From: Andreas Jonsson
Date: Tue, 11 Feb 2014 18:27:25 +0100
To: freebsd-security@freebsd.org
Subject: Re: Proposal: tunable default/init label for MAC policies
Message-ID: <52FA5D7D.9010402@romab.com>
In-Reply-To: <5C244CC2-A0D5-43B9-BA30-6B54E02F1C0F@sarenet.es>

On 2014-02-11 11:28, Borja Marcos wrote:
> A tunable like security.mac.{mls,biba...}.default_label or, maybe,
> more appropriately, security.{mac,biba...}.init_lable would allow the
> administrator to, for example, limit the usage of the MAC policies to
> descendants of certain processes. In our case, with most of the OS
> having the usual Unix security requirements, except for the
> intrinsically dangerous stuff such as Apache and PHP/CGIs, init labels
> of {mls,biba}/equal would be more than enough, applying the necessary
> labels to the untrusted processes.
>
> What do you think? I am sure this makes the MAC policies much more
> useful, and much easier to integrate with the typical Unix software
> without unnecessary incompatibilities, and of course not just for our
> particular scenario.
>
> Borja.

Hi list,

I think that being able to set the MAC process label from rc.conf would be a better and more flexible way of moving forward, so that modifying rc-scripts everywhere would be unnecessary.

Thinking about how to handle this in the context of jails would also be nice. Currently, using jail_poststart_exec to jexec with the correct label is a bit of a pain. Perhaps there is a better way that I am unaware of?

br
andreas