PERFORCE change 15966 for review
Robert Watson
rwatson at freebsd.org
Wed Aug 14 14:38:56 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15966
Change 15966 by rwatson at rwatson_tislabs on 2002/08/14 07:37:57
Updates to the MAC notes, including commenting on the fact that
running X11 with MLS can result in problems, as kernel memory
is currently labeled as mls/high by default, but user processes
run at mls/low by default.
Affected files ...
.. //depot/projects/trustedbsd/mac/MACREADME#21 edit
Differences ...
==== //depot/projects/trustedbsd/mac/MACREADME#21 (text+ko) ====
@@ -92,7 +92,8 @@
of reasons. Unlike the other components of the kernel NFS client,
it doesn't use the mount-time credential to authorize out-going RPC
delivery, uses an odd selection of kernel credential to act on the
-FIFO, etc.
+FIFO, etc. (This is now largely fixed due to moving VFS protections
+higher in the stack)
Things not to do with MAC
-------------------------
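Review bot: The parenthetical added after "FIFO, etc." says the problem is "largely fixed", but the context lines above it still describe the behaviour in the present tense ("it doesn't use the mount-time credential"), so a reader cannot tell which of the listed issues remain. Suggest naming the cases that are still open, or rewording the paragraph in the past tense and keeping only the residual problem. The sentence inside the parentheses is also missing its closing period.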
@@ -116,7 +117,12 @@
Don't use netboot without setting the loader.conf setting to indicate
to Biba which interface is trusted. Otherwise, the NFS client will
-fail as it cannot send packets via the interface. (This may be broken).
+fail as it cannot send packets via the interface.
+
+Don't expect X11 to work with MLS enabled if you try to run X11 at
+mls/low (the default). This won't work because XFree86 expects to
+be able to map video memory, and by default video memory is labeled
+as mls/high so as to be conservative.
Things that look like they should work but don't
------------------------------------------------
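Review bot: The new X11 paragraph says video memory is labeled mls/high, while the change description says kernel memory is labeled mls/high; the README should use one term, or state that video memory falls under the kernel memory default. The paragraph also says what fails without saying what to do instead, unlike the netboot item above it, which points at the loader.conf setting; one sentence on the supported way to run X11 with MLS enabled would make it actionable. The removal of "(This may be broken)" from the netboot item is not mentioned in the change description, so it is worth confirming that the netboot case was rechecked.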