Date: Thu, 24 Oct 2002 15:18:49 -0400 (EDT)
From: Robert Watson <rwatson@FreeBSD.org>
To: Brian Feldman <green@FreeBSD.org>
Cc: Perforce Change Reviews <perforce@FreeBSD.org>
Subject: Re: PERFORCE change 20065 for review
Message-ID: <Pine.NEB.3.96L.1021024151822.33116C-100000@fledge.watson.org>
In-Reply-To: <200210241901.g9OJ1EcC021112@repoman.freebsd.org>
An interesting question will be whether our process-based labels provide close enough behavior to traditional LOMAC "process group" behavior for pipeline downgrades. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories On Thu, 24 Oct 2002, Brian Feldman wrote: > http://perforce.freebsd.org/chv.cgi?CH=20065 > > Change 20065 by green@green_laptop_2 on 2002/10/24 12:00:22 > > Revocation being enabled is pretty important to LOMAC operation, > so enable it here by default. Still leave the policy itself > disabled. > > Affected files ... > > .. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#17 edit > > Differences ... > > ==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#17 (text+ko) ==== > > @@ -118,7 +118,7 @@ > &ptys_equal, 0, "Label pty devices as lomac/equal on create"); > TUNABLE_INT("security.mac.lomac.ptys_equal", &ptys_equal); > > -static int revocation_enabled = 0; > +static int revocation_enabled = 1; > SYSCTL_INT(_security_mac_lomac, OID_AUTO, revocation_enabled, CTLFLAG_RW, > &revocation_enabled, 0, "Revoke access to objects on relabel"); > TUNABLE_INT("security.mac.lomac.revocation_enabled", &revocation_enabled); > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
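Review bot: At the `revocation_enabled` declaration, the default becomes 1 but the sysctl stays `CTLFLAG_RW`, so the value can be set back to 0 on a running system through `security.mac.lomac.revocation_enabled`. Since the change description calls revocation "pretty important to LOMAC operation", consider adding a comment at the declaration that records why the default is on, and stating the default in the sysctl description string ("Revoke access to objects on relabel") so that an administrator reading it knows that turning it off departs from the intended configuration.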