PERFORCE change 91434 for review

Thu Feb 9 10:11:06 PST 2006

http://perforce.freebsd.org/chv.cgi?CH=91434

Change 91434 by deker at deker_build1.columbia.sparta.com on 2006/02/09 18:10:49

	Updates to build instructions:
	
	- McAfee -> SPARTA
	- updated to reflect policy module name change
	- updated PAM config info
	- misc small changes

Affected files ...

.. //depot/projects/trustedbsd/sedarwin7/docs/build-instructions.txt#3 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin7/docs/build-instructions.txt#3 (text+ko) ====

@@ -6,7 +6,7 @@
 
   Install Mac OS X 10.3.8 using the directions found in system-setup.txt.
 
-  If working within the McAfee Research development environment, install
+  If working within the SPARTA ISSO development environment, install
   Perforce and configure the Perforce client using the directions found
   in perforce-client.txt.
 
@@ -17,7 +17,7 @@
 Step 2: Check out source tree
 
   In this step, check the source tree out of Perforce, or untar the
-  distribution tarball.  If working within the McAfee Research development
+  distribution tarball.  If working within the SPARTA ISSO development
   environment, check out the source code using the directions found in
   perforce-checkout.txt.
 
@@ -137,7 +137,7 @@
   the older modules will be incompatible.  Remove the appropriate KEXT
   bundles from /System/Library/Extensions.  For example:
 
-    $ sudo rm -rf /System/Library/Extensions/sedarwin.kext
+    $ sudo rm -rf /System/Library/Extensions/mac_sedarwin.kext
     $ sudo rm -rf /System/Library/Extensions/mac_test.kext
 
 
@@ -191,13 +191,13 @@
 
 Step 11: Update PAM configuration
 
-  Add the following line:
+  Copy the SEDarwin versions of the sshd and login pam configuration files
+  and modify them as necessary for your site.
 
-    session	required	pam_lctx.so
+  $ sudo cp /etc/pam.d/sshd.sedarwin /etc/pam.d/sshd
+  $ sudo cp /etc/pam.d/login.sedarwin /etc/pam.d/login
 
-  at the end of the /etc/pam.d/login and /etc/pam.d/sshd files.
-
-Step 12(a): Create Extended Attribute File (SEDarwin only)
+Step 12: Create Extended Attribute File
 
   The distribution includes a shell script that creates an extended
   attribute backing file for the SEDarwin policy module.  Run the script:
@@ -215,15 +215,6 @@
         256 /Volumes/Spare/.attribute/system/sebsd
 
 
-Step 12(b): Create Extended Attribute File (MLS only)
-
-  Run the following two commands to allocate storage space for MLS
-  labels on the root file system.
-
-    $ sudo mkdir -p /.attribute/system
-    $ sudo extattrctl initattr -p / 112 /.attribute/system/mac_mls
-
-
 Step 13: Configure Policy path (SEDarwin only)
 
   The system boot loader needs to know where the SEDarwin policy file is
@@ -253,20 +244,20 @@
   user will be unable to login.
 
 
-Step 14: Reboot in Single User Mode (SEDarwin only)
+Step 14: Reboot in Single User Mode
 
   At this point, you should now have a new Darwin kernel, support
   libraries, command line tools, and configuration files installed.  
   Reboot to single-user mode by holding down Command-S during the boot.  
   Check the file system and mount the root file system writable:
 
-    $ /sbin/fsck -y
-    $ /sbin/mount -uw /
+    # /sbin/fsck -y
+    # /sbin/mount -uw /
 
   Now set the label on various binaries so they can transition during
   system startup:
 
-    $ sudo /etc/sedarwin/sebsd-relabel.sh
+    # /etc/sedarwin/sebsd-relabel.sh
 
   Missing this step will result in the login window failing to start,
   login attempts failing, or the entire system not working if enforcing
@@ -289,12 +280,16 @@
 
 Step 16: Verify System Functionality
 
-  When you log in to the system
-  After booting and logging into the system, verify that you have booted
-  to the correct kernel by running 'uname -a'.
+  After rebooting, log in on the graphical console.  After you have
+  entered your password you will be presented with an additional
+  menu where you may select from your available intial security
+  contexts.  If your username is not listed in the
+  /etc/sedarwin/policy/users file, the security context listed in
+  /etc/sedarwin/failsafe_context will be used.
+
+  After you have logged in, you can run 'kextstat' to verify that
+  the selected security modules have been loaded:
 
-  You can run 'kextstat' to verify that the selected security modules
-  have been loaded:
     $ kextstat |head
     Index Refs Address    Size       Wired      Name (Version) <Linked Against>
 	1    1 0x5ec9000  0x19000    0x18000    security.sedarwin (*)
