PERFORCE change 87616 for review
millert at FreeBSD.org
Thu Dec 1 22:04:07 GMT 2005
Change 87616 by millert at millert_g4tower on 2005/12/01 22:03:55
Attempt to update to reality after wslogin -> LoginWindow
plugin changes. apiabi.txt needs more work.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin7/docs/apiabi.txt#3 edit
.. //depot/projects/trustedbsd/sedarwin7/docs/build-instructions.txt#2 edit
==== //depot/projects/trustedbsd/sedarwin7/docs/apiabi.txt#3 (text+ko) ====
@@ -116,6 +116,9 @@
New System Controls - MAC Framework
@@ -362,13 +365,33 @@
Set the MAC label of the current process, then execute a command.
+ New Command Line Utilities - login contexts
+Show information about existing login contexts.
+Print login context related MAC labels.
+Change the MAC login context label.
New Command Line Utilities - SEDarwin
+Check a policy for correctness and convert to binary format.
+XXX - not yet supported.
+Run a shell with a new role.
Modifications to Existing System Services
==== //depot/projects/trustedbsd/sedarwin7/docs/build-instructions.txt#2 (text+ko) ====
@@ -2,9 +2,9 @@
-Step 1: Mac OS X Panther 10.3.3
+Step 1: Mac OS X Panther 10.3.8
- Install Mac OS X 10.3.3 using the directions found in system-setup.txt.
+ Install Mac OS X 10.3.8 using the directions found in system-setup.txt.
If working within the McAfee Research development environment, install
Perforce and configure the Perforce client using the directions found
@@ -54,7 +54,7 @@
BUILD_MODULES ?= sedarwin ipctrace mactest mac_mls mac_none mac_stub \
- INSTALL_MODULES ?= mac_mls
+ INSTALL_MODULES ?= sedarwin
If modules are built but not installed, you can install them later by
extracting the *.kext.tar tarfile from the module source directory
@@ -90,7 +90,7 @@
including kernel, libraries, program binaries, and policy modules, run
the following command from the root of the source tree:
+ $ make
Step 5: Prepare distribution directory
@@ -99,7 +99,7 @@
temporary distribution directory, run the following command from the top
level of the source tree:
- make install
+ $ make install
Step 6: Create system upgrade tarfile
@@ -108,14 +108,14 @@
binaries, run the following command from the top level of the source
- make dist
+ $ make dist
This will create a compressed tarfile from the temporary distribution
directory. The file will be called, "sedarwin.tgz" and it will be
created in the root of the source tree.
This tarfile can be used to install on the current machine, or any other
- appropriately updated 10.3.3 system. The following steps presume that
+ appropriately updated 10.3.8 system. The following steps presume that
you have copied the tar file to the target machine.
@@ -137,8 +137,8 @@
the older modules will be incompatible. Remove the appropriate KEXT
bundles from /System/Library/Extensions. For example:
- sudo rm -rf /System/Library/Extensions/sedarwin.kext
- sudo rm -rf /System/Library/Extensions/mac_test.kext
+ $ sudo rm -rf /System/Library/Extensions/sedarwin.kext
+ $ sudo rm -rf /System/Library/Extensions/mac_test.kext
Step 8: Backup files
@@ -153,36 +153,56 @@
Extract the distribution tarfile from the root of the target machine:
- cd /
- sudo gnutar xvzf sedarwin.tgz
+ $ cd /
+ $ sudo tar zxf sedarwin.tgz
Note, there may be some remaining issues with the way in which the boot
loader has been replaced. To be safe, it is best to run the bless
command to make certain the partition will still be bootable:
- sudo bless -folder /System/Library/CoreServices \
+ $ sudo bless -folder /System/Library/CoreServices \
Also note that if bless is being used to mark a partition that is
different from the current partition that the appropriate /Volume/<name>
path should be prepended each filename in the above command, and the
- -setBoot option should also be added.
+ "-setBoot" option should also be added.
+Step 10: Enable and Configure MAC.loginPlugin
+ The MAC.loginPlugin must be enabled. After a new install the maclogin
+ command must be run to prepare the system for using the MAC.loginPlugin:
+ $ sudo /usr/bin/maclogin
+ [follow instructions]
+ After this is performed, further invocations of the maclogin script
+ allow the MAC.loginPlugin to be enabled and disabled. SEDarwin requires
+ that the MAC.loginPlugin to be enabled:
+ $ sudo /usr/bin/maclogin enable
+ Copy /etc/MAClogin.conf.sample to /etc/MAClogin.conf:
+ $ sudo cp /etc/MAClogin.conf.sample /etc/MAClogin.conf
+ The default values are correct for SEDarwin.
