PERFORCE change 87616 for review

Todd Miller millert at FreeBSD.org
Thu Dec 1 22:04:07 GMT 2005 

http://perforce.freebsd.org/chv.cgi?CH=87616

Change 87616 by millert at millert_g4tower on 2005/12/01 22:03:55

	Attempt to update to reality after wslogin -> LoginWindow
	plugin changes.  apiabi.txt needs more work.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin7/docs/apiabi.txt#3 edit
.. //depot/projects/trustedbsd/sedarwin7/docs/build-instructions.txt#2 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin7/docs/apiabi.txt#3 (text+ko) ====

@@ -116,6 +116,9 @@
 
 int getlcid();
 int setlcid();
+int __mac_get_lcid();
+int __mac_get_lctx();
+int __mac_set_lctx();
 
   New System Controls - MAC Framework
 
@@ -362,13 +365,33 @@
 
 Set the MAC label of the current process, then execute a command.
 
+  New Command Line Utilities - login contexts
+
+lcs(1)
+
+Show information about existing login contexts.
+
+getlcmac(8)
+
+Print login context related MAC labels.
+
+setlcmac(8)
+
+Change the MAC login context label.
+
   New Command Line Utilities - SEDarwin
 
 checkpolicy(8)
+
+Check a policy for correctness and convert to binary format.
+
 loadpolicy(8)
-newrole(8)
-relabel_gui
-wslogin
+
+XXX - not yet supported.
+
+sebsd_newrole(8)
+
+Run a shell with a new role.
 
   Modifications to Existing System Services
 

==== //depot/projects/trustedbsd/sedarwin7/docs/build-instructions.txt#2 (text+ko) ====

@@ -2,9 +2,9 @@
 evolves.
 
 
-Step 1: Mac OS X Panther 10.3.3
+Step 1: Mac OS X Panther 10.3.8
 
-  Install Mac OS X 10.3.3 using the directions found in system-setup.txt.
+  Install Mac OS X 10.3.8 using the directions found in system-setup.txt.
 
   If working within the McAfee Research development environment, install
   Perforce and configure the Perforce client using the directions found
@@ -54,7 +54,7 @@
 
     BUILD_MODULES   ?= sedarwin ipctrace mactest mac_mls mac_none mac_stub \
 			stacktrace
-    INSTALL_MODULES ?= mac_mls
+    INSTALL_MODULES ?= sedarwin
 
   If modules are built but not installed, you can install them later by
   extracting the *.kext.tar tarfile from the module source directory
@@ -90,7 +90,7 @@
   including kernel, libraries, program binaries, and policy modules, run
   the following command from the root of the source tree:
 
-    make
+    $ make
 
 
 Step 5: Prepare distribution directory 
@@ -99,7 +99,7 @@
   temporary distribution directory, run the following command from the top
   level of the source tree:
      
-    make install
+    $ make install
 
 
 Step 6: Create system upgrade tarfile
@@ -108,14 +108,14 @@
   binaries, run the following command from the top level of the source
   tree:
 
-    make dist
+    $ make dist
 
   This will create a compressed tarfile from the temporary distribution
   directory.  The file will be called, "sedarwin.tgz" and it will be
   created in the root of the source tree.
 
   This tarfile can be used to install on the current machine, or any other
-  appropriately updated 10.3.3 system.  The following steps presume that
+  appropriately updated 10.3.8 system.  The following steps presume that
   you have copied the tar file to the target machine.
 
 
@@ -137,8 +137,8 @@
   the older modules will be incompatible.  Remove the appropriate KEXT
   bundles from /System/Library/Extensions.  For example:
 
-    sudo rm -rf /System/Library/Extensions/sedarwin.kext
-    sudo rm -rf /System/Library/Extensions/mac_test.kext
+    $ sudo rm -rf /System/Library/Extensions/sedarwin.kext
+    $ sudo rm -rf /System/Library/Extensions/mac_test.kext
 
 
 Step 8: Backup files
@@ -153,36 +153,56 @@
   
   Extract the distribution tarfile from the root of the target machine:
 
-    cd /
-    sudo gnutar xvzf sedarwin.tgz
+    $ cd /
+    $ sudo tar zxf sedarwin.tgz
 
   Note, there may be some remaining issues with the way in which the boot
   loader has been replaced.  To be safe, it is best to run the bless
   command to make certain the partition will still be bootable:
 
-    sudo bless -folder /System/Library/CoreServices \
+    $ sudo bless -folder /System/Library/CoreServices \
         -bootinfo /usr/standalone/ppc/bootx.bootinfo
 
   Also note that if bless is being used to mark a partition that is
   different from the current partition that the appropriate /Volume/<name>
   path should be prepended each filename in the above command, and the
-  -setBoot option should also be added.
+  "-setBoot" option should also be added.
+
+
+Step 10: Enable and Configure MAC.loginPlugin
+
+  The MAC.loginPlugin must be enabled.  After a new install the maclogin
+  command must be run to prepare the system for using the MAC.loginPlugin:
+
+    $ sudo /usr/bin/maclogin
+    [follow instructions]
+
+  After this is performed, further invocations of the maclogin script
+  allow the MAC.loginPlugin to be enabled and disabled.  SEDarwin requires
+  that the MAC.loginPlugin to be enabled:
+
+    $ sudo /usr/bin/maclogin enable
+
+  Copy /etc/MAClogin.conf.sample to /etc/MAClogin.conf:
+
+    $ sudo cp /etc/MAClogin.conf.sample /etc/MAClogin.conf
+
+  The default values are correct for SEDarwin.
 
