac
default_labels ifnet ?biba,?lomac
default_labels process ?biba,?lomac,?partition
default_labels socket ?biba,?lomac

login.conf
....................
insecure:\
        :copyright=/etc/COPYRIGHT:\
        :welcome=/etc/motd:\
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
        :path=~/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
        :manpath=/usr/share/man /usr/local/man:\
        :nologin=/usr/sbin/nologin:\
        :cputime=1h30m:\
        :datasize=8M:\
        :vmemoryuse=100M:\
        :stacksize=2M:\
        :memorylocked=4M:\
        :memoryuse=8M:\
        :filesize=8M:\
        :coredumpsize=8M:\
        :openfiles=24:\
        :maxproc=32:\
        :priority=0:\
        :requirehome:\
        :passwordtime=91d:\
        :umask=022:\
        :ignoretime@:\
        :label=lomac/low(low-low),partition/1:
----------------
default
        ....
        ....
        :label=lomac/high(low-high):
-----------------

root user = default class
www user = insecure class

teste# getpmac
lomac/high(low-high),partition/0

ps -Zaxu
-----------------------------------------------------------------------------------
LABEL                             USER    PID  %CPU %MEM   VSZ   RSS TT STAT STARTED       TIME COMMAND
lomac/equal(low-high),partition/0 root     11 100.0  0.0     0     8 ?? RL   Wed11AM 1644:53.86 [idle: cpu3]
lomac/equal(low-high),partition/0 root     12 100.0  0.0     0     8 ?? RL   Wed11AM 1645:05.20 [idle: cpu2]
lomac/equal(low-high),partition/0 root     13 100.0  0.0     0     8 ?? RL   Wed11AM 1645:03.54 [idle: cpu1]
lomac/equal(low-high),partition/0 root     14 100.0  0.0     0     8 ?? RL   Wed11AM 1643:32.38 [idle: cpu0]
lomac/equal(low-high),partition/0 root      0   0.0  0.0     0     0 ?? WLs  Wed11AM    0:00.01 [swapper]
lomac/high(low-high),partition/0  root      1   0.0  0.0  1888   464 ?? SLs  Wed11AM    0:00.01 /sbin/init --
lomac/equal(low-high),partition/0 root      2   0.0  0.0     0     8 ?? DL   Wed11AM    0:01.90 [g_event]
lomac/equal(low-high),partition/0 root      3   0.0  0.0     0     8 ?? DL   Wed11AM    0:04.99 [g_up]
lomac/equal(low-high),partition/0 root      4   0.0  0.0     0     8 ?? DL   Wed11AM    0:04.25 [g_down]
lomac/equal(low-high),partition/0 root      5   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.00 [kqueue taskq]
lomac/equal(low-high),partition/0 root      6   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.00 [acpi_task_0]
lomac/equal(low-high),partition/0 root      7   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.00 [acpi_task_1]
lomac/equal(low-high),partition/0 root      8   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.00 [acpi_task_2]
lomac/equal(low-high),partition/0 root      9   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.00 [xpt_thrd]
lomac/equal(low-high),partition/0 root     10   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.00 [audit]
lomac/equal(low-high),partition/0 root     15   0.0  0.0     0     8 ?? WL   Wed11AM    0:00.00 [swi1: net]
lomac/equal(low-high),partition/0 root     16   0.0  0.0     0     8 ?? WL   Wed11AM    1:46.42 [swi4: clock sio]
lomac/equal(low-high),partition/0 root     17   0.0  0.0     0     8 ?? WL   Wed11AM    0:00.00 [swi3: vm]
lomac/equal(low-high),partition/0 root     18   0.0  0.0     0     8 ?? DL   Wed11AM    0:10.05 [yarrow]
lomac/equal(low-high),partition/0 root     19   0.0  0.0     0     8 ?? WL   Wed11AM    0:01.40 [swi6: Giant taskq]
lomac/equal(low-high),partition/0 root     20   0.0  0.0     0     8 ?? WL   Wed11AM    0:00.00 [swi6: task queue]
lomac/equal(low-high),partition/0 root     21   0.0  0.0     0     8 ?? WL   Wed11AM    0:00.00 [swi2: cambio]
lomac/equal(low-high),partition/0 root     22   0.0  0.0     0     8 ?? WL   Wed11AM    0:00.00 [swi5: +]
lomac/equal(low-high),partition/0 root     23   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.00 [thread taskq]
lomac/equal(low-high),partition/0 root     24   0.0  0.0     0     8 ?? WL   Wed11AM    0:00.00 [irq9: acpi0]
lomac/equal(low-high),partition/0 root     25   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.00 [em0 taskq]
lomac/equal(low-high),partition/0 root     26   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.00 [em1 taskq]
lomac/equal(low-high),partition/0 root     27   0.0  0.0     0     8 ?? WL   Wed11AM    0:01.70 [irq17: aac0]
lomac/equal(low-high),partition/0 root     28   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.02 [aac0aif]
lomac/equal(low-high),partition/0 root     29   0.0  0.0     0     8 ?? WL   Wed11AM    0:28.00 [irq258: bce0]
lomac/equal(low-high),partition/0 root     30   0.0  0.0     0     8 ?? WL   Wed11AM    0:00.00 [irq259: bce1]
