Date: Thu, 1 Dec 2005 22:04:07 GMT
From: Todd Miller <millert@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 87616 for review
Message-ID: <200512012204.jB1M47rh086537@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=87616 Change 87616 by millert@millert_g4tower on 2005/12/01 22:03:55 Attempt to update to reality after wslogin -> LoginWindow plugin changes. apiabi.txt needs more work. Affected files ... .. //depot/projects/trustedbsd/sedarwin7/docs/apiabi.txt#3 edit .. //depot/projects/trustedbsd/sedarwin7/docs/build-instructions.txt#2 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin7/docs/apiabi.txt#3 (text+ko) ==== @@ -116,6 +116,9 @@ int getlcid(); int setlcid(); +int __mac_get_lcid(); +int __mac_get_lctx(); +int __mac_set_lctx(); New System Controls - MAC Framework @@ -362,13 +365,33 @@ Set the MAC label of the current process, then execute a command. + New Command Line Utilities - login contexts + +lcs(1) + +Show information about existing login contexts. + +getlcmac(8) + +Print login context related MAC labels. + +setlcmac(8) + +Change the MAC login context label. + New Command Line Utilities - SEDarwin checkpolicy(8) + +Check a policy for correctness and convert to binary format. + loadpolicy(8) -newrole(8) -relabel_gui -wslogin + +XXX - not yet supported. + +sebsd_newrole(8) + +Run a shell with a new role. Modifications to Existing System Services ==== //depot/projects/trustedbsd/sedarwin7/docs/build-instructions.txt#2 (text+ko) ==== @@ -2,9 +2,9 @@ evolves. -Step 1: Mac OS X Panther 10.3.3 +Step 1: Mac OS X Panther 10.3.8 - Install Mac OS X 10.3.3 using the directions found in system-setup.txt. + Install Mac OS X 10.3.8 using the directions found in system-setup.txt. If working within the McAfee Research development environment, install Perforce and configure the Perforce client using the directions found @@ -54,7 +54,7 @@ BUILD_MODULES ?= sedarwin ipctrace mactest mac_mls mac_none mac_stub \ stacktrace - INSTALL_MODULES ?= mac_mls + INSTALL_MODULES ?= sedarwin If modules are built but not installed, you can install them later by extracting the *.kext.tar tarfile from the module source directory 
@@ -90,7 +90,7 @@ including kernel, libraries, program binaries, and policy modules, run the following command from the root of the source tree: - make + $ make Step 5: Prepare distribution directory @@ -99,7 +99,7 @@ temporary distribution directory, run the following command from the top level of the source tree: - make install + $ make install Step 6: Create system upgrade tarfile @@ -108,14 +108,14 @@ binaries, run the following command from the top level of the source tree: - make dist + $ make dist This will create a compressed tarfile from the temporary distribution directory. The file will be called, "sedarwin.tgz" and it will be created in the root of the source tree. This tarfile can be used to install on the current machine, or any other - appropriately updated 10.3.3 system. The following steps presume that + appropriately updated 10.3.8 system. The following steps presume that you have copied the tar file to the target machine. @@ -137,8 +137,8 @@ the older modules will be incompatible. Remove the appropriate KEXT bundles from /System/Library/Extensions. For example: - sudo rm -rf /System/Library/Extensions/sedarwin.kext - sudo rm -rf /System/Library/Extensions/mac_test.kext + $ sudo rm -rf /System/Library/Extensions/sedarwin.kext + $ sudo rm -rf /System/Library/Extensions/mac_test.kext Step 8: Backup files 
@@ -153,36 +153,56 @@ Extract the distribution tarfile from the root of the target machine: - cd / - sudo gnutar xvzf sedarwin.tgz + $ cd / + $ sudo tar zxf sedarwin.tgz Note, there may be some remaining issues with the way in which the boot loader has been replaced. To be safe, it is best to run the bless command to make certain the partition will still be bootable: - sudo bless -folder /System/Library/CoreServices \ + $ sudo bless -folder /System/Library/CoreServices \ -bootinfo /usr/standalone/ppc/bootx.bootinfo Also note that if bless is being used to mark a partition that is different from the current partition that the appropriate /Volume/<name> path should be prepended each filename in the above command, and the - -setBoot option should also be added. + "-setBoot" option should also be added. + + +Step 10: Enable and Configure MAC.loginPlugin + + The MAC.loginPlugin must be enabled. After a new install the maclogin + command must be run to prepare the system for using the MAC.loginPlugin: + + $ sudo /usr/bin/maclogin + [follow instructions] + + After this is performed, further invocations of the maclogin script + allow the MAC.loginPlugin to be enabled and disabled. SEDarwin requires + that the MAC.loginPlugin to be enabled: + + $ sudo /usr/bin/maclogin enable + + Copy /etc/MAClogin.conf.sample to /etc/MAClogin.conf: + + $ sudo cp /etc/MAClogin.conf.sample /etc/MAClogin.conf + + The default values are correct for SEDarwin. -Step 10: Backup and Replace the WindowServer (SEDarwin only) +Step 11: Update PAM configuration - The distribution includes a shell script to replace Apple's Login Window - application with a wrapper that modifies the login process. Run the - script: + Add the following line: - sudo /etc/sedarwin/install-windowserver.sh + session required pam_lctx.so + at the end of the /etc/pam.d/login and /etc/pam.d/sshd files. 
-Step 11(a): Create Extended Attribute File (SEDarwin only) +Step 12(a): Create Extended Attribute File (SEDarwin only) The distribution includes a shell script that creates an extended attribute backing file for the SEDarwin policy module. Run the script: - sudo /etc/sedarwin/create-extattr.sh + $ sudo /etc/sedarwin/create-extattr.sh This will allocate storage space for MAC labels on the root file system. You may wish to run similar commands on other file systems, but it is 
@@ -195,49 +215,58 @@ 256 /Volumes/Spare/.attribute/system/sebsd -Step 11(b): Create Extended Attribute File (MLS only) +Step 12(b): Create Extended Attribute File (MLS only) Run the following two commands to allocate storage space for MLS labels on the root file system. - sudo mkdir -p /.attribute/system - sudo extattrctl initattr -p / 112 /.attribute/system/mac_mls + $ sudo mkdir -p /.attribute/system + $ sudo extattrctl initattr -p / 112 /.attribute/system/mac_mls -Step 12: Configure Policy path (SEDarwin only) +Step 13: Configure Policy path (SEDarwin only) The system boot loader needs to know where the SEDarwin policy file is located; at boot time, it reads the location from the system firmware. - Set the location in the firmware with the following command: + Set the location in the firmware with the following commands: - sudo nvram load_sebsd_policy=policy.16 + $ sudo nvram load_sebsd_policy=policy.16 + $ sudo nvram load_sebsd_migscs=sebsd_migscs Our sample policy file, users, ships with some predefined users. - Chances are, you'll want to add entries for your own user accounts - based on one of the existing entries. The policy sources were - installed into /etc/sedarwin/policy; make changes there, rebuild, - and install the binary policy file: + You should add entries for your own user accounts based on one + of the existing entries. The policy sources were installed into + /etc/sedarwin/policy; make changes there, rebuild, and install + the binary policy file: - cd /etc/sedarwin/policy + $ cd /etc/sedarwin/policy [edit as root] - sudo make - sudo make install + $ sudo make + $ sudo make install + + This step must be taken even if you make no changes to the policy + files. + + NOTE: If a user logs in who is not listed in the users file, the + contents of /etc/sedarwin/failsafe_context will be used as the + context for the user. If that file does not exist, the unlisted + user will be unable to login. 
-Step 13: Reboot in Single User Mode (SEDarwin only) +Step 14: Reboot in Single User Mode (SEDarwin only) At this point, you should now have a new Darwin kernel, support libraries, command line tools, and configuration files installed. Reboot to single-user mode by holding down Command-S during the boot. Check the file system and mount the root file system writable: - /sbin/fsck -y - /sbin/mount -uw / + $ /sbin/fsck -y + $ /sbin/mount -uw / Now set the label on various binaries so they can transition during system startup: - sudo /etc/sedarwin/sebsd-relabel.sh + $ sudo /etc/sedarwin/sebsd-relabel.sh Missing this step will result in the login window failing to start, login attempts failing, or the entire system not working if enforcing @@ -249,7 +278,7 @@ setfmac: traversing /usr/local/bin/*: No such file or directory -Step 14: Reboot +Step 15: Reboot A reboot is required in order for the extended attributes to be recognized by the system. @@ -258,8 +287,9 @@ 'reboot' from the console. Otherwise, restart the machine normally. -Step 15: Verify System Functionality +Step 16: Verify System Functionality + When you log in to the system After booting and logging into the system, verify that you have booted to the correct kernel by running 'uname -a'.
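Review bot: the three prototypes added in the apiabi.txt hunk at @@ -116, `__mac_get_lcid()`, `__mac_get_lctx()` and `__mac_set_lctx()`, are declared with empty parameter lists and no description, which defeats the purpose of an API/ABI document. Give each its argument list, return value, errno values and the privilege needed to call it (setting a login-context label is a privileged operation and the document should say who may do it); the neighbouring `getlcid()` and `setlcid()` entries have the same gap.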
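Review bot: in the apiabi.txt hunk at @@ -362 the line `XXX - not yet supported.` sits between `loadpolicy(8)` and `sebsd_newrole(8)`, so a reader cannot tell whether it describes loadpolicy(8) or stands in for the removed `newrole(8)`, `relabel_gui` and `wslogin` entries. Either attach it explicitly to loadpolicy(8) or replace it with the commands that took over those roles; the build-instructions.txt hunk in this same change introduces `maclogin` and the MAC.loginPlugin, which per the change description replace wslogin, yet neither is listed here.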
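Review bot: the @@ -2 hunk of build-instructions.txt bumps the base release to 10.3.8 and sends readers to system-setup.txt for the install, but system-setup.txt is not among the affected files; confirm it does not still say 10.3.3, otherwise the two documents disagree.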
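Review bot: Steps 10 and 11 in the build-instructions.txt hunk at @@ -153 drop the old install-windowserver.sh step without telling users who ran it on an earlier install how to undo the LoginWindow wrapper before enabling MAC.loginPlugin; add a migration sentence. In Step 11 the instruction is split around the `session required pam_lctx.so` line so it reads as one sentence broken in two; restructure it as "Add the following line at the end of /etc/pam.d/login and /etc/pam.d/sshd:" followed by the line, and state what login context a session gets if the module is omitted from one of those files. Also "requires that the MAC.loginPlugin to be enabled" should read "requires that the MAC.loginPlugin be enabled".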
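Review bot: the NOTE added at the end of Step 13 in the @@ -195 hunk says /etc/sedarwin/failsafe_context supplies the context for any user not listed in the users file, but not which context belongs there; since that file applies to every unlisted account, recommend a deliberately restricted context and point out that refusing the login when the file is absent is the safer default. The new `$ sudo nvram load_sebsd_migscs=sebsd_migscs` line is added without saying what sebsd_migscs is or where it is installed relative to policy.16, so a reader cannot verify it. Separately, Step 14 runs in single-user mode where the shell is already root, so the `$` prompt and `sudo` prefix added to `/sbin/fsck -y`, `/sbin/mount -uw /` and the relabel script are misleading; use a `#` prompt and drop sudo there.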
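Review bot: the added line `+ When you log in to the system` at the top of Step 16 in the @@ -258 hunk is a dangling fragment immediately followed by "After booting and logging into the system, verify ...", which already says the same thing; drop the fragment or finish the sentence.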