PERFORCE change 52372 for review

Andrew Reisse areisse at FreeBSD.org
Thu May 6 12:35:04 PDT 2004


http://perforce.freebsd.org/chv.cgi?CH=52372

Change 52372 by areisse at areisse_ibook on 2004/05/06 12:34:35

	clean up usage section

Affected files ...

.. //depot/projects/trustedbsd/sedarwin73/README#4 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin73/README#4 (text+ko) ====

@@ -35,16 +35,20 @@
 Usage:
 Following the build instructions will yield a system with sedarwin installed,
 and the sample TE policy configured. To test some functionality, enable
-enforcing mode (by default, the TE module runs in permissive mode, logging
-access control failures but not enforcing them) and set some file labels:
+enforcing mode by running "sudo nvram kenv_sebsd_enforce=1" from the shell
+(by default, the TE module runs in permissive mode, logging
+access control failures but not enforcing them) and set some file labels.
+TE labels are of the form user:role:type. When passed to or from the
+system, labels begin with the name of the policy module (in this case, 
+sebsd). Objects use the object_r "role".
+
 $ getpmac
 sebsd/andrew:user_r:user_d
-(TE labels are of the form user:role:type. The sebsd/ indicates that the
-label is for the sebsd policy module. Objects use the object_r "role".)
 $ touch test_readonly
 $ setfmac sebsd/andrew:object_r:readonly_t test_readonly
 $ echo > test_readonly
 test_readonly: Permission denied
+
 $ touch test_secret
 $ setfmac sebsd/andrew:object_r:secret_t test_secret
 $ cat test_secret
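Review bot: The added sentence "enforcing mode by running "sudo nvram kenv_sebsd_enforce=1" from the shell" does not say whether the setting takes effect immediately or only after a reboot, and it gives no way to return to permissive mode. A reader who locks themselves out with the sample policy needs both, so state them right after the command. The long parenthetical now sits between the command and "and set some file labels", which makes the sentence hard to follow; splitting it into two sentences would help. The relocated label description says labels "begin with the name of the policy module" but no longer mentions the "/" separator visible in "sebsd/andrew:user_r:user_d"; name the separator explicitly. The line "+system, labels begin with the name of the policy module (in this case, " also ends in trailing whitespace.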
@@ -56,7 +60,9 @@
 sebsd/andrew:user_r:protected_d
 2$ echo $$
 700
-In the original shell,
+Back in the original shell,
+$ getpmac
+sebsd/andrew:user_r:user_d
 $ kill 700
 -bash: kill (700) - Operation not permitted
 $
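Review bot: The added "$ getpmac" output shows the original shell is in user_d while the target process is in protected_d, but the README still leaves the reader to infer that this domain difference is why "kill 700" returns "Operation not permitted". Add one sentence after the kill output saying that the sample policy denies signals from user_d to protected_d, and that the denial comes from the TE module rather than from ordinary Unix permissions (both shells run as the same user). For consistency with the blank-line separators introduced in the first hunk, consider a blank line before "Back in the original shell," so the narration is visibly set apart from the transcript.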

