How to make/build/install ?
Robert Watson
rwatson at FreeBSD.org
Mon Feb 23 13:24:55 GMT 2004
On 22 Feb 2004, Hassan H. Monfared wrote:
> I'm new to TrustedBSD. I got all sources of TrustedBSD via cvs using the
> sample supfile. Now, how can I build and install the new sources on my
> FreeBSD 5.2 RC2?
>
> Thanks if anybody replies.
The exact install method depends a bit on which pieces you want to try
out. The MAC Framework as found in the MAC branch or the FreeBSD source
code distribution requires the following:
(1) Create a custom kernel configuration with at least "options MAC" added
to it. You may want to compile policies in, or you might want to load
them as modules. If experimenting, I suggest modules; also, this will
make the bootstrapping process easier if there are ABI changes.
(2) Build world using "make buildworld" or some reasonable approximation
(see the FreeBSD build instructions).
(3) Build a kernel using your customized kernel configuration -- typically
"make buildkernel KERNCONF=MYKERNEL".
(4) Assuming all the builds went well, do an installkernel, and then
reboot to get the new system calls, etc.
(5) Do an installworld.
(6) Use mergemaster to merge the new contents of src/etc into your /etc.
(7) Tweak /etc/loader.conf to load the MAC policies you are interested in.
Typically using lines something like the following:
mac_biba_load="YES"
mac_test_load="YES"
The loader.conf man page has been updated to list the new options for
MAC modules. The mac(9) man page has cross references to most of the
policy modules we ship.
(8) If you're using a policy that labels users on login, you'll need to
modify /etc/login.conf and rebuild the hashed database. In
particular, you'll need to add a "label" entry to the login classes
for users who will be logging in to indicate their default label on
login. The login.conf(5) man page describes the file format; remember
to rebuild the file using cap_mkdb. If you're using mac_biba, a label
such as "biba/high(low-high)" will log the user in using high
integrity by default, but allow them to change their integrity level.
If using a labeled policy, you'll also generally want to use
multilabel file systems (where each file has a different label, rather
than the file system having a single label). You need to set the
multilabel flag using "tunefs -l enable /filesystemname" from
single-user mode. Reboot (or remount, check the mount flags using
the mount command to make sure the multilabel flag got set).
You'll also need to relabel the user's home directory, and unless you
set up per-user temporary directories using TMPDIR in login.conf,
you'll need to override integrity protections on /tmp using "setfmac
biba/equal /tmp /var/tmp /var/tmp/vi.recover".
This is an area where we're working to improve usability -- in
particular, we plan to move to a separate database file for user
labels rather than using the system capability database, and also
provide default labeling configurations to use with setfsmac for more
policies.
The label-free policies require minimal (or no) configuration, in
general.
(9) Reboot.
You'll want to consult the man page for the policies you want to try out.
If you're using the SEBSD branch, the steps are a little different. I'm
having trouble finding the installation instructions in the SEBSD
repository, so I think we must not be keeping that version up-to-date.
I'll dig up a copy when I get back from a meeting today, commit it to the
repository if it wasn't there already, and mail you a copy.
The version of the MAC Framework in the FreeBSD 5-CURRENT source tree is
largely the same as the version in the MAC branch, but differs
substantially from the version in the SEBSD branch.
Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org Senior Research Scientist, McAfee Research
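
Added example, not part of the original message: a post-install check for steps (7) and (8) that confirms which MAC policy modules loader.conf loads, whether a mount point carries the multilabel flag, and what default label a login class assigns. The function names and the sample loader.conf, mount and login.conf text are constructed for illustration; on a real system, feed the functions /boot/loader.conf, the output of mount, and /etc/login.conf.

```shell
#!/bin/sh
# Print the mac_* modules that loader.conf sets to load (step 7).
mac_modules_enabled() {
    sed -n 's/^[[:space:]]*\(mac_[a-z0-9_]*\)_load="[Yy][Ee][Ss]".*/\1/p'
}

# Succeed if the given mount point shows the multilabel flag (step 8).
multilabel_set() {
    awk -v mp="$1" '$2 == "on" && $3 == mp && /[(, ]multilabel[,)]/ { ok = 1 }
                    END { exit !ok }'
}

# Print the "label" capability of a login class (step 8).
# Simplified parser: joins backslash-continued lines, splits on ":",
# and does not follow tc= references or escaped colons.
class_label() {
    awk -v cls="$1" '
        { sub(/^[ \t]+/, "") }                  # drop leading indentation
        /^#/ || /^$/ { next }
        { cont = sub(/\\$/, ""); rec = rec $0   # join continued lines
          if (cont) next
          n = split(rec, f, ":"); rec = ""
          split(f[1], names, "|")               # name|alias|description
          if (names[1] != cls) next
          for (i = 2; i <= n; i++)
              if (f[i] ~ /^label=/) { print substr(f[i], 7); exit } }'
}

# Constructed sample inputs (not taken from a real system).
sample_loader() {
    printf '%s\n' '# MAC policies' 'mac_biba_load="YES"' \
        'mac_test_load="YES"' 'mac_mls_load="NO"'
}
sample_mount() {
    printf '%s\n' '/dev/ad0s1a on / (ufs, local, multilabel)' \
        '/dev/ad0s1e on /usr (ufs, local, soft-updates)'
}
sample_login() {
    printf '%s\n' 'default:\' '    :passwd_format=md5:\' \
        '    :label=biba/high(low-high):\' '    :umask=022:'
}

echo "policies loaded at boot: $(sample_loader | mac_modules_enabled | tr '\n' ' ')"
sample_mount | multilabel_set / && echo "/ has multilabel set"
sample_mount | multilabel_set /usr || echo "/usr lacks multilabel (tunefs -l enable)"
echo "default class label: $(sample_login | class_label default)"
```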