Errors in the FreeBSD handbook (MAC framework)
Tom Rhodes
trhodes at FreeBSD.org
Tue May 9 22:03:50 UTC 2006
On Tue, 9 May 2006 18:22:05 +0200
Borja Marcos <borjamar at sarenet.es> wrote:
> (crossposted to freebsd-security just in case someone has to slap me) :)
>
>
> Hello,
>
> I'm doing some work with the MAC subsystem in FreeBSD, and I have
> spotted some errors in the MAC documentation in the handbook.
>
> 1- Section 15.14.4. Error in the example dropping users "nagios" and
> "www" into the insecure class. The example uses the command "pw
> usermod nagios -L default" when it should obviously be "pw usermod
> nagios -L insecure". The same holds for the "www" user.
>
> 2- Section 15.14.6.
>
> The example script launches the commands "apachectl", and "/usr/local/
> etc/rc.d/nagios.sh" with the label biba/10, but they should be
> launched with the label biba/10(10-10).
>
> I've defined the "default" login class with a label of "biba/high". I
> login at the machine as root, and...
>
> -----
> # getpmac
> biba/high(low-high)
> # setpmac biba/low getpmac
> biba/low(low-high)
> # setpmac biba/low setpmac biba/high getpmac
> biba/high(low-high)
>
>
> So, if I launch a process with a "setpmac biba/low", it actually
> inherits a label of "biba/low(high-low)", being able to recover its
> biba/high setting, something that wouldn't be desirable. However,
> launching it with a label of "biba/low(low-low)" effectively
> downgrades the process forever
>
> # setpmac "biba/low(low-low)" getpmac
> biba/low(low-low)
> # setpmac "biba/low(low-low)" setpmac biba/high getpmac
> biba/high: Operation not permitted
Yea, I'm still in the process of doing updates to this chapter,
sorry for the current issues. :(
--
Tom Rhodes
More information about the freebsd-security
mailing list