-Step 10: Backup and Replace the WindowServer (SEDarwin only)
+Step 11: Update PAM configuration
- The distribution includes a shell script to replace Apple's Login Window
- application with a wrapper that modifies the login process. Run the
+ Add the following line:
- sudo /etc/sedarwin/install-windowserver.sh
+ session required pam_lctx.so
+ at the end of the /etc/pam.d/login and /etc/pam.d/sshd files.
-Step 11(a): Create Extended Attribute File (SEDarwin only)
+Step 12(a): Create Extended Attribute File (SEDarwin only)
The distribution includes a shell script that creates an extended
attribute backing file for the SEDarwin policy module. Run the script:
- sudo /etc/sedarwin/create-extattr.sh
+ $ sudo /etc/sedarwin/create-extattr.sh
This will allocate storage space for MAC labels on the root file system.
You may wish to run similar commands on other file systems, but it is
@@ -195,49 +215,58 @@
-Step 11(b): Create Extended Attribute File (MLS only)
+Step 12(b): Create Extended Attribute File (MLS only)
Run the following two commands to allocate storage space for MLS
labels on the root file system.
- sudo mkdir -p /.attribute/system
- sudo extattrctl initattr -p / 112 /.attribute/system/mac_mls
+ $ sudo mkdir -p /.attribute/system
+ $ sudo extattrctl initattr -p / 112 /.attribute/system/mac_mls
-Step 12: Configure Policy path (SEDarwin only)
+Step 13: Configure Policy path (SEDarwin only)
The system boot loader needs to know where the SEDarwin policy file is
located; at boot time, it reads the location from the system firmware.
- Set the location in the firmware with the following command:
+ Set the location in the firmware with the following commands:
- sudo nvram load_sebsd_policy=policy.16
+ $ sudo nvram load_sebsd_policy=policy.16
+ $ sudo nvram load_sebsd_migscs=sebsd_migscs
Our sample policy file, users, ships with some predefined users.
- Chances are, you'll want to add entries for your own user accounts
- based on one of the existing entries. The policy sources were
- installed into /etc/sedarwin/policy; make changes there, rebuild,
- and install the binary policy file:
+ You should add entries for your own user accounts based on one
+ of the existing entries. The policy sources were installed into
+ /etc/sedarwin/policy; make changes there, rebuild, and install
+ the binary policy file:
- cd /etc/sedarwin/policy
+ $ cd /etc/sedarwin/policy
[edit as root]
- sudo make
- sudo make install
+ $ sudo make
+ $ sudo make install
+ This step must be taken even if you make no changes to the policy
+ NOTE: If a user logs in who is not listed in the users file, the
+ contents of /etc/sedarwin/failsafe_context will be used as the
+ context for the user. If that file does not exist, the unlisted
+ user will be unable to login.
-Step 13: Reboot in Single User Mode (SEDarwin only)
+Step 14: Reboot in Single User Mode (SEDarwin only)
At this point, you should now have a new Darwin kernel, support
libraries, command line tools, and configuration files installed.
Reboot to single-user mode by holding down Command-S during the boot.
Check the file system and mount the root file system writable:
- /sbin/fsck -y
- /sbin/mount -uw /
+ $ /sbin/fsck -y
+ $ /sbin/mount -uw /
Now set the label on various binaries so they can transition during
- sudo /etc/sedarwin/sebsd-relabel.sh
+ $ sudo /etc/sedarwin/sebsd-relabel.sh
Missing this step will result in the login window failing to start,
login attempts failing, or the entire system not working if enforcing
@@ -249,7 +278,7 @@
setfmac: traversing /usr/local/bin/*: No such file or directory
-Step 14: Reboot
+Step 15: Reboot
A reboot is required in order for the extended attributes to be
recognized by the system.
@@ -258,8 +287,9 @@
'reboot' from the console. Otherwise, restart the machine normally.
-Step 15: Verify System Functionality
+Step 16: Verify System Functionality
+ When you log in to the system
After booting and logging into the system, verify that you have booted
to the correct kernel by running 'uname -a'.
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message
More information about the trustedbsd-cvs