rwatson at FreeBSD.org
Tue Jun 28 12:40:16 GMT 2005
On Fri, 24 Jun 2005, outback dingo wrote:
> I know mailing you directly probably isnt the easiest way to get an
> answer but i thought you would be the best source for the question.
> Great work on the TrustedBSD/SeBSD work. Ive got some minor questions
> though. I know that portions of it are going into the 6.0 tree, some are
> in the 5.0 tree. So what differentiates SeBSD from FreeBSD 6.0 ? Can one
> take a FreeBSD 6.0 system and remopile the SeBSD cvs tree on it to
> migrate it to a SeBSD tree? I read the docs and installed the SeBSD iso
> which is based on a 5.X series branch. So Im puzzled about the 2
> branches. it the current SeBSD cvs tree just a FreeBSD 6.0 Tree with the
> SeBSD enhancements? or is it still a branch of 5.X. I guess the simplest
> question would be to ask this. How does one go from FreeBSD 5.4, to
> SeBSD-Current. I read something about Volume Labels also. SO I question
> does SeBSD always require to be installed from its own CD. Or can one
> update a 6.0 Current tree, and come out with a 6.0 Current SeBSD? Thanks
> in Advance.
Just catching up with your mail from over the weekend, sorry things are a
bit out of order.
Not sure if you saw my message in the last two days about the various bits
of work going on, but the SEBSD code is primarily differentiated from
FreeBSD in the following ways:
- There are enhancements to the MAC Framework to allow SEBSD to control
more aspects of system operation than our other policy modules did.
For example, breaking down super-user privilege into a set of specific
- There is the addition of the SEBSD kernel module itself, which is a
wrapper around NSA's FLASK/TE implementation extracted from SELinux.
- There are modifications to user space to support TE transitions at
- There's an adaptation of SELinux's "sample" TE policy for FreeBSD.
Many of the changes required for the SEBSD module in the MAC Framework
have been merged to FreeBSD 6.x, but not quite all of them. I'm currently
looking at the remaining changes to decide which are appropriate for merge
at this time. Our goal is eventually for SEBSD to be an installable
module and package on the base FreeBSD install, but we're not quite there
The easiest way to get to SEBSD is to install the ISO. Once 6.0 is out
the door, my hope is that we will be able to provide an "upgrade" package
to get from 6.0 to SEBSD-6.0 using either binary or source code parts.
Getting source code upgrade working is relatively easy, it's just a
question of syncing the SEBSD source code to the FreeBSD source code at
the time of release. A binary updater is harder, as it requires
determining everything that is affected by our source code changes, plus
appropriate bundling. Doing source code or ISO install may be what we get
by virtue of it being straight forward to do, leaving more resources
available for merging changes and improving the SEBSD implementation.
Hope this helps,
Robert N M Watson
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message
More information about the trustedbsd-discuss