MAC subsystem problem (FreeBSD 7)

Borja Marcos BORJAMAR at SARENET.ES
Fri Feb 15 04:49:35 PST 2008


Hello,

I'm trying to set up a DNS server under FreeBSD using the mac_biba  
policy. I use to run
bind in low-integrity mode, so that neither it or any of its  
descendants can modify
configuration files, etc.

With previous FreeBSD versions there was a handy sysctl setting,  
"security.mac.enforce_socket"
that allowed to bypass the MAC restrictions for a socket. I think it's  
not a bad idea.
After all machines can communicate with untrusted nodes over a  
network. In my opinion,
enforcing the mac_biba restrictions so that a network communication  
with a local process
behaves _differently_ than a network communication with a different  
node is a bad idea.

Any reason why this setting has been eliminated? I think that the best  
solution is to
keep it and let the administrator decide.


Best regards,






Borja.



More information about the freebsd-security mailing list