Date: Tue, 29 Jun 2004 13:23:49 -0500
From: Guy Helmer <ghelmer@palisadesys.com>
To: Kevin Lyons <kevin_lyons@ofdengineering.com>
Cc: freebsd-chat@freebsd.org
Subject: Re: "TrustedBSD" addons
Message-ID: <40E1B3B5.1020906@palisadesys.com>
In-Reply-To: <40E1A6C0.2040406@ofdengineering.com>

Kevin Lyons wrote:

> I was reading with some surprise that some of the MAC and other
> "addons" from trusted bsd are to be incorporated.

Old news.

> I can already see the security advisories for these things like we've
> had for tcpwrapper, kerberos, heimdal, jail, openssl, etcetera ad
> infinitum.

How many of these were developed as part of BSD? One: jail.

> Is this the right way to go? We're adding more bloat while openbsd is
> cleaning itself and reworking kernel memory allocation to make
> exploits near impossible.

That's great work. Now, let's build on that so that the entire system is
properly compartmentalized (i.e., MAC).

> I dloaded 5.2 but haven't installed yet. I hope there is a way to
> disable the MAC and other of these "trustedbsd features" that seem to
> keep DARPA funded userland people busy.

Is it so much harder to look a little more deeply at the system than to
write a troll/rant? Yes, MAC is a group of kernel compile options, and
they are not shipped as part of the GENERIC kernel. From /sys/conf/NOTES:

# Support for Mandatory Access Control (MAC):
options MAC
options MAC_BIBA
options MAC_BSDEXTENDED
options MAC_DEBUG
options MAC_IFOFF
options MAC_LOMAC
options MAC_MLS
options MAC_NONE
options MAC_PARTITION
options MAC_PORTACL
options MAC_SEEOTHERUIDS
options MAC_STUB
options MAC_TEST

Please take a look at the TrustedBSD implementation before ranting about
"DARPA funded userland people". There are good reasons why these people
were funded.

Guy
