From owner-p4-projects@FreeBSD.ORG Thu Feb 9 18:11:06 2006
Return-Path:
X-Original-To: p4-projects@freebsd.org
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id 70E3E16A424; Thu, 9 Feb 2006 18:11:05 +0000 (GMT)
X-Original-To: perforce@FreeBSD.org
Delivered-To: perforce@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 45DD816A420 for ; Thu, 9 Feb 2006 18:11:05 +0000 (GMT) (envelope-from deker@FreeBSD.org)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id F246F43D48 for ; Thu, 9 Feb 2006 18:11:03 +0000 (GMT) (envelope-from deker@FreeBSD.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.1/8.13.1) with ESMTP id k19IB3xv025454 for ; Thu, 9 Feb 2006 18:11:03 GMT (envelope-from deker@FreeBSD.org)
Received: (from perforce@localhost) by repoman.freebsd.org (8.13.1/8.13.1/Submit) id k19IB371025451 for perforce@freebsd.org; Thu, 9 Feb 2006 18:11:03 GMT (envelope-from deker@FreeBSD.org)
Date: Thu, 9 Feb 2006 18:11:03 GMT
Message-Id: <200602091811.k19IB371025451@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to deker@FreeBSD.org using -f
From: Rob Deker To: Perforce Change Reviews Cc: Subject: PERFORCE change 91434 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Feb 2006 18:11:06 -0000 http://perforce.freebsd.org/chv.cgi?CH=91434 Change 91434 by deker@deker_build1.columbia.sparta.com on 2006/02/09 18:10:49 Updates to build instructions: - McAfee -> SPARTA - updated to reflect policy module name change - updated PAM config info - misc small changes Affected files ... .. //depot/projects/trustedbsd/sedarwin7/docs/build-instructions.txt#3 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin7/docs/build-instructions.txt#3 (text+ko) ==== @@ -6,7 +6,7 @@ Install Mac OS X 10.3.8 using the directions found in system-setup.txt. - If working within the McAfee Research development environment, install + If working within the SPARTA ISSO development environment, install Perforce and configure the Perforce client using the directions found in perforce-client.txt. @@ -17,7 +17,7 @@ Step 2: Check out source tree In this step, check the source tree out of Perforce, or untar the - distribution tarball. If working within the McAfee Research development + distribution tarball. If working within the SPARTA ISSO development environment, check out the source code using the directions found in perforce-checkout.txt. @@ -137,7 +137,7 @@ the older modules will be incompatible. Remove the appropriate KEXT bundles from /System/Library/Extensions. For example: - $ sudo rm -rf /System/Library/Extensions/sedarwin.kext + $ sudo rm -rf /System/Library/Extensions/mac_sedarwin.kext $ sudo rm -rf /System/Library/Extensions/mac_test.kext 
@@ -191,13 +191,13 @@ Step 11: Update PAM configuration - Add the following line: + Copy the SEDarwin versions of the sshd and login pam configuration files + and modify them as necessary for your site. - session required pam_lctx.so + $ sudo cp /etc/pam.d/sshd.sedarwin /etc/pam.d/sshd + $ sudo cp /etc/pam.d/login.sedarwin /etc/pam.d/login - at the end of the /etc/pam.d/login and /etc/pam.d/sshd files. - -Step 12(a): Create Extended Attribute File (SEDarwin only) +Step 12: Create Extended Attribute File The distribution includes a shell script that creates an extended attribute backing file for the SEDarwin policy module. Run the script: @@ -215,15 +215,6 @@ 256 /Volumes/Spare/.attribute/system/sebsd -Step 12(b): Create Extended Attribute File (MLS only) - - Run the following two commands to allocate storage space for MLS - labels on the root file system. - - $ sudo mkdir -p /.attribute/system - $ sudo extattrctl initattr -p / 112 /.attribute/system/mac_mls - - Step 13: Configure Policy path (SEDarwin only) The system boot loader needs to know where the SEDarwin policy file is @@ -253,20 +244,20 @@ user will be unable to login. -Step 14: Reboot in Single User Mode (SEDarwin only) +Step 14: Reboot in Single User Mode At this point, you should now have a new Darwin kernel, support libraries, command line tools, and configuration files installed. Reboot to single-user mode by holding down Command-S during the boot. Check the file system and mount the root file system writable: - $ /sbin/fsck -y - $ /sbin/mount -uw / + # /sbin/fsck -y + # /sbin/mount -uw / Now set the label on various binaries so they can transition during system startup: - $ sudo /etc/sedarwin/sebsd-relabel.sh + # /etc/sedarwin/sebsd-relabel.sh Missing this step will result in the login window failing to start, login attempts failing, or the entire system not working if enforcing 
@@ -289,12 +280,16 @@ Step 16: Verify System Functionality - When you log in to the system - After booting and logging into the system, verify that you have booted - to the correct kernel by running 'uname -a'. + After rebooting, log in on the graphical console. After you have + entered your password you will be presented with an additional + menu where you may select from your available intial security + contexts. If your username is not listed in the + /etc/sedarwin/policy/users file, the security context listed in + /etc/sedarwin/failsafe_context will be used. + + After you have logged in, you can run 'kextstat' to verify that + the selected security modules have been loaded: - You can run 'kextstat' to verify that the selected security modules - have been loaded: $ kextstat |head Index Refs Address Size Wired Name (Version) 1 1 0x5ec9000 0x19000 0x18000 security.sedarwin (*)
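Review bot: in the @@ -137,7 hunk, replacing `sedarwin.kext` with `mac_sedarwin.kext` in the removal example drops the case the surrounding text is about. The preceding context says the older modules are incompatible and must be removed, and a machine upgraded from a pre-rename install will still carry the old `sedarwin.kext` bundle next to `mac_test.kext`. Suggest keeping both names in the example, i.e. `$ sudo rm -rf /System/Library/Extensions/sedarwin.kext` followed by the new `mac_sedarwin.kext` line, or adding a sentence that the bundle was renamed and both names should be checked for.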
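Review bot: in the @@ -191,13 hunk the two `sudo cp` commands overwrite the live `/etc/pam.d/sshd` and `/etc/pam.d/login` with no backup, while the sentence above them asks the reader to "modify them as necessary for your site"; any local changes to those files are silently lost, and a mistake here locks out both console and ssh logins at once. Suggest a backup step before the copies (for example `$ sudo cp /etc/pam.d/sshd /etc/pam.d/sshd.orig`) and rewording so that the site-specific editing is done on the installed copies after the `cp`, not before. It would also help to state whether the removed `session required pam_lctx.so` line is already present in the `.sedarwin` versions, so readers following the old instructions know no further edit is required.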
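Review bot: the @@ -215,15 hunk removes Step 12(b) (MLS) and the @@ -191,13 hunk drops the "(SEDarwin only)" qualifier from Step 12, but the unchanged context line `Step 13: Configure Policy path (SEDarwin only)` still carries the qualifier. If MLS is no longer covered by these instructions, drop it from Step 13 as well for consistency; if MLS is still a supported configuration, the removed `extattrctl initattr` step for `/.attribute/system/mac_mls` needs a new home rather than deletion.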
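Review bot: in the @@ -253,20 hunk the prompt changes from `$ sudo ...` to `# ...` without explanation, while the rest of the document uses `$ sudo`. Add one sentence before the `fsck` and `mount` commands saying that single-user mode gives a root shell, that `#` denotes that shell, and that `sudo` is therefore not used; otherwise a reader may assume the commands were meant for a normal multi-user boot. Running `/etc/sedarwin/sebsd-relabel.sh` directly as root there is consistent with the context line that says skipping the relabel breaks the login window and enforcing mode, so that part reads correctly.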
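Review bot: in the @@ -289,12 hunk, "intial" should be "initial". The hunk also drops the `uname -a` check for the correct kernel; `kextstat` only confirms that the security modules loaded, not that the newly built kernel is the one running, so keep the `uname -a` sentence alongside the new `kextstat` paragraph. Finally, the new text says a user absent from `/etc/sedarwin/policy/users` is given the context in `/etc/sedarwin/failsafe_context`; since that default applies to every unlisted account, a short sentence telling the administrator to review the failsafe context and to add site users to the users file would make the consequence of that fallback clear.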