PERFORCE change 107308 for review

Todd Miller millert at FreeBSD.org
Thu Oct 5 07:39:15 PDT 2006


http://perforce.freebsd.org/chv.cgi?CH=107308

Change 107308 by millert at millert_macbook on 2006/10/05 14:33:30

	Bring installation notes closer to reality wrt refpolicy

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/sefos-install.txt#2 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/sefos-install.txt#2 (text+ko) ====

@@ -200,23 +200,19 @@
   $ sudo cp /etc/pam.d/login.sedarwin /etc/pam.d/login
 
 
-Step 11: Configure Policy
+Step 11: Configure Policy (optional)
 
-  The SEDarwin policy sources are located in the /etc/sedarwin/policy
-  directory.  Our sample policy file, users, ships with some predefined
-  users.  You should add entries for your own user accounts based on one
-  of the existing entries.  Make changes as needed, rebuild, and install
-  the binary policy file:
+  By default, SEDarwin uses a targeted policy.  As such there
+  it is no longer necessary specify each user in the policy itself.
+  If you wish to make changes to the policy, you may edit the
+  sources in the /etc/sedarwin/refpolicy/src/policy directory.
+  Make changes as needed, rebuild, and install the binary policy file:
 
-    $ cd /etc/sedarwin/policy
+    $ cd /etc/sedarwin/refpolicy/src/policy
     [edit as root]
     $ sudo make
     $ sudo make install
 
-  NOTE: If a user logs in who is not listed in the users file, the
-  contents of /etc/sedarwin/failsafe_context will be used as the
-  context for the user.  If that file does not exist, the unlisted
-  user will be unable to login.
 
 Step 12: Reboot in Single User Mode
 
@@ -225,13 +221,13 @@
   Reboot to single-user mode by holding down Command-S during the boot.
   Check the file system and mount the root file system writable:
 
-    # /sbin/fsck -y
+    # /sbin/fsck -p
     # /sbin/mount -uw /
 
   Now set the label on various binaries so they can transition during
   system startup:
 
-    # /etc/sedarwin/sebsd-relabel.sh
+    # /usr/bin/setfiles /etc/sedarwin/refpolicy/contexts/files/file_contexts /
 
   Skipping this step will result in the login window failing to start,
   login attempts failing, or the entire system not working if enforcing
@@ -240,9 +236,6 @@
 
 Step 13: Reboot
 
-  A reboot is required in order for the extended attributes to be
-  recognized by the system.
-
   If you were in single user mode to set initial file labels, run
   'reboot' from the console.  Otherwise, restart the machine normally.
 
@@ -252,9 +245,10 @@
   After rebooting, log in on the graphical console.  After you have
   entered your password you will be presented with an additional
   menu where you may select from your available intial security
-  contexts.  If your username is not listed in the
-  /etc/sedarwin/policy/users file, the security context listed in
-  /etc/sedarwin/failsafe_context will be used.
+  contexts.  If your username does not have an entry in the
+  /etc/sedarwin/refpolicy/contexts/users/ directory a default context
+  will be used.  For the default (targeted) policy this is will be
+  user_u:system_r:unconfined_t.
 
   After you have logged in, you can run 'kextstat' to verify that
   the selected security modules have been loaded:
@@ -273,7 +267,7 @@
   If the SEDarwin policy is loaded, you will see something like the following:
 
     $ getpmac
-    sebsd/jdoe:user_r:user_d
+    sebsd/user_u:system_r:unconfined_t
 
 
     $ getfmac /bin/bash
@@ -285,7 +279,7 @@
     sebsd/system_u:system_r:init_d       1  ??  Ss     0:00.09 /sbin/init
     sebsd/system_u:system_r:init_d       2  ??  Ss     1:55.32 /sbin/mach_i
     sebsd/system_u:system_r:pbs_d      343  ??  Ss     0:00.27 /System/Libr
-    sebsd/cvance:user_r:user_d         349  ??  S      0:00.96 /System/Libr
+    sebsd/user_u:system_r:unconfined_t 349  ??  S      0:00.96 /System/Libr
       ...
 
 


More information about the trustedbsd-cvs mailing list