CAP and MAC usage docs

Robert Watson rwatson at FreeBSD.org
Sat Jan 12 02:30:51 GMT 2002


On Fri, 11 Jan 2002, Ilmar S. Habibulin wrote:

> I'm using trustedbsd_mac branch on my PC. The latest kernel (2-3 days old)
> prevents me from making network connections and write files. So I have to
> switch off enforce_fs, enforce_socket and enforce_network. (Maybe I should
> do `sysctl kern.security.mac.te.enabled=0` instead? ;-)

Yes, probably a good idea.

> I'm reading "A Domain and Type Enforcement UNIX Prototype" paper from
> USENIX security symposium 1995. I figured out that there should be some
> way to configure TE model at boot time, but there is no one right now
> except something hardcoded in kernel.  I think TE is not so easy to
> implement mode, so maybe leave it default off?

There will eventually be a way to specify this policy (probably soon), but
it should be disabled by default given the degree of not-working-ness to
it.  I'll commit that shortly.

You may also want to look at the selinux papers off of
www.nsa.gov/selinux, as the TE implementation we're currently working on
looks a lot more like that than DTE (since we'll use explicit labeling
rather than path-implicit labeling).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org      NAI Labs, Safeport Network Services
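As an added illustration (not part of the message above or of the TrustedBSD code) of the difference between explicit and path-implicit labeling that the reply mentions: a toy TE access check where a domain's permitted accesses depend on the object's type, with the type derived either from the object's path prefix or from a label attached to the object itself. The policy, the domains/types and the path rules are all constructed for this example.

```python
from dataclasses import dataclass

# Constructed toy TE policy: domain -> object type -> permitted accesses.
POLICY = {
    "user_d":  {"user_t": {"read", "write"}, "etc_t": {"read"}},
    "admin_d": {"user_t": {"read", "write"}, "etc_t": {"read", "write"}},
}

# Hypothetical path-implicit typing rules: the longest matching path
# prefix decides the type of an object (no label stored on the object).
PATH_RULES = [("/etc", "etc_t"), ("/home", "user_t")]


def path_implicit_type(path):
    """Return the type implied by PATH_RULES, or None if no prefix matches."""
    prefixes = [p for p, _ in PATH_RULES if path.startswith(p)]
    best = max(prefixes, key=len, default=None)
    return dict(PATH_RULES)[best] if best else None


@dataclass(frozen=True)
class File:
    path: str
    label: str  # explicit label carried by the object itself


def allowed(domain, obj_type, access):
    """TE check: is `access` on an object of `obj_type` permitted to `domain`?"""
    return access in POLICY.get(domain, {}).get(obj_type, set())


def check_path_implicit(domain, path, access):
    return allowed(domain, path_implicit_type(path), access)


def check_explicit(domain, f, access):
    return allowed(domain, f.label, access)


def rename(f, new_path):
    # Moving the object changes its path; the explicit label travels with it.
    return File(new_path, f.label)


def demo():
    """Compare both schemes before and after an object is moved."""
    passwd = File("/etc/passwd", "etc_t")
    moved = rename(passwd, "/home/ilmar/passwd")
    return {
        "before_implicit": check_path_implicit("user_d", passwd.path, "write"),
        "before_explicit": check_explicit("user_d", passwd, "write"),
        "after_implicit": check_path_implicit("user_d", moved.path, "write"),
        "after_explicit": check_explicit("user_d", moved, "write"),
    }
```

Under path-implicit typing the moved object silently acquires `user_t` and becomes writable by `user_d`; with an explicit label it keeps `etc_t` and the original decision stands.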