lomac/equal(low-high),partition/0 root     31   0.0  0.0     0     8 ?? WL   Wed11AM    0:00.00 [irq23: uhci0 uhci+]
lomac/equal(low-high),partition/0 root     32   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.04 [usb0]
lomac/equal(low-high),partition/0 root     33   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.00 [usbtask-hc]
lomac/equal(low-high),partition/0 root     34   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.00 [usbtask-dr]
lomac/equal(low-high),partition/0 root     35   0.0  0.0     0     8 ?? WL   Wed11AM    0:00.00 [irq22: uhci1 uhci3]
lomac/equal(low-high),partition/0 root     36   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.00 [usb1]
lomac/equal(low-high),partition/0 root     37   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.01 [usb2]
lomac/equal(low-high),partition/0 root     38   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.01 [usb3]
lomac/equal(low-high),partition/0 root     39   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.01 [usb4]
lomac/equal(low-high),partition/0 root     40   0.0  0.0     0     8 ?? WL   Wed11AM    0:00.00 [irq14: ata0]
lomac/equal(low-high),partition/0 root     41   0.0  0.0     0     8 ?? WL   Wed11AM    0:00.00 [irq15: ata1]
lomac/equal(low-high),partition/0 root     42   0.0  0.0     0     8 ?? WL   Wed11AM    0:00.00 [irq1: atkbd0]
lomac/equal(low-high),partition/0 root     43   0.0  0.0     0     8 ?? WL   Wed11AM    0:00.00 [swi0: sio]
lomac/equal(low-high),partition/0 root     44   0.0  0.0     0    16 ?? DL   Wed11AM    0:00.00 [sctp_iterator]
lomac/equal(low-high),partition/0 root     45   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.05 [pagedaemon]
lomac/equal(low-high),partition/0 root     46   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.00 [vmdaemon]
lomac/equal(low-high),partition/0 root     47   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.00 [pagezero]
lomac/equal(low-high),partition/0 root     48   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.27 [bufdaemon]
lomac/equal(low-high),partition/0 root     49   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.39 [vnlru]
lomac/equal(low-high),partition/0 root     50   0.0  0.0     0     8 ?? DL   Wed11AM    1:09.13 [syncer]
lomac/equal(low-high),partition/0 root     51   0.0  0.0     0     8 ?? DL   Wed11AM    0:00.48 [softdepflush]
lomac/high(low-high),partition/0  root    648   0.0  0.0  3240  1008 ?? Ss   Wed11AM    0:00.00 /usr/sbin/moused -p /dev/ums0 -t auto -I /va
lomac/high(low-high),partition/0  root    700   0.0  0.0  1888   524 ?? Ss   Wed11AM    0:00.00 /sbin/devd
lomac/high(low-high),partition/0  root    769   0.0  0.0  3156  1192 ?? Ss   Wed11AM    0:00.13 /usr/sbin/syslogd -s
lomac/high(low-high),partition/0  root    883   0.0  0.1  5592  3056 ?? Ss   Wed11AM    0:00.00 /usr/sbin/sshd
lomac/high(low-high),partition/0  root    890   0.0  0.0  3184  1260 ?? Ss   Wed11AM    0:00.17 /usr/sbin/cron -s
lomac/high(low-high),partition/0  root    946   0.0  0.1  8360  3916 ?? Ss   Wed11AM    0:00.03 sshd: grede [priv] (sshd)
lomac/high(low-high),partition/0  grede   949   0.0  0.1  8360  3932 ?? S    Wed11AM    0:00.07 sshd: grede@ttyp0 (sshd)
lomac/high(low-high),partition/0  root    938   0.0  0.0  3156  1076 v0 Ss+  Wed11AM    0:00.00 /usr/libexec/getty Pc ttyv0
lomac/high(low-high),partition/0  root    939   0.0  0.0  3156  1076 v1 Ss+  Wed11AM    0:00.00 /usr/libexec/getty Pc ttyv1
lomac/high(low-high),partition/0  root    940   0.0  0.0  3156  1076 v2 Ss+  Wed11AM    0:00.00 /usr/libexec/getty Pc ttyv2
lomac/high(low-high),partition/0  root    941   0.0  0.0  3156  1076 v3 Ss+  Wed11AM    0:00.00 /usr/libexec/getty Pc ttyv3
lomac/high(low-high),partition/0  root    942   0.0  0.0  3156  1076 v4 Ss+  Wed11AM    0:00.00 /usr/libexec/getty Pc ttyv4
lomac/high(low-high),partition/0  root    943   0.0  0.0  3156  1076 v5 Ss+  Wed11AM    0:00.00 /usr/libexec/getty Pc ttyv5
lomac/high(low-high),partition/0  root    944   0.0  0.0  3156  1076 v6 Ss+  Wed11AM    0:00.00 /usr/libexec/getty Pc ttyv6
lomac/high(low-high),partition/0  root    945   0.0  0.0  3156  1076 v7 Ss+  Wed11AM    0:00.00 /usr/libexec/getty Pc ttyv7
lomac/high(low-high),partition/0  grede   950   0.0  0.1  5444  2920 p0 Ss   Wed11AM    0:00.01 -tcsh (tcsh)
lomac/high(low-high),partition/0  root    952   0.0  0.1  3592  1572 p0 S    Wed11AM    0:00.01 su -
lomac/high(low-high),partition/0  root    953   0.0  0.1  5444  3212 p0 S    Wed11AM    0:00.05 -su (csh)
lomac/high(low-high),partition/0  root   4522   0.0  0.0  3220  1052 p0 R+   2:57PM     0:00.00 ps -Zaxu

