Date: Thu, 24 Oct 2002 15:18:49 -0400 (EDT)
From: Robert Watson
To: Brian Feldman
Cc: Perforce Change Reviews
Subject: Re: PERFORCE change 20065 for review

An interesting question will be whether our process-based labels provide close enough behavior to traditional LOMAC "process group" behavior for pipeline downgrades.

Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org Network Associates Laboratories

On Thu, 24 Oct 2002, Brian Feldman wrote:

> http://perforce.freebsd.org/chv.cgi?CH=20065
>
> Change 20065 by green@green_laptop_2 on 2002/10/24 12:00:22
>
> Revocation being enabled is pretty important to LOMAC operation,
> so enable it here by default. Still leave the policy itself
> disabled.
>
> Affected files ...
>
> .. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#17 edit
>
> Differences ...
>
> ==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#17 (text+ko) ==== > > @@ -118,7 +118,7 @@ > &ptys_equal, 0, "Label pty devices as lomac/equal on create"); > TUNABLE_INT("security.mac.lomac.ptys_equal", &ptys_equal); > > -static int revocation_enabled = 0; > +static int revocation_enabled = 1; > SYSCTL_INT(_security_mac_lomac, OID_AUTO, revocation_enabled, CTLFLAG_RW, > &revocation_enabled, 0, "Revoke access to objects on relabel"); > TUNABLE_INT("security.mac.lomac.revocation_enabled", &revocation_enabled); >
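
Review bot: The new default at `static int revocation_enabled = 1;` carries no comment explaining why revocation is on by default while the policy itself stays disabled; that rationale exists only in the change description. A one-line comment above the declaration would keep it with the code. The knob is also still declared `CTLFLAG_RW` and exposed through `TUNABLE_INT("security.mac.lomac.revocation_enabled", ...)`, so the default can be switched back off at runtime or from the loader. If revocation is as important to LOMAC operation as the description says, the help string "Revoke access to objects on relabel" could state what is left in place when it is set to 0.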