PF and MAC framework - panic

Björn König bjoern.koenig at spray.se
Sun Jan 1 03:17:46 PST 2006


Odhiambo Washington wrote:
> Hello everyone,
> 
> 
> I'm a PF newbie only from this week. I've been using IPFilter all along.
> On my 6.0 box acting as a router, I was also playing with Mandatory
> Access Control, especially mac_lomac. This seemed to work with IPFilter
> but the moment I switched to PF, the machine would panic and reboot.
> 
> I had mac_lomac_enable="YES" in /boot/loader.conf. This is after I
> compiled a kernel with "options MAC".
> In /etc/sysctl.conf I had the following:
> 
> security.mac.lomac.enabled=1
> security.mac.lomac.revocation_enabled=1
> security.mac.lomac.ptys_equal=1
> 
> And in /etc/rc.conf, all active interfaces were configured with
> "maclabel lomac/equal" added to the ifconfig args.
> 
> I'd switch from ipfilter/ipnat to PF by flushing rules in this order:
> ipf -Fa
> ipnat -FC
> 
> pfctl -e
> pfctl -f /etc/pf.conf
> 
> At this juncture, the box would panic:
> 
> panic: mac_lomac_dominate_element: a->mle_type invalid.
> A memory dump would then occur and the box reboots.
> 
> I went a step ahead: disabled IPFilter in rc.conf and enabled
> PF and rebooted. The box would fail to reboot in this case and
> panic over and over until I disabled mac_lomac_enable="YES" in
> /boot/loader.conf, the relevant entries in rc.conf and sysctl.conf.
> 
> Anyone using MAC who can reproduce the same?

Not exactly the same, but I had similar problems with mac_mls using pf. 
These panics occur because pf is imported from OpenBSD and not aware of 
using MAC at all; in fact it ignores MAC completely and thus it breaks 
policies. The best thing that you can do now is either to avoid using 
MAC or to use ipfw instead of pf.

Regards
Björn
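The advice above is to avoid combining a labeling MAC policy with pf. The following pre-flight check is an added example, not code from the thread or from FreeBSD: it parses loader.conf and rc.conf style files and refuses the switch when pf_enable="YES" sits next to a labeling policy such as mac_lomac. The list of "labeling" policies (lomac, mls, biba), the interface name em0, the 192.0.2.x address and the sample file contents are all constructed for this example.

```shell
#!/bin/sh
# Pre-flight check for the configuration described in the thread: a FreeBSD
# router booting a labeling MAC policy (mac_lomac_enable="YES" in
# loader.conf) while rc.conf enables pf. Runs against plain config files,
# so it can be used before a reboot rather than after a panic.

# MAC policies that attach labels to objects. This set is an assumption for
# the example; lomac and mls are the two named in the thread.
LABELING_POLICIES="lomac mls biba"

# Print the policy names enabled in a loader.conf-style file, one per line:
#   mac_lomac_enable="YES"  ->  lomac
enabled_mac_policies() {
    sed -n 's/^[[:space:]]*mac_\([a-z_]*\)_enable="\{0,1\}[Yy][Ee][Ss]"\{0,1\}.*/\1/p' "$1"
}

# Exit 0 when an rc.conf-style file enables pf.
pf_enabled() {
    grep -Eq '^[[:space:]]*pf_enable="?[Yy][Ee][Ss]"?' "$1"
}

# Print interfaces whose ifconfig_* line carries a maclabel argument.
labeled_interfaces() {
    sed -n 's/^[[:space:]]*ifconfig_\([a-z0-9]*\)=.*maclabel.*/\1/p' "$1"
}

# Exit 0 (and describe the problem) when loader.conf enables a labeling MAC
# policy and rc.conf enables pf; exit 1 when the combination is absent.
mac_pf_conflict() {
    loader=$1
    rc=$2
    pf_enabled "$rc" || return 1
    found=""
    for p in $(enabled_mac_policies "$loader"); do
        for l in $LABELING_POLICIES; do
            [ "$p" = "$l" ] && found="$found $p"
        done
    done
    [ -n "$found" ] || return 1
    echo "pf_enable=YES combined with labeling MAC policy:$found"
    echo "labeled interfaces: $(labeled_interfaces "$rc" | tr '\n' ' ')"
    return 0
}

# Constructed sample files mirroring the thread's setup.
WORKDIR=$(mktemp -d)
cat > "$WORKDIR/loader.conf" <<'EOF'
mac_lomac_enable="YES"
EOF
cat > "$WORKDIR/rc.conf.pf" <<'EOF'
pf_enable="YES"
pf_rules="/etc/pf.conf"
ifconfig_em0="inet 192.0.2.1/24 maclabel lomac/equal"
EOF
cat > "$WORKDIR/rc.conf.ipf" <<'EOF'
ipfilter_enable="YES"
ipnat_enable="YES"
ifconfig_em0="inet 192.0.2.1/24 maclabel lomac/equal"
EOF

# The pf configuration is flagged; the ipfilter one passes.
mac_pf_conflict "$WORKDIR/loader.conf" "$WORKDIR/rc.conf.pf" || echo "pf box: no conflict"
mac_pf_conflict "$WORKDIR/loader.conf" "$WORKDIR/rc.conf.ipf" || echo "ipfilter box: no conflict"
```

On a live system the two arguments would be /boot/loader.conf and /etc/rc.conf; the check only reads the files, so it is safe to run from a deploy script before the pf_enable change is committed.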