----------------------------
Apache

teste# /usr/sbin/setpmac lomac/low\(low-low\),partition/1 apachectl start
teste# /usr/sbin/setpmac lomac/low\(low-low\),partition/1 csh
teste# ps -Zaxu
teste# getpmac
lomac/low(low-low),partition/1
LABEL                             USER    PID  %CPU %MEM   VSZ   RSS TT STAT STARTED       TIME COMMAND
lomac/low(low-low),partition/1    www    4529   5.7  0.5 28092 17196 ?? S    2:58PM     0:00.00 /usr/local/sbin/httpd
lomac/low(low-low),partition/1    www    4530   5.7  0.5 28092 17196 ?? S    2:58PM     0:00.00 /usr/local/sbin/httpd
lomac/low(low-low),partition/1    www    4531   5.7  0.5 28092 17196 ?? S    2:58PM     0:00.00 /usr/local/sbin/httpd
lomac/low(low-low),partition/1    www    4532   5.7  0.5 28092 17196 ?? S    2:58PM     0:00.00 /usr/local/sbin/httpd
lomac/low(low-low),partition/1    www    4533   5.7  0.5 28092 17196 ?? S    2:58PM     0:00.00 /usr/local/sbin/httpd
lomac/low(low-low),partition/1    root   4528   5.0  0.5 28052 17152 ?? Ss   2:58PM     0:00.52 /usr/local/sbin/httpd
lomac/low(low-low),partition/1    root   4534   0.0  0.1  5444  3000 p0 S    2:58PM     0:00.01 csh
lomac/low(low-low),partition/1    root   4538   0.0  0.0  3220  1000 p0 R+   2:59PM     0:00.00 ps -Zaxu

Thanks for any help...

Ricardo A. Reis