From owner-freebsd-security@FreeBSD.ORG Wed Feb 6 16:54:13 2013
Message-ID: <5112895E.5050506@romab.com>
Date: Wed, 06 Feb 2013 17:48:30 +0100
From: Andreas Jonsson
To: freebsd-security@freebsd.org
Subject: FreeBSD 9.1 MAC Multilabel on nullfs

Hi List!

Don't see much discussion about MAC here, time to change that! :-)

Currently trying to set up a service jail, according to instructions in the handbook[1]. The problem I'm facing is that nullfs does not seem to support multilabeled filesystems, or am I missing something?

    ls -lZ /usr/js/testjail/var/run/test
    -rw-r--r--  1 root  wheel  biba/equal  0 Feb  6 17:15 /usr/js/testjail/var/run/test

Nullfs-mounting it inside the jail:

    ls -lZ /usr/j/testjail/s/var/run/test
    -rw-r--r--  1 root  wheel  biba/high  0 Feb  6 17:15 /usr/j/testjail/s/var/run/test

Currently, it looks like this:

    /usr/j/mroot on /usr/j/testjail (nullfs, local, nosuid, read-only)
    /usr/js/testjail on /usr/j/testjail/s (nullfs, local, nosuid)
    devfs on /usr/j/testjail/dev (devfs, local, multilabel)

From inside the jail (where this directory is mounted), the MAC label appears to be the following instead:

    # ls -lZ /var/run/test
    -rw-r--r--  1 root  wheel  biba/high  0 Feb  6 16:15 /var/run/test

Does the list have any suggestions for workarounds? One alternative would be to create a jail without shared root filesystems and skip nullfs, but perhaps there are other tricks I am not aware of?

BR
Andreas

[1] http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-application.html
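The mismatch Andreas describes (a file labelled biba/equal on the underlying filesystem that shows up as biba/high through the nullfs mount) is easy to miss when many files are involved, so a small audit that walks the underlying tree and compares each file's label with the one visible at the mount point is a useful check before trusting a jail's view of labels. The script below is an added example and not part of the original message or of FreeBSD; it parses the `ls -lZ` field layout quoted above (the label is the fifth column), and the `audit_nullfs_labels` function assumes a FreeBSD host with a labelling policy such as mac_biba loaded and `ls -lZ` available. The two sample lines in the comments are constructed from the post.

```shell
#!/bin/sh
# Added example: detect MAC label divergence between a directory and a
# nullfs mount of it. Field layout follows `ls -lZ`:
#   mode links owner group LABEL size month day time path

# Extract the MAC label (fifth field) from one line of `ls -lZ` output.
#   label_of_line '-rw-r--r-- 1 root wheel biba/equal 0 Feb 6 17:15 /x'
#   prints: biba/equal
label_of_line() {
    printf '%s\n' "$1" | awk '{ print $5 }'
}

# Compare the labels of two `ls -lZ` lines describing the same file as seen
# from the underlying path ($1) and from the nullfs mount ($2).
# Returns 0 when the labels agree, 1 when they differ.
compare_lines() {
    u=$(label_of_line "$1")
    m=$(label_of_line "$2")
    if [ "$u" = "$m" ]; then
        printf 'match %s\n' "$u"
        return 0
    fi
    printf 'MISMATCH underlying=%s mounted=%s\n' "$u" "$m"
    return 1
}

# Walk every regular file under the underlying directory ($1) and compare its
# label with the same relative path under the nullfs mount point ($2).
# FreeBSD-only: relies on `ls -lZ` showing the label as the fifth field.
#   audit_nullfs_labels /usr/js/testjail /usr/j/testjail/s
audit_nullfs_labels() {
    under=$1
    mount=$2
    find "$under" -type f | while IFS= read -r f; do
        rel=${f#"$under"/}
        ul=$(ls -lZ "$f" | awk '{ print $5 }')
        ml=$(ls -lZ "$mount/$rel" 2>/dev/null | awk '{ print $5 }')
        if [ "$ul" != "$ml" ]; then
            printf 'MISMATCH %s: underlying=%s mounted=%s\n' "$rel" "$ul" "$ml"
        fi
    done
}
```

Running `audit_nullfs_labels` against the two paths from the post prints one MISMATCH line per file whose label changes across the nullfs boundary; an empty report means the mount presents the same labels as the backing filesystem.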