PERFORCE change 46207 for review

Andrew Reisse areisse at
Fri Jan 30 18:31:41 GMT 2004

Change 46207 by areisse at areisse_ibook on 2004/01/30 10:30:40

	Document build procedure for init and bootloader, and configuring
	the bootloader to load the sebsd policy.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin/bootstrap_instructions.txt#24 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin/bootstrap_instructions.txt#24 (text+ko) ====

@@ -162,6 +162,30 @@
     make ; sudo make install
     cd ..
+Step 9.1: Build and install modified MiG program
+    cd apsl/bootstrap_cmds/migcom.tproj
+    make ; sudo make install
+    cd ../../..
+  This mig program is compatible with old kernels as well, as long as the
+  new features are not used.
+Step 9.2: Build modified mach_init
+    cd apsl/system_cmds/mach_init.tproj
+    make ; sudo make install
+    cd ../../..
+Step 9.3: Build modified bootloader
+    The modified bootloader is necessary to read the security policy before
+    the root filesystem is available. It might work with other kernels as
+    well. 
+    BEFORE installing this bootloader, make sure you have a working backup
+    partition (that boots) on the same machine.
+    cd apsl/BootX
+    chmod u+w bootx.tproj/bootinfo.hdr
+    make
+    sudo cp bootx.bootinfo /System/Library/CoreServices/BootX
 Step 10: Build, Install wslogin and WindowServer wrapper
   In order to allow users to select roles during GUI login, you must
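
Review bot: Step 9.3 ends at "sudo cp bootx.bootinfo /System/Library/CoreServices/BootX" without returning to the top of the tree, unlike Steps 9.1 and 9.2, which both finish with "cd ../../.."; add "cd ../.." so Step 10 starts from the same directory as before. The same cp overwrites the installed bootloader, and the warning above it only asks for a bootable backup partition; consider adding a line that copies the existing /System/Library/CoreServices/BootX aside first, and a sentence on why bootinfo.hdr needs "chmod u+w". Minor: the 9.2 heading says "Build" while its commands also install, and the explanatory text under 9.1 is indented two spaces where 9.3 uses four.
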
@@ -190,22 +214,16 @@
 Step 11: Build SEDarwin Sample Policy
-  We provide a minimal sample policy; due to current limitations in loading the
-  policy at boot-time, we link the sample policy directly into the Darwin kernel
-  (yes, this is just temporary!).  When the policy is built, you end up with
-  a policy.h file that will get copied into the XNU tree for the kernel build.
   Our sample policy file ships with three users: root, andrew, and rwatson.
   Chances are, you'll want to add a line for your own user based on one of
   those lines.
     cd policy
-    make ; make install
+    make
+    sudo cp policy.16 /
+    sudo nvram load_sebsd_policy=policy.16
     cd ..
-  Until we have this fixed, remember that when you change the policy, you need
-  to re-install and remake the XNU kernel.
 Step 12: Build XNU
   NOTE: If you skipped the long and tedious elements of Step 2 above,
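
Review bot: The removed reminder about what to do after changing the policy has no replacement in Step 11; with the policy now copied to /policy.16, say explicitly that after editing the policy the reader must rerun "make" and "sudo cp policy.16 /", and whether a kernel rebuild is still needed. The "sudo nvram load_sebsd_policy=policy.16" line would also benefit from a sentence on what the variable means to the modified bootloader from Step 9.3, what the file name is relative to, and how to clear the variable if the machine fails to boot with the policy. Since this file defines the security policy and is read at boot, state the expected ownership and mode of /policy.16 rather than leaving it to whatever "cp" produces.
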
@@ -306,10 +324,10 @@
     /sbin/fsck -y
     /sbin/mount -uw /
-  Now set the label on the WindowServer binary so that it can transition
-  during login:
+  Now set the label on various binaries so they can transition
+  during system startup:
-    setfmac sebsd/system_u:object_r:login_exec_t \
-      /System/Library/CoreServices/RealWindowServer
+    cd policy; make relabel
-  Missing this step will result in login attempts failing.
+  Missing this step will result in login attempts failing, or 
+  the entire system not working if enforcing mode is enabled.
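
Review bot: "cd policy; make relabel" uses a relative path, but it follows "/sbin/fsck -y" and "/sbin/mount -uw /", where the reader may not be in the source tree; give the full path to the policy directory or tell the reader to change to the top of the tree first. The old text named the exact label and binary (login_exec_t on RealWindowServer); "various binaries" loses that, so point to where the relabel target lists the files and labels it applies. The added line ending in "failing, or " also carries trailing whitespace.
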