From: Robert Watson
Date: Wed, 31 Jul 2002 08:26:46 -0700 (PDT)
Message-Id: <200207311526.g6VFQk4x084429@freefall.freebsd.org>
Subject: PERFORCE change 15311 for review
To: Perforce Change Reviews

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15311

Change 15311 by rwatson@rwatson_tislabs on 2002/07/31 08:26:17

Update MAC notes.

Affected files ...

.. //depot/projects/trustedbsd/mac/MACREADME#20 edit

Differences ...

==== //depot/projects/trustedbsd/mac/MACREADME#20 (text+ko) ====
@@ -22,21 +22,16 @@ others may be loaded when needed before or after the boot. The following loader.conf lines are currently relevant: -babyaudit_load="NO" # Baby auditing module mac_biba_load="NO" # Biba MAC policy (boot only) mac_bsdextended_load="NO" # BSD/extended MAC policy mac_ifoff="NO" # Interface silencing policy mac_mls_load="NO" # MLS MAC policy (boot only) mac_none_load="NO" # Null MAC policy +mac_partition_load="NO" # Partition MAC policy mac_seeotheruids_load="NO" # UID visbility MAC policy mac_te_load="NO" # Type Enforcement policy (boot only) - -To include support for SEBSD, a port of the NSA FLASK and SELinux TE -implementations, add the following kernel option: +sebsd_load="NO" # Port of SELinux/FLASK (boot only) -options SEBSD - -This will be available as a module also in due course. Kernel options known not to work with MAC ----------------------------------------- @@ -54,6 +49,7 @@ Using those options may result in incorrect security behavior, memory corruption, or a kernel panic. They do not work with MAC at this time. +They should work correctly using GENERIC. Kernel SLIP support may not work correctly, as outgoing mbufs are not labeled due to lack of a label to apply. Probably, the label should be 
@@ -82,13 +78,15 @@ The NFS server code in many places currently ignores MAC protection. This may or may not be the best behavior, as in the past NFS could always override discretionary access control due to running in the -kernel as root all the time. CODA support is probably in the same +kernel as root all the time. However, because NFS sometimes invokes +higher level VFS functionality, such as namei(), MAC protections +may be inconsistently enforced. CODA support is probably in the same condition. -Currently, non-FreeBSD ABIs are not supported. This includes the Linux -compatibility layer, and other related components (SCO, et al). They -will likely not correctly check MAC operations in all cases that the -normal FreeBSD ABI code does. +Currently, non-FreeBSD ABIs are not fully supported. This includes +the Linux compatibility layer, and other related components (SCO, et al). +They will likely not correctly check MAC operations in all cases that the +normal FreeBSD ABI code does; the status of the ABIs is improving. Client-side NFS locking is known to Do The Wrong Thing, for a variety of reasons. Unlike the other components of the kernel NFS client, @@ -118,7 +116,7 @@ Don't use netboot without setting the loader.conf setting to indicate to Biba which interface is trusted. Otherwise, the NFS client will -fail as it cannot send packets via the interface. +fail as it cannot send packets via the interface. (This may be broken). Things that look like they should work but don't ------------------------------------------------
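
Review bot: the added sebsd_load="NO" line in the @@ -22,21 +22,16 @@ hunk replaces the "options SEBSD" paragraph without saying whether the kernel option is still accepted, so a reader who already has "options SEBSD" in a kernel config cannot tell whether it has to be removed; one sentence on that next to the new entry would settle it. While this list is being touched, the context line for mac_seeotheruids_load reads "UID visbility" (should be "visibility"), and mac_ifoff is the only entry without a _load suffix, which is worth confirming against the actual module name.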
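
Review bot: the added sentence "They should work correctly using GENERIC." in the @@ -54,6 +49,7 @@ hunk has an ambiguous subject. It directly follows "They do not work with MAC at this time.", where "They" means the kernel options just listed, so the new line reads as contradicting the warning about incorrect security behavior, memory corruption, or a kernel panic. Name the subject explicitly (whatever is expected to work when built from GENERIC) and consider moving the sentence into its own paragraph so the warning stays unqualified.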
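
Review bot: the new NFS text in the @@ -82,13 +78,15 @@ hunk says MAC protections "may be inconsistently enforced" but gives the administrator nothing to act on. Since the inconsistency comes from the server only sometimes going through higher level VFS functions such as namei(), the README should say plainly that MAC policy cannot be relied on for NFS-exported file systems, or list which paths are checked. The same applies to the ABI paragraph in this hunk: "not fully supported" and "the status of the ABIs is improving" do not tell a reader which MAC checks are missing under the Linux compatibility layer, so either name the known gaps or keep the earlier, more conservative wording.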
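
Review bot: the appended "(This may be broken)." in the @@ -118,7 +116,7 @@ hunk does not say what "This" is. It could mean the loader.conf setting, netboot under Biba as a whole, or the described failure mode, and each reading leads to a different conclusion about whether netboot is safe to use with Biba loaded. State which piece is suspected broken, and name the loader.conf setting itself, which the paragraph refers to only as "the loader.conf setting". Minor: the period belongs inside the parentheses.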