MAC branch status

Robert Watson rwatson at FreeBSD.org
Sun Jul 7 18:42:15 GMT 2002


I've had a couple of questions about status, since the mailing lists have
been quiet for a bit.

The branch currently receiving the most development focus is the
trustedbsd_mac branch.  Over the past couple of months, we've largely
worked to improve the extensibility and flexibility of the TrustedBSD MAC
framework, adding the ability to have dynamically loaded kernel modules
allocate label data associated with them.  This allows a new policy to be
instantiated and proceed to introduce label data for system objects as it
runs, allowing the kernel policy to be adapted at run-time.  Current
activities largely fall into the category of "honing" -- we're completing
the adaption of the policies to the new environment, cleaning up
interfaces, chasing bugs, and working to make sure that the set of entry
points is sufficient.  We're also actively working on getting a running
prototype of the SELinux flask/te/... implementation into the tree. 

Currently the trustedbsd_mac tree is basically the head of the FreeBSD
5.0-CURRENT tree, except lagged about a week as we're waiting for recent
threading-related changes to settle down.  Once that settling has occurred,
we will begin to merge the MAC framework into the main tree.  This will
permit people running with the base OS to enable and work with the MAC
framework. 

Once that's done, our focus will move to putting more work into the
userland API for managing object labels, communicating with policies, etc. 
The APIs that will be committed to the main tree in a couple of weeks will
not be the final APIs, although they are sufficient for some basic
exploration of the issues and to perform moderate management of labels in
applications for the basic MAC policies we are shipping.

For those interested in looking at the current work, cvsup remains the best
way to retrieve the source tree as it stands.  Instructions and a sample
supfile are available on www.TrustedBSD.org.  'MACREADME' in the root of
the source repository lists some currently known issues, including a list
of kernel services not currently adapted to use MAC (such as netsmb/smbfs
and some non-IP protocols).  The system actually appears to be quite
stable (about as stable as the FreeBSD 5.0-CURRENT date it is derived
from). 

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Network Associates Laboratories