-Step 10: Backup and Replace the WindowServer (SEDarwin only)
+Step 11: Update PAM configuration
 
-  The distribution includes a shell script to replace Apple's Login Window
-  application with a wrapper that modifies the login process.  Run the
-  script:
+  Add the following line:
 
-    sudo /etc/sedarwin/install-windowserver.sh
+    session	required	pam_lctx.so
 
+  at the end of the /etc/pam.d/login and /etc/pam.d/sshd files.
 
-Step 11(a): Create Extended Attribute File (SEDarwin only)
+Step 12(a): Create Extended Attribute File (SEDarwin only)
 
   The distribution includes a shell script that creates an extended
   attribute backing file for the SEDarwin policy module.  Run the script:
 
-     sudo /etc/sedarwin/create-extattr.sh
+    $ sudo /etc/sedarwin/create-extattr.sh
 
   This will allocate storage space for MAC labels on the root file system.  
   You may wish to run similar commands on other file systems, but it is
@@ -195,49 +215,58 @@
         256 /Volumes/Spare/.attribute/system/sebsd
 
 
-Step 11(b): Create Extended Attribute File (MLS only)
+Step 12(b): Create Extended Attribute File (MLS only)
 
   Run the following two commands to allocate storage space for MLS
   labels on the root file system.
 
-    sudo mkdir -p /.attribute/system
-    sudo extattrctl initattr -p / 112 /.attribute/system/mac_mls
+    $ sudo mkdir -p /.attribute/system
+    $ sudo extattrctl initattr -p / 112 /.attribute/system/mac_mls
 
 
-Step 12: Configure Policy path (SEDarwin only)
+Step 13: Configure Policy path (SEDarwin only)
 
   The system boot loader needs to know where the SEDarwin policy file is
   located; at boot time, it reads the location from the system firmware.  
-  Set the location in the firmware with the following command:
+  Set the location in the firmware with the following commands:
 
-    sudo nvram load_sebsd_policy=policy.16
+    $ sudo nvram load_sebsd_policy=policy.16
+    $ sudo nvram load_sebsd_migscs=sebsd_migscs
 
   Our sample policy file, users, ships with some predefined users.
-  Chances are, you'll want to add entries for your own user accounts
-  based on one of the existing entries.  The policy sources were
-  installed into /etc/sedarwin/policy; make changes there, rebuild,
-  and install the binary policy file:
+  You should add entries for your own user accounts based on one
+  of the existing entries.  The policy sources were installed into
+  /etc/sedarwin/policy; make changes there, rebuild, and install
+  the binary policy file:
 
-    cd /etc/sedarwin/policy
+    $ cd /etc/sedarwin/policy
     [edit as root]
-    sudo make
-    sudo make install
+    $ sudo make
+    $ sudo make install
+
+  This step must be taken even if you make no changes to the policy
+  files.
+
+  NOTE: If a user logs in who is not listed in the users file, the
+  contents of /etc/sedarwin/failsafe_context will be used as the
+  context for the user.  If that file does not exist, the unlisted
+  user will be unable to login.
 
 
-Step 13: Reboot in Single User Mode (SEDarwin only)
+Step 14: Reboot in Single User Mode (SEDarwin only)
 
   At this point, you should now have a new Darwin kernel, support
   libraries, command line tools, and configuration files installed.  
   Reboot to single-user mode by holding down Command-S during the boot.  
   Check the file system and mount the root file system writable:
 
-    /sbin/fsck -y
-    /sbin/mount -uw /
+    $ /sbin/fsck -y
+    $ /sbin/mount -uw /
 
   Now set the label on various binaries so they can transition during
   system startup:
 
-    sudo /etc/sedarwin/sebsd-relabel.sh
+    $ sudo /etc/sedarwin/sebsd-relabel.sh
 
   Missing this step will result in the login window failing to start,
   login attempts failing, or the entire system not working if enforcing
@@ -249,7 +278,7 @@
     setfmac: traversing /usr/local/bin/*: No such file or directory
 
 
-Step 14: Reboot 
+Step 15: Reboot 
 
   A reboot is required in order for the extended attributes to be
   recognized by the system.
@@ -258,8 +287,9 @@
   'reboot' from the console.  Otherwise, restart the machine normally.
 
 
-Step 15: Verify System Functionality
+Step 16: Verify System Functionality
 
+  When you log in to the system
   After booting and logging into the system, verify that you have booted
   to the correct kernel by running 'uname -a'.
 
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message

More information about the trustedbsd-cvs mailing list