PERFORCE change 41607 for review
Robert Watson
rwatson at FreeBSD.org
Fri Nov 7 01:29:35 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=41607
Change 41607 by rwatson at rwatson_paprika on 2003/11/06 17:28:38
Document MAC_ALWAYS_LABEL_MBUF and MAC_STATIC, mac_lomac_load,
mac_portacl_load.
Affected files ...
.. //depot/projects/trustedbsd/mac/MACREADME#25 edit
Differences ...
==== //depot/projects/trustedbsd/mac/MACREADME#25 (text+ko) ====
@@ -8,6 +8,8 @@
options MAC # Mandatory Access Control
#options MAC_DEBUG # Might also be useful
+#options MAC_ALWAYS_LABEL_MBUF # Don't conditionally label mbufs
+#options MAC_STATIC # Optimize out dynamic loading support
Rebuild and reinstall world and kernel. Make sure that login.conf is
in sync with that provided in the MAC repository, and that login.conf.db
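Review bot: The new MAC_STATIC line says it optimizes out dynamic loading support, but nothing here tells the reader how that interacts with the mac_*_load loader entries documented in the next section. Please add a sentence stating whether those entries still apply when MAC_STATIC is set. The MAC_ALWAYS_LABEL_MBUF comment "Don't conditionally label mbufs" is also phrased as a negation of behaviour the README never describes; a short note on when an administrator would want it enabled would make the option usable from this file alone.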
@@ -21,11 +23,13 @@
mac_biba_load="NO" # Biba MAC policy (boot only)
mac_bsdextended_load="NO" # BSD/extended MAC policy
mac_ifoff="NO" # Interface silencing policy
+mac_lomac_load="NO" # Low-Watermark Mandatory Access Control
mac_mls_load="NO" # MLS MAC policy (boot only)
mac_none_load="NO" # Null MAC policy
mac_partition_load="NO" # Partition MAC policy
+mac_portacl_load="NO" # IP port access control lists
mac_seeotheruids_load="NO" # UID visbility MAC policy
-sebsd_load="NO" # Port of SELinux/FLASK (boot only)
+mac_test_load="NO" # Regression test module
Kernel options known not to work with MAC
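Review bot: The removal of sebsd_load and the addition of mac_test_load in this list are not covered by the change description, which names only mac_lomac_load and mac_portacl_load; please mention them there or split them out so the history explains why the SELinux/FLASK entry disappeared. On the new mac_lomac_load line, mac_biba_load and mac_mls_load both carry a "(boot only)" marker and the LOMAC entry does not, so confirm whether the marker was left off intentionally, since a reader will take its absence to mean the policy can be loaded after boot.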
@@ -73,9 +77,7 @@
The NFS server code in many places currently ignores MAC protection.
This may or may not be the best behavior, as in the past NFS could
always override discretionary access control due to running in the
-kernel as root all the time. However, because NFS sometimes invokes
-higher level VFS functionality, such as namei(), MAC protections
-may be inconsistently enforced. CODA support is probably in the same
+kernel as root all the time. CODA support is probably in the same
condition.
Client-side NFS locking is known to Do The Wrong Thing, for a variety
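Review bot: The deleted sentence about NFS invoking higher level VFS functionality such as namei() was the only place this README warned that MAC protections "may be inconsistently enforced", and the change description does not say why that caveat is going away. If the inconsistency has been fixed, say so in the text; if not, keep the warning, because the paragraph that remains now states only that NFS ignores MAC protection in many places. The trailing "CODA support is probably in the same condition" also changes meaning once its preceding sentence is gone and should be re-read against the shorter paragraph.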