Date: Fri, 30 Jan 2004 10:31:41 -0800 (PST)
From: Andrew Reisse <areisse@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 46207 for review
Message-ID: <200401301831.i0UIVfpF030914@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=46207 Change 46207 by areisse@areisse_ibook on 2004/01/30 10:30:40 Document build procedure for init and bootloader, and configuring the bootloader to load the sebsd policy. Affected files ... .. //depot/projects/trustedbsd/sedarwin/bootstrap_instructions.txt#24 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin/bootstrap_instructions.txt#24 (text+ko) ==== @@ -162,6 +162,30 @@ make ; sudo make install cd .. +Step 9.1: Build and install modified MiG program + cd apsl/bootstrap_cmds/migcom.tproj + make ; sudo make install + cd ../../.. + + This mig program is compatible with old kernels as well, as long as the + new features are not used. + +Step 9.2: Build modified mach_init + cd apsl/system_cmds/mach_init.tproj + make ; sudo make install + cd ../../.. + +Step 9.3: Build modified bootloader + The modified bootloader is necessary to read the security policy before + the root filesystem is available. It might work with other kernels as + well. + BEFORE installing this bootloader, make sure you have a working backup + partition (that boots) on the same machine. + cd apsl/BootX + chmod u+w bootx.tproj/bootinfo.hdr + make + sudo cp bootx.bootinfo /System/Library/CoreServices/BootX + Step 10: Build, Install wslogin and WindowServer wrapper In order to allow users to select roles during GUI login, you must 
@@ -190,22 +214,16 @@ Step 11: Build SEDarwin Sample Policy - We provide a minimal sample policy; due to current limitations in loading the - policy at boot-time, we link the sample policy directly into the Darwin kernel - (yes, this is just temporary!). When the policy is built, you end up with - a policy.h file that will get copied into the XNU tree for the kernel build. - Our sample policy file ships with three users: root, andrew, and rwatson. Chances are, you'll want to add a line for your own user based on one of those lines. cd policy - make ; make install + make + sudo cp policy.16 / + sudo nvram load_sebsd_policy=policy.16 cd .. - Until we have this fixed, remember that when you change the policy, you need - to re-install and remake the XNU kernel. - Step 12: Build XNU NOTE: If you skipped the long and tedious elements of Step 2 above, @@ -306,10 +324,10 @@ /sbin/fsck -y /sbin/mount -uw / - Now set the label on the WindowServer binary so that it can transition - during login: + Now set the label on various binaries so they can transition + during system startup: - setfmac sebsd/system_u:object_r:login_exec_t \ - /System/Library/CoreServices/RealWindowServer + cd policy; make relabel - Missing this step will result in login attempts failing. + Missing this step will result in login attempts failing, or + the entire system not working if enforcing mode is enabled.
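
Review bot: In the @@ -162,6 +162,30 @@ hunk, Step 9.3 ends with `sudo cp bootx.bootinfo /System/Library/CoreServices/BootX`, which overwrites the installed bootloader, yet no line in the step saves the existing file first. The warning about a bootable backup partition covers recovery, but a preceding line that copies the current /System/Library/CoreServices/BootX aside would make rollback simpler and would not depend on the backup partition being current. The `chmod u+w bootx.tproj/bootinfo.hdr` line also needs a word on why the header must be made writable, and "It might work with other kernels as well" should say which kernels were actually tried.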
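
Review bot: In the @@ -190,22 +214,16 @@ hunk, Step 11 drops the paragraph that explained how the policy reaches the kernel and adds `sudo cp policy.16 /` and `sudo nvram load_sebsd_policy=policy.16` with no explanation in its place. Please add a sentence saying what the nvram variable does and how it relates to the bootloader built in Step 9.3, and whether the value is a path relative to /. The removed reminder about what to redo after changing the policy also has no successor: state whether re-running `make` and `sudo cp policy.16 /` is enough, or whether a reboot is required. Because the file in / decides which policy is loaded at boot, it is worth stating the owner and mode it is expected to have.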
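
Review bot: In the @@ -306,10 +324,10 @@ hunk, `cd policy; make relabel` uses a relative path, but the context lines just above it (`/sbin/fsck -y`, `/sbin/mount -uw /`) suggest the reader is in a freshly started shell rather than in the source tree, so the step should give the directory to change into first. The explicit `setfmac` command for RealWindowServer is replaced by "various binaries", which leaves the reader unable to check what was relabeled; naming the binaries, or pointing at the Makefile target that lists them, would fix that. Given the new warning that the entire system may not work if enforcing mode is enabled, the text should also say that this step has to be completed before enforcing mode is turned on.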