SeBSD questions

Robert Watson rwatson at
Tue Jun 28 12:40:16 GMT 2005

On Fri, 24 Jun 2005, outback dingo wrote:

> I know mailing you directly probably isnt the easiest way to get an 
> answer but i thought you would be the best source for the question. 
> Great work on the TrustedBSD/SeBSD work. Ive got some minor questions 
> though. I know that portions of it are going into the 6.0 tree, some are 
> in the 5.0 tree. So what differentiates SeBSD from FreeBSD 6.0 ? Can one 
> take a FreeBSD 6.0 system and remopile the SeBSD cvs tree on it to 
> migrate it to a SeBSD tree? I read the docs and installed the SeBSD iso 
> which is based on a 5.X series branch. So Im puzzled about the 2 
> branches. it the current SeBSD cvs tree just a FreeBSD 6.0 Tree with the 
> SeBSD enhancements? or is it still a branch of 5.X. I guess the simplest 
> question would be to ask this. How does one go from FreeBSD 5.4, to 
> SeBSD-Current. I read something about Volume Labels also. SO I question 
> does SeBSD always require to be installed from its own CD. Or can one 
> update a 6.0 Current tree, and come out with a 6.0 Current SeBSD? Thanks 
> in Advance.

Just catching up with your mail from over the weekend, sorry things are a 
bit out of order.

Not sure if you saw my message in the last two days about the various bits 
of work going on, but the SEBSD code is primarily differentiated from 
FreeBSD in the following ways:

- There are enhancements to the MAC Framework to allow SEBSD to control
   more aspects of system operation than our other policy modules did.
   For example, breaking down super-user privilege into a set of specific

- There is the addition of the SEBSD kernel module itself, which is a
   wrapper around NSA's FLASK/TE implementation extracted from SELinux.

- There are modifications to user space to support TE transitions at
   login, etc.

- There's an adaptation of SELinux's "sample" TE policy for FreeBSD.

Many of the changes required for the SEBSD module in the MAC Framework 
have been merged to FreeBSD 6.x, but not quite all of them.  I'm currently 
looking at the remaining changes to decide which are appropriate for merge 
at this time.  Our goal is eventually for SEBSD to be an installable 
module and package on the base FreeBSD install, but we're not quite there 

The easiest way to get to SEBSD is to install the ISO.  Once 6.0 is out 
the door, my hope is that we will be able to provide an "upgrade" package 
to get from 6.0 to SEBSD-6.0 using either binary or source code parts. 
Getting source code upgrade working is relatively easy, it's just a 
question of syncing the SEBSD source code to the FreeBSD source code at 
the time of release.  A binary updater is harder, as it requires 
determining everything that is affected by our source code changes, plus 
appropriate bundling.  Doing source code or ISO install may be what we get 
by virtue of it being straight forward to do, leaving more resources 
available for merging changes and improving the SEBSD implementation.

Hope this helps,

Robert N M Watson
To Unsubscribe: send mail to majordomo at
with "unsubscribe trustedbsd-discuss" in the body of the message

More information about the trustedbsd-discuss mailing list