SEBSD policy version and userland support

Robert Watson rwatson at FreeBSD.org
Mon Oct 18 11:59:49 GMT 2004


On Sun, 17 Oct 2004, Joshua Brindle wrote:

> I have some questions about the SEBSD policy and userland. I've been
> using SELinux for quite a while and just started playing with SEBSD. The
> first thing I noticed was that the policy version claims to be version
> 16 but there are no conditionals. Are the policy versions in SEBSD not
> aligned with policy versions in SELinux? In that case are the binaries
> no longer portable?

The policy versions have diverged, but my hope is to get them
resynchronized in the near future.  We bumped the policy version in the
TrustedBSD branch due to an incompatibility resulting from FreeBSD having
more capabilities than could be expressed in the 32-bit method bitmask, so
we expanded to a 64-bit bitmask.  In retrospect, it would probably be
better to simply break the capability mask into two different masks of
32 bits to keep binary compatibility (but possibly break some semantics).
So the basic answer is: we're running the prior version (15, presumably) 
with local changes for the capability parts. 

> Looking at the SEBSD module, it seems like the current security server
> is simply dropped in from Linux, with some #defines in linux-compat.h to
> fix obvious kernel differences. If that's the case it shouldn't be
> difficult at all to replace the current BSD security server with the
> Linux one which supports conditionals. 

Yes.  We hope to re-port the SELinux security server sometime in the next
couple of months with the updated version.  The MAC Framework "SEBSD"
wrapper parts appear to keep a pretty decent separation between the
FLASK/TE policy parts and the OS-specific parts.

> Further, I am now employed at Tresys Technology doing work on SELinux
> policy modules and other projects. I was hoping this work could be
> (easily) directly applied to SEBSD and used with few changes but it
> seems like the SEBSD userland is in a very different state than SELinux.
> SELinux recently made a change to the parser to move almost all the
> reading/writing functions into libsepol which made all this
> significantly easier. Are there plans to do this with the BSD policy
> parser as well? 

Our hope, subject to resources, is to remain as in sync as we can with
the NSA "vendor" code.  One of our current areas of work is to come up
with the necessary user space abstractions to support SEBSD as just one of
several supported mandatory policies by permitting policies to provide
pluggable shared libraries into critical user space "base system"
applications that will remain policy-agnostic, such as the login
mechanisms, cron, etc.

> Here is the specification for the module work
> http://www.tresys.com/Downloads/selinux_dev/Policy_Modules_Specification.pdf

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Principal Research Scientist, McAfee Research

