PERFORCE change 41607 for review

Robert Watson rwatson at FreeBSD.org
Thu Nov 6 17:29:37 PST 2003


http://perforce.freebsd.org/chv.cgi?CH=41607

Change 41607 by rwatson at rwatson_paprika on 2003/11/06 17:28:38

	Document MAC_ALWAYS_LABEL_MBUF and MAC_STATIC, mac_lomac_load,
	mac_portacl_load.

Affected files ...

.. //depot/projects/trustedbsd/mac/MACREADME#25 edit

Differences ...

==== //depot/projects/trustedbsd/mac/MACREADME#25 (text+ko) ====

@@ -8,6 +8,8 @@
 
 options		MAC			# Mandatory Access Control
 #options 	MAC_DEBUG		# Might also be useful
+#options 	MAC_ALWAYS_LABEL_MBUF	# Don't conditionally label mbufs
+#options 	MAC_STATIC		# Optimize out dynamic loading support
 
 Rebuild and reinstall world and kernel.  Make sure that login.conf is
 in sync with that provided in the MAC repository, and that login.conf.db
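Review bot: The comments on the two added options, MAC_ALWAYS_LABEL_MBUF and MAC_STATIC, say what each option does but not when to enable it, and both are added commented out with no further guidance. A sentence below the options block on what each one trades off would help, in particular for MAC_STATIC: if dynamic loading support is optimized out, the README should say how the policies in the loader.conf list that are not marked "(boot only)" are expected to be used.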
@@ -21,11 +23,13 @@
 mac_biba_load="NO"              # Biba MAC policy		(boot only)
 mac_bsdextended_load="NO"       # BSD/extended MAC policy
 mac_ifoff="NO"                  # Interface silencing policy
+mac_lomac_load="NO"		# Low-Watermark Mandatory Access Control
 mac_mls_load="NO"               # MLS MAC policy		(boot only)
 mac_none_load="NO"              # Null MAC policy
 mac_partition_load="NO"		# Partition MAC policy
+mac_portacl_load="NO"		# IP port access control lists
 mac_seeotheruids_load="NO"      # UID visbility MAC policy
-sebsd_load="NO"			# Port of SELinux/FLASK		(boot only)
+mac_test_load="NO"		# Regression test module
 
 
 Kernel options known not to work with MAC
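Review bot: The last changed pair in this hunk removes sebsd_load and adds mac_test_load, but the change description only mentions mac_lomac_load and mac_portacl_load; mention both in the description or split them into their own change. Also, mac_biba_load and mac_mls_load carry "(boot only)" while the new mac_lomac_load line does not, so confirm that omission is intended. The context line for mac_seeotheruids_load has "visbility" for "visibility", which could be fixed while this list is being touched.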
@@ -73,9 +77,7 @@
 The NFS server code in many places currently ignores MAC protection.
 This may or may not be the best behavior, as in the past NFS could
 always override discretionary access control due to running in the
-kernel as root all the time.  However, because NFS sometimes invokes
-higher level VFS functionality, such as namei(), MAC protections
-may be inconsistently enforced.  CODA support is probably in the same
+kernel as root all the time.  CODA support is probably in the same
 condition.
 
 Client-side NFS locking is known to Do The Wrong Thing, for a variety
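Review bot: The removed sentence (NFS sometimes invoking higher level VFS functionality such as namei(), so MAC protections may be inconsistently enforced) is dropped with no mention in the change description, which only covers documenting options and loader variables. If the inconsistency still exists, keep the caveat, since it is the only place the paragraph tells readers that enforcement on the NFS server path varies rather than being uniformly ignored; if it was fixed or the statement was wrong, say so in the description.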

