Proposal: tunable default/init label for MAC policies
Andreas Jonsson
andreas at romab.com
Tue Feb 11 17:27:32 UTC 2014
On 2014-02-11 11:28, Borja Marcos wrote:
<snip>
> A tunable like security.mac.{mls,biba...}.default_label or, maybe,
> more appropiately, security.{mac,biba...}.init_lable would allow the
> administrator to, for example, limit the usage of the MAC policies to
> descendants of certain processes. In our case, with most of the OS
> having the usual Unix security requirements, except for the
> intrinsicly dangerous stuff such as Apache and PHP/CGIs, init labels
> of {mls,biba}/equal would be more than enough, applying the necessary
> labels to the untrusted processes.
>
> What do you think? I am sure this makes the MAC policies much more
> useful, and much easier to integrate with the typical Unix software
> without unnecessary incompatibilities, and of course not just for our
> particular scenario.
>
> Borja.
Hi list,
I think that being able to set the MAC process label from rc.conf would
be a better and more flexible way of moving forward, so that modifying
rc-scripts everywhere would be unnecessary.
Thinking about how to handle this in the contexts of jails would also be
nice. Currently using jail_poststart_exec to jexec with the correct
label is a bit of a pain. Perhaps there is a better way that i am
unaware of?
br
andreas
More information about the freebsd-security
mailing list