PERFORCE change 15311 for review

Robert Watson rwatson at freebsd.org
Wed Jul 31 15:26:46 GMT 2002 

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15311

Change 15311 by rwatson at rwatson_tislabs on 2002/07/31 08:26:17

	Update MAC notes.

Affected files ...

.. //depot/projects/trustedbsd/mac/MACREADME#20 edit

Differences ...

==== //depot/projects/trustedbsd/mac/MACREADME#20 (text+ko) ====

@@ -22,21 +22,16 @@
 others may be loaded when needed before or after the boot.  The
 following loader.conf lines are currently relevant:
 
-babyaudit_load="NO"             # Baby auditing module
 mac_biba_load="NO"              # Biba MAC policy		(boot only)
 mac_bsdextended_load="NO"       # BSD/extended MAC policy
 mac_ifoff="NO"                  # Interface silencing policy
 mac_mls_load="NO"               # MLS MAC policy		(boot only)
 mac_none_load="NO"              # Null MAC policy
+mac_partition_load="NO"		# Partition MAC policy
 mac_seeotheruids_load="NO"      # UID visbility MAC policy
 mac_te_load="NO"                # Type Enforcement policy	(boot only)
-
-To include support for SEBSD, a port of the NSA FLASK and SELinux TE
-implementations, add the following kernel option:
+sebsd_load="NO"			# Port of SELinux/FLASK		(boot only)
 
-options 	SEBSD
-
-This will be available as a module also in due course.
 
 Kernel options known not to work with MAC
 -----------------------------------------
@@ -54,6 +49,7 @@
 
 Using those options may result in incorrect security behavior, memory
 corruption, or a kernel panic.  They do not work with MAC at this time.
+They should work correctly using GENERIC.
 
 Kernel SLIP support may not work correctly, as outgoing mbufs are not
 labeled due to lack of a label to apply.  Probably, the label should be
@@ -82,13 +78,15 @@
 The NFS server code in many places currently ignores MAC protection.
 This may or may not be the best behavior, as in the past NFS could
 always override discretionary access control due to running in the
-kernel as root all the time.  CODA support is probably in the same
+kernel as root all the time.  However, because NFS sometimes invokes
+higher level VFS functionality, such as namei(), MAC protections
+may be inconsistently enforced.  CODA support is probably in the same
 condition.
 
-Currently, non-FreeBSD ABIs are not supported.  This includes the Linux
-compatibility layer, and other related components (SCO, et al).  They
-will likely not correctly check MAC operations in all cases that the
-normal FreeBSD ABI code does.
+Currently, non-FreeBSD ABIs are not fully supported.  This includes
+the Linux compatibility layer, and other related components (SCO, et al).
+They will likely not correctly check MAC operations in all cases that the
+normal FreeBSD ABI code does; the status of the ABIs is improving.
 
 Client-side NFS locking is known to Do The Wrong Thing, for a variety
 of reasons.  Unlike the other components of the kernel NFS client,
@@ -118,7 +116,7 @@
 
 Don't use netboot without setting the loader.conf setting to indicate
 to Biba which interface is trusted.  Otherwise, the NFS client will
-fail as it cannot send packets via the interface.
+fail as it cannot send packets via the interface.  (This may be broken).
 
 Things that look like they should work but don't
 ------------------------------------------------
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message

More information about the trustedbsd-cvs mailing list