MAC subsystem problem (FreeBSD 7)
Borja Marcos
BORJAMAR at SARENET.ES
Fri Feb 15 04:49:35 PST 2008
Hello,

I'm trying to set up a DNS server under FreeBSD using the mac_biba policy. I use to run bind in low-integrity mode, so that neither it nor any of its descendants can modify configuration files, etc.

With previous FreeBSD versions there was a handy sysctl setting, "security.mac.enforce_socket", that allowed bypassing the MAC restrictions for a socket. I think it's not a bad idea. After all, machines can communicate with untrusted nodes over a network. In my opinion, enforcing the mac_biba restrictions so that a network communication with a local process behaves _differently_ than a network communication with a different node is a bad idea.

Any reason why this setting has been eliminated? I think that the best solution is to keep it and let the administrator decide.

Best regards,

Borja.