CAP and MAC usage docs
Robert Watson
rwatson at FreeBSD.org
Sat Jan 12 02:30:51 GMT 2002
On Fri, 11 Jan 2002, Ilmar S. Habibulin wrote:
> I'm using trustedbsd_mac branch on my PC. The latest kernel (2-3 days old)
> prevents me from making network connections and writing files. So I have to
> switch off enforce_fs, enforce_socket and enforce_network. (Maybe I should
> do `sysctl kern.security.mac.te.enabled=0` instead? ;-)
Yes, probably a good idea.
> I'm reading "A Domain and Type Enforcement UNIX Prototype" paper from
> USENIX Security Symposium 1995. I figured out that there should be some
> way to configure TE model at boot time, but there is no one right now
> except something hardcoded in kernel. I think TE is not so easy to
> implement mode, so maybe leave it default off?
There will eventually be a way to specify this policy (probably soon), but
it should be disabled by default given the degree of not-working-ness to
it. I'll commit that shortly.
You may also want to look at the selinux papers off of
www.nsa.gov/selinux, as the TE implementation we're currently working on
looks a lot more like that than DTE (since we'll use explicit labeling
rather than path-implicit labeling).
Robert N M Watson FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org NAI Labs, Safeport Network Services