From owner-p4-projects@FreeBSD.ORG Tue May 16 20:40:50 2006 Date: Tue, 16 May 2006 20:40:31 GMT Message-Id: <200605162040.k4GKeVgo085442@repoman.freebsd.org>
From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 97297 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 May 2006 20:40:50 -0000 http://perforce.freebsd.org/chv.cgi?CH=97297 Change 97297 by millert@millert_p4 on 2006/05/16 20:40:07 Update docs and add bootstrap procedure for installing SEBSD over stock FreeBSD. Affected files ... .. //depot/projects/trustedbsd/sebsd/Makefile#14 edit .. //depot/projects/trustedbsd/sebsd/SEBSD-Installation.txt#4 edit .. //depot/projects/trustedbsd/sebsd/SEBSD.txt#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/support/loader.conf.additions#1 add Differences ... ==== //depot/projects/trustedbsd/sebsd/Makefile#14 (text+ko) ==== @@ -304,3 +304,20 @@ @echo " (started ${STARTTIME})" @echo "--------------------------------------------------------------" .endif + +# Bootstrapping of SEBSD-specific bits +SEBSD_BOOTSTRAP_CHECK!= grep sebsd_bootstrap /boot/loader.conf +SEBSD_POLICYTYPE!= grep "TYPE" ${.CURDIR}/contrib/sebsd/refpolicy/build.conf | cut -d" " -f3 +sebsd_bootstrap: +.if exists(${.CURDIR}/contrib/sebsd) + @echo "Installing SEBSD policy" + (cd ${.CURDIR}/contrib/sebsd/refpolicy; gmake install-src) + (cd ${DESTDIR}/etc/security/sebsd/${SEBSD_POLICYTYPE}/src/policy; gmake install) +.if empty (BOOTSTRAP_CHECK) + @echo "Making modifications to /boot/loader.conf" + (cat ${.CURDIR}/contrib/sebsd/support/loader.conf.additions | sed s/\#SEBSD_POLICYTYPE\#/${SEBSD_POLICYTYPE}/ >> /boot/loader.conf) +.endif + + +.endif + ==== //depot/projects/trustedbsd/sebsd/SEBSD-Installation.txt#4 (text+ko) ==== 
@@ -2,109 +2,123 @@ SEBSD ships as a kernel loadable module that loads into a FreeBSD 6.0 kernel supporting the TrustedBSD MAC framework -(http://www.trustedbsd.org/). The SEBSD installation CD contains a -modified FreeBSD 6.0 distribution and a MAC kernel. The installation -process installs the FreeBSD operating system, including full source -code and MAC-aware programs. +(http://www.trustedbsd.org/). The SEBSD installation tarball contains a +modified FreeBSD 7.0 source tree. These instructions assume some familiarity with the FreeBSD operating -system installation, boot loader, kernel configuration, etc. The -sysinstall installation application used by SEBSD is nearly identical -to the one used by the FreeBSD project. A custom release was built to -install the SEBSD policy source files and to build a kernel with -TrustedBSD MAC Framework support. For more detailed information on -the FreeBSD operating system or the installation process, refer to the -FreeBSD handbook available at the project website: http://www.freebsd.org/. +system installation, boot loader, kernel configuration, use of the ports +collection etc. + +1. Install a FreeBSD 7.0 snapshot from CD. Our example system used + FreeBSD-7.0-SNAP013 from ftp.freebsd.org. For more information on + installing FreeBSD, see the FreeBSD Handbook at + http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ + Note: it is not required that you install any system source with your + FreeBSD 7.0 installation. The SEBSD source tarball contains an entire + set of system sources. You may want to install the FreeBSD ports + collection as there are some requirements for extra software not + included in the default FreeBSD installation. + +2. Install ports required for SEBSD. Since SEBSD uses policy ported from + SELinux, some additional tools are required for SEBSD to install and + function properly. 
You will need to install the following ports: + + - devel/gmake + - lang/gawk + - lang/python + + There are 2 methods of installing these ports. First is compilation + from the ports collection. This option is more reliable, but takes more + time due to compilation. Here is an example for gmake: + + # cd /usr/ports/devel/gmake + # make install + + The second option is installation of a pre-compiled binary package. + This option can be faster, but there is no guarantee that a binary + package of the proper version will be available. Here is an example + of this installation type for gmake. -1. Boot the FreeBSD 6.0-SEBSD installation CD; this CD will install - the complete operating system, including kernels, user - applications, and complete source code. A series of menus will - prompt the user how to proceed. + # pkg_add -r gmake - a. At the main menu, select an installation method, - typically, the standard installation is adequate. The - remainder of these instructions assume the standard - installation option was selected. +3. Install SEBSD sources. After downloading the sources from + http://www.trustedbsd.org/sebsd.html, untar them into /usr/src. - b. The next menu displays the disk partition manager. As - long as the installation machine will be dedicated to - SEBSD, allow the partition manager to use the entire disk - by selecting 'A'. Select 'Q' to exit the partition - manager. The installation program may print a warning - that this creates a dedicated machine. It will proceed to - ask which boot manager to install; select 'BootMgr' to - install the normal FreeBSD boot manager on this hard disk. + # cd /usr/src + # tar -zxf /path/to/sebsd-.tar.gz - c. The next menu will label the disk to create swap space and - individual file systems. Selecting 'A' will use the - default values. Select 'Q' to proceed to the next menu. +4. Build the SEBSD system. 
This process is similar to the canonical + building of world detailed in the FreeBSD Handbook, with a few + additional steps, and some re-arranging of the typical order. - d. The next menu selects the distributions to install. The - 'Developer' option is recommended. X Window support is - not included on this installation CD, and may be installed - later. Likewise, the optional ports collection is not - include on the SEBSD installation CD. + a. Build the system from sources and bootstrap SEBSD-specific + portions of the system. - e. On the next screen, Select CD/DVD from the installation - media menu. + # cd /usr/src + # make buildworld + # make buildkernel KERNCONF=MAC + # make installworld + # make sebsd_bootstrap + # make installkernel KERNCONF=MAC INSTKERNNAME=MAC - f. Confirm installation. WARNING: With the configuration - recommended in these instructions, all existing data on - the hard disk will be destroyed! + b. Edit /etc/fstab to mark filesystems as 'multilabel'. SEBSD requires + that mounted filesystems utilize the MAC Framework file labeling + support. Entries in your fstab should be edited to add the 'multilabel' + option. Below is an example fstab file: - g. SEBSD will be installed on the machine. Once complete, - the installation program will ask a series of questions to - help configure the new system. Answer these questions as - appropriate. +# Device Mountpoint FStype Options Dump Pass# +/dev/ad0s1b none swap sw 0 0 +/dev/ad0s1a / ufs rw,multilabel 1 1 +/dev/ad0s1e /usr ufs rw,multilabel 2 2 +/dev/ad0s1d /var ufs rw,multilabel 2 2 +/dev/acd0 /cdrom cd9660 ro,noauto 0 0 -2. Reboot the system when prompted. By default, the system will boot - the MAC kernel and load the SEBSD security module (with the - default policy). The file systems have not yet been labeled, so - many warnings will be printed to the system console. 
If it is - necessary to boot the generic FreeBSD kernel (without the MAC - framework), comment out the following lines in /boot/loader.conf: - kernel="MAC" - sebsd_load="YES" - Alternatively, the kernel and modules to load may be selected from - the FreeBSD boot loader. Refer to the FreeBSD handbook for more - information on the boot loader. + c. Reboot the system. By default, the system will boot + the MAC kernel and load the SEBSD security module (with the + default policy). The file systems have not yet been labeled, so + not many warnings will be printed to the system console. If it is + necessary to boot the generic FreeBSD kernel (without the MAC + framework), comment out the following lines in /boot/loader.conf: + kernel="MAC" + sebsd_load="YES" + Alternatively, the kernel and modules to load may be selected from + the FreeBSD boot loader. Refer to the FreeBSD handbook for more + information on the boot loader. -4. Inspect the SEBSD policy. The system comes pre-installed with a +5. Inspect the SEBSD policy. The system comes pre-installed with a sample policy, but local changes might be required. The policy - source is located in /etc/security/sebsd/policy and the compiled - (binary) version is installed in /etc/security/sebsd/policy/policy.bin by - default. Only the binary version is loaded by the SEBSD module at - boot time. An alternate location for the binary policy file may be - specified at the boot loader or in /boot/loader.conf. The boot loader - uses a symbolic link "policy.bin" in the same directory as policy.17, - in case a different policy file version is necessary. + source is located in /etc/security/sebsd/targeted/src/policy and the + compiled (binary) version is installed in + /etc/security/sebsd/targeted/policy/policy.20 by default. Only the + binary version is loaded by the SEBSD module at boot time. An alternate + location for the binary policy file may be specified at the boot loader + or in /boot/loader.conf. 
- Since SEBSD uses the same policy language as SELinux, the SELinux - report titled, "Configuring the SELinux Policy", (available at the - SELinux project web site: http://www.nsa.gov/selinux/) can provide - additional information. If you make changes to the policy source, - you must re-install the modified binary policy: + Since SEBSD uses a ported version of the SELinux reference policy + the SELinux Reference Policy site at Sourceforge + (http://refpolicy.sourceforge.net) can provide additional information. + If you make changes to the policy source, you must re-compile and install + the modified binary policy: - cd /etc/security/sebsd/policy && make install + # cd /etc/security/sebsd/targeted/src/policy && gmake && gmake install If changes were made to the policy, the modified version must be - loaded into the kernel. The /sbin/sebsd_loadpolicy program can be + loaded into the kernel. The /usr/sbin/load_policy program can be used instead of a reboot: - /sbin/sebsd_loadpolicy /etc/security/sebsd/policy/policy.bin + /usr/sbin/load_policy /etc/security/sebsd/targeted/policy/policy.20 - Note that policy.bin is installed by default as a symlink to another - file. If you plan to generate your own policy file then you might - need to adjust this. - -5. Label the file system. By default, extended attribute support was - enabled during the install, but the individual files were not +6. Label the file system. In step 4b, extended attribute support was + enabled in the fstab file , but the individual filesystems were not labeled. To label all file systems, login as root and run the following command: - cd /etc/security/sebsd/policy && make relabel + cd /etc/security/sebsd/targeted/src/policy && gmake relabel + + Note that you will see several errors during the relabel process as + well as many permission denials on the system console. This is normal. -6. Reboot the machine, so that applications can use the file labels +7. 
Reboot the machine, so that applications can use the file labels and will be started in the correct domains. At this point, the machine will be running SEBSD with the sample @@ -119,7 +133,10 @@ To disable: sysctl security.mac.sebsd.enforcing=0 Note that with the sample policy, only root running in the sysadm_r -role is permitted to toggle the enforcement state. +role is permitted to toggle the enforcement state. Also note that +the policy currently supplied is a very early port of the SELinux +reference policy, and will likely not function properly in enforcing +mode. If you would like the machine to default to enforcing mode at boot time, you may specify a default value for this sysctl in ==== //depot/projects/trustedbsd/sebsd/SEBSD.txt#2 (text+ko) ==== @@ -1,11 +1,11 @@ SEBSD - Security-Enhanced BSD SPARTA, Inc. -SEBSD is an experimnetal implementation of NSA's FLASK and Type Enforcement -technologies, ported from SELinux use the TrustedBSD MAC Framework. SEBSD +SEBSD is an experimental implementation of NSA's FLASK and Type Enforcement +technologies, ported from SELinux using the TrustedBSD MAC Framework. SEBSD consists of the following components: -- FreeBSD 6.x source tree. +- FreeBSD 7.x source tree. - SEBSD policy module (src/sys/security/sebsd/) - NSA's FLASK security architecture, including Access Vector Cache 
@@ -16,13 +16,13 @@ - Modified SELinux sample policy, capable of running (with some limitations) on SEBSD. (src/contrib/sebsd/policy/) -- Modifications to the FreeBSD 6.x kernel to extend the MAC Framework to +- Modifications to the FreeBSD 7.x kernel to extend the MAC Framework to support additional labeling and enforcement points required by SEBSD. (src/sys) -- Modifications to the FreeBSD 6.x user space to support transition-based +- Modifications to the FreeBSD 7.x user space to support transition-based labeling changes as part of user credential events. (src/) -- SELinux userland components, including libsepol, libselinux, newrole, +- SELinux userland components, including libsepol, libselinux, libsemanage, and policy tools. (src/contrib/sebsd/{checkpolicy,libselinux,libsepol, - policycoreutils}/) + libsemanage,policycoreutils}/)
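
Review bot: In the Makefile hunk, the guard `.if empty (BOOTSTRAP_CHECK)` tests a name that is never assigned; the grep result is stored in `SEBSD_BOOTSTRAP_CHECK`, so as written the guard never sees it and loader.conf.additions would be appended to /boot/loader.conf on every run of `make sebsd_bootstrap`. Test `SEBSD_BOOTSTRAP_CHECK` instead. The append also targets /boot/loader.conf directly while the policy install on the line above it honours `${DESTDIR}`, and the two `(cd ...; gmake ...)` lines should use `&&` so gmake does not run in the wrong directory when the cd fails. The `grep "TYPE"` is unanchored and will pick up any line in build.conf that contains TYPE, so matching on the exact key would be safer.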
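
Review bot: In the first SEBSD-Installation.txt hunk, step 4c now reads "The file systems have not yet been labeled, so not many warnings will be printed", which reverses the removed wording ("so many warnings will be printed") and no longer follows from the file systems being unlabeled; drop the "not" unless the behaviour really changed. The unchanged opening sentence still says the module loads into a FreeBSD 6.0 kernel while the new text describes a 7.0 source tree. Step 3 has root untar a file downloaded over http into /usr/src with no checksum or signature check, so a published digest and a verification command belong there. Steps 5 and 6 hard-code `targeted` in the policy paths, whereas the new Makefile target derives the policy type from build.conf.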
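
Review bot: In the second SEBSD-Installation.txt hunk, the added warning that the policy "will likely not function properly in enforcing mode" is followed directly by the unchanged paragraph on defaulting to enforcing mode at boot, and the text does not say which mode the reader should run with this policy. State the recommended mode, and point back to the step 4c fallback (commenting out `kernel="MAC"` and `sebsd_load="YES"` in /boot/loader.conf) for anyone who sets enforcing as the boot default anyway.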
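
Review bot: In the second SEBSD.txt hunk, the unchanged entry just above the edits still describes a "Modified SELinux sample policy" under src/contrib/sebsd/policy/, while the Makefile target in this change installs from contrib/sebsd/refpolicy and the installation notes call it a port of the reference policy; that entry needs the same update. The userland list also replaces newrole with libsemanage rather than adding to it, so if newrole is still shipped it should stay in the list.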