Date: Thu, 6 Nov 2003 17:29:35 -0800 (PST)
Message-Id: <200311070129.hA71TZ2p085721@repoman.freebsd.org>
From: Robert Watson
To: Perforce Change Reviews
Subject: PERFORCE change 41607 for review

http://perforce.freebsd.org/chv.cgi?CH=41607

Change 41607 by rwatson@rwatson_paprika on 2003/11/06 17:28:38

Document MAC_ALWAYS_LABEL_MBUF and MAC_STATIC, mac_lomac_load, mac_portacl_load.

Affected files ...

.. //depot/projects/trustedbsd/mac/MACREADME#25 edit

Differences ...

==== //depot/projects/trustedbsd/mac/MACREADME#25 (text+ko) ==== @@ -8,6 +8,8 @@ options MAC # Mandatory Access Control #options MAC_DEBUG # Might also be useful +#options MAC_ALWAYS_LABEL_MBUF # Don't conditionally label mbufs +#options MAC_STATIC # Optimize out dynamic loading support Rebuild and reinstall world and kernel. Make sure that login.conf is in sync with that provided in the MAC repository, and that login.conf.db @@ -21,11 +23,13 @@ mac_biba_load="NO" # Biba MAC policy (boot only) mac_bsdextended_load="NO" # BSD/extended MAC policy mac_ifoff="NO" # Interface silencing policy +mac_lomac_load="NO" # Low-Watermark Mandatory Access Control mac_mls_load="NO" # MLS MAC policy (boot only) mac_none_load="NO" # Null MAC policy mac_partition_load="NO" # Partition MAC policy +mac_portacl_load="NO" # IP port access control lists mac_seeotheruids_load="NO" # UID visbility MAC policy -sebsd_load="NO" # Port of SELinux/FLASK (boot only) +mac_test_load="NO" # Regression test module Kernel options known not to work with MAC 
@@ -73,9 +77,7 @@ The NFS server code in many places currently ignores MAC protection. This may or may not be the best behavior, as in the past NFS could always override discretionary access control due to running in the -kernel as root all the time. However, because NFS sometimes invokes -higher level VFS functionality, such as namei(), MAC protections -may be inconsistently enforced. CODA support is probably in the same +kernel as root all the time. CODA support is probably in the same condition. Client-side NFS locking is known to Do The Wrong Thing, for a variety
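Review bot: In the first hunk (@@ -8,6 +8,8 @@), the two new option comments do not tell an administrator when to enable them or what they give up. "Optimize out dynamic loading support" for MAC_STATIC leaves it unclear whether the mac_*_load entries listed further down the README still work on such a kernel, and "Don't conditionally label mbufs" does not say which configurations need unconditional labeling. Suggest one sentence under the options block for each, in particular stating how policies are expected to be brought in when MAC_STATIC is set.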
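Review bot: In the second hunk (@@ -21,11 +23,13 @@), the sebsd_load line is dropped and mac_test_load is added, but the change description only mentions mac_lomac_load and mac_portacl_load. Please either note the sebsd_load removal and mac_test_load addition in the description or split them out, and consider flagging mac_test_load as not intended for production systems, since the README presents this list as loader tunables. Also worth confirming whether mac_lomac_load needs the same "(boot only)" annotation that mac_biba_load and mac_mls_load carry, and fixing "visbility" on the adjacent mac_seeotheruids_load line while the block is being touched.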
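Review bot: In the third hunk (@@ -73,9 +77,7 @@), the sentence warning that MAC protections "may be inconsistently enforced" when NFS invokes higher level VFS functionality such as namei() is removed without explanation, and the change description does not mention it. If that behavior was fixed, say so here or in the description; if not, keep the caveat, since readers rely on this section to know where enforcement is incomplete. With the sentence gone, "CODA support is probably in the same condition" now refers only to ignoring MAC protection, which may not be the intended meaning.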