Date: Thu, 9 Feb 2006 18:11:03 GMT
From: Rob Deker <deker@FreeBSD.org>
To: Perforce Change Reviews <perforce@FreeBSD.org>
Subject: PERFORCE change 91434 for review
Message-ID: <200602091811.k19IB371025451@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=91434

Change 91434 by deker@deker_build1.columbia.sparta.com on 2006/02/09 18:10:49

    Updates to build instructions:
    - McAfee -> SPARTA
    - updated to reflect policy module name change
    - updated PAM config info
    - misc small changes

Affected files ...

.. //depot/projects/trustedbsd/sedarwin7/docs/build-instructions.txt#3 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin7/docs/build-instructions.txt#3 (text+ko) ====

@@ -6,7 +6,7 @@ Install Mac OS X 10.3.8 using the directions found in system-setup.txt. - If working within the McAfee Research development environment, install + If working within the SPARTA ISSO development environment, install Perforce and configure the Perforce client using the directions found in perforce-client.txt. @@ -17,7 +17,7 @@ Step 2: Check out source tree In this step, check the source tree out of Perforce, or untar the - distribution tarball. If working within the McAfee Research development + distribution tarball. If working within the SPARTA ISSO development environment, check out the source code using the directions found in perforce-checkout.txt. @@ -137,7 +137,7 @@ the older modules will be incompatible. Remove the appropriate KEXT bundles from /System/Library/Extensions. For example: - $ sudo rm -rf /System/Library/Extensions/sedarwin.kext + $ sudo rm -rf /System/Library/Extensions/mac_sedarwin.kext $ sudo rm -rf /System/Library/Extensions/mac_test.kext 
@@ -191,13 +191,13 @@ Step 11: Update PAM configuration - Add the following line: + Copy the SEDarwin versions of the sshd and login pam configuration files + and modify them as necessary for your site. - session required pam_lctx.so + $ sudo cp /etc/pam.d/sshd.sedarwin /etc/pam.d/sshd + $ sudo cp /etc/pam.d/login.sedarwin /etc/pam.d/login - at the end of the /etc/pam.d/login and /etc/pam.d/sshd files. - -Step 12(a): Create Extended Attribute File (SEDarwin only) +Step 12: Create Extended Attribute File The distribution includes a shell script that creates an extended attribute backing file for the SEDarwin policy module. Run the script: @@ -215,15 +215,6 @@ 256 /Volumes/Spare/.attribute/system/sebsd -Step 12(b): Create Extended Attribute File (MLS only) - - Run the following two commands to allocate storage space for MLS - labels on the root file system. - - $ sudo mkdir -p /.attribute/system - $ sudo extattrctl initattr -p / 112 /.attribute/system/mac_mls - - Step 13: Configure Policy path (SEDarwin only) The system boot loader needs to know where the SEDarwin policy file is @@ -253,20 +244,20 @@ user will be unable to login. -Step 14: Reboot in Single User Mode (SEDarwin only) +Step 14: Reboot in Single User Mode At this point, you should now have a new Darwin kernel, support libraries, command line tools, and configuration files installed. Reboot to single-user mode by holding down Command-S during the boot. Check the file system and mount the root file system writable: - $ /sbin/fsck -y - $ /sbin/mount -uw / + # /sbin/fsck -y + # /sbin/mount -uw / Now set the label on various binaries so they can transition during system startup: - $ sudo /etc/sedarwin/sebsd-relabel.sh + # /etc/sedarwin/sebsd-relabel.sh Missing this step will result in the login window failing to start, login attempts failing, or the entire system not working if enforcing 
@@ -289,12 +280,16 @@ Step 16: Verify System Functionality - When you log in to the system - After booting and logging into the system, verify that you have booted - to the correct kernel by running 'uname -a'. + After rebooting, log in on the graphical console. After you have + entered your password you will be presented with an additional + menu where you may select from your available intial security + contexts. If your username is not listed in the + /etc/sedarwin/policy/users file, the security context listed in + /etc/sedarwin/failsafe_context will be used. + + After you have logged in, you can run 'kextstat' to verify that + the selected security modules have been loaded: - You can run 'kextstat' to verify that the selected security modules - have been loaded: $ kextstat |head Index Refs Address Size Wired Name (Version) <Linked Against> 1 1 0x5ec9000 0x19000 0x18000 security.sedarwin (*)
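Review bot: In the @@ -137,7 +137,7 @@ hunk, replacing the `sedarwin.kext` removal line with `mac_sedarwin.kext` means a machine upgraded from a build made before the module rename keeps the old /System/Library/Extensions/sedarwin.kext bundle, which the surrounding text says will be incompatible. Suggest keeping the old `rm -rf` line next to the new one, or adding a sentence that the bundle may be present under either name.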
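Review bot: In the @@ -191,13 +191,13 @@ hunk, the two new `cp` commands overwrite /etc/pam.d/sshd and /etc/pam.d/login with no backup step, and "modify them as necessary for your site" does not say what the SEDarwin versions change. Suggest adding a step that saves the existing files first, and stating whether the `session required pam_lctx.so` line named in the old text is what the .sedarwin files add, so an administrator with a customized PAM stack can merge rather than replace and can recover if login or sshd stops working.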
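Review bot: In the @@ -215,15 +215,6 @@ hunk, the context line `Step 13: Configure Policy path (SEDarwin only)` keeps its qualifier although this change removes the MLS-only Step 12(b) and drops the same qualifier from the Step 12 and Step 14 headings. Suggest removing it from Step 13 as well, or restoring it on the others, so the document is consistent about whether a non-SEDarwin build path still exists.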
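Review bot: In the @@ -289,12 +280,16 @@ hunk, the removed sentence about running 'uname -a' was the check that the newly built kernel is the one that booted, and the replacement text only confirms loaded modules with 'kextstat'. Suggest keeping the 'uname -a' check ahead of the kextstat paragraph. In the same hunk, "intial" in the added line `menu where you may select from your available intial security` should read "initial".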