From owner-freebsd-security@FreeBSD.ORG Wed Feb 12 11:50:44 2014
Subject: Re: Proposal: tunable default/init label for MAC policies
From: Borja Marcos
To: Andreas Jonsson
Cc: freebsd-security@freebsd.org
Date: Wed, 12 Feb 2014 12:50:40 +0100
Message-Id: <43E2DE29-2349-4734-9E90-081EA5373406@sarenet.es>
In-Reply-To: <52FA5D7D.9010402@romab.com>
References: <5C244CC2-A0D5-43B9-BA30-6B54E02F1C0F@sarenet.es> <52FA5D7D.9010402@romab.com>
List-Id: "Security issues [members-only posting]"

On Feb 11, 2014, at 6:27 PM, Andreas Jonsson wrote:

> Hi list,
> I think that being able to set the MAC process label from rc.conf would
> be a better and more flexible way of moving forward, so that modifying
> rc-scripts everywhere would be unnecessary.

For a "default" label, I think the right place is a tunable which can only be changed from loader.conf, and can't be changed while the system is running.

Something different, of course, would be the option to assign a certain label to a service, with a variable such as "apache24_maclabel" set in rc.conf. That would be great as well, but it's an entirely different issue imho. ;)

Borja.