From owner-freebsd-security@FreeBSD.ORG Sat Feb 26 15:05:36 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EEACF16A4CE for ; Sat, 26 Feb 2005 15:05:36 +0000 (GMT) Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by mx1.FreeBSD.org (Postfix) with SMTP id C35C343D58 for ; Sat, 26 Feb 2005 15:05:35 +0000 (GMT) (envelope-from Mathias.Picker@gmx.de) Received: (qmail invoked by alias); 26 Feb 2005 15:05:34 -0000 Received: from strongdesk.com (EHLO [213.239.214.227]) (213.239.214.227) by mail.gmx.net (mp020) with SMTP; 26 Feb 2005 16:05:34 +0100 X-Authenticated: #23891974 Message-ID: <42209060.7040202@gmx.de> Date: Sat, 26 Feb 2005 16:06:08 +0100 From: Mathias Picker User-Agent: Mozilla Thunderbird 1.0 (X11/20050114) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-security@freebsd.org X-Enigmail-Version: 0.89.6.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Y-GMX-Trusted: 0 Subject: mac questions: stopping root from reading /home && mac_biba stops clean shutdown X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Feb 2005 15:05:37 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I just try to understand the concepts and possiblities behind the mac framework. After days of puzzling I found one puzzling behaviour and still have one immediate question (this is on 5-stable) - - when I enable mac_biba, set root to biba/equal (or any value, actually), and do a setfmac -R biba/equal / I expect biba to be activated without any change to the system behaviour. This seems to be correct, safe for one detail: the system does not shutdown cleanly: it syncs, but never gets to power down or reboot and the disks are not marked clean, so fsck run on next boot. Is this an expected behaviour?? - - What is the easiest way to block root from reading /home once the system is in multiuser.... Thanks for any hints, tips, links to background info about biba + mls Mathias P.S.: bsdextended does not block root from anything, right?? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCIJBgSnKsATEFgwERAk+TAJ9tpmGVlY7W+OcIxj9q4vGqfTTkkgCfTWmK 0/myndlVB1DTfXAFHkxht5g= =vIgR -----END PGP SIGNATURE-----