How to make/build/install ?
Hassan H. Monfared
monfared at avairan.net
Mon Mar 8 11:14:07 GMT 2004
Hi,
Thanks very much for your answer (your comments were great for us).
But I still have some problems (in installing MAC & SEBSD):
1) I get Error code 1 in "make buildworld"; every time it stops in different
files.
2) I used FreeBSD 5.1 Release and 5.2 RC2. Those errors occurred again.
3) Can I have MAC & SEBSD features in one BSD OS kernel?
4) You talked about "FreeBSD 5.1-SEBSD"; where can I find it? Is there
any ISO image?
Thanks for any reply, especially Mr. Robert Watson's comments.
----- Original Message -----
From: "Robert Watson" <rwatson at FreeBSD.org>
To: "Hassan H. Monfared" <monfared at avairan.net>
Cc: <trustedbsd-discuss at trustedbsd.org>
Sent: Tuesday, February 24, 2004 9:05 AM
Subject: Re: How to make/build/install ?
>
> To follow up, the attached is the install documentation for the SEBSD
> CDROM we have previously distributed. It includes a modified FreeBSD
> sysinstall, but following the installation procedure from the first boot
> from hard disk should apply to your environment. I'll look at getting an
> ISO image online sometime soon, which should make it a lot easier to
> install.
>
> Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
> robert at fledge.watson.org Senior Research Scientist, McAfee Research
>
>
>
> Instructions for installing Security-Enhanced BSD
>
> SEBSD ships as a kernel loadable module that loads into a FreeBSD 5.1
> kernel supporting the TrustedBSD MAC framework
> (http://www.trustedbsd.org/). The SEBSD installation CD contains a
> modified FreeBSD 5.1 distribution and a MAC kernel. The installation
> process installs the FreeBSD operating system, including full source
> code and MAC-aware programs.
>
> These instructions assume some familiarity with the FreeBSD operating
> system installation, boot loader, kernel configuration, etc. The
> sysinstall installation application used by SEBSD is nearly identical
> to the one used by the FreeBSD project. A custom release was built to
> install the SEBSD policy source files and to build a kernel with
> TrustedBSD MAC Framework support. For more detailed information on
> the FreeBSD operating system or the installation process, refer to the
> FreeBSD handbook available at the project website:
> http://www.freebsd.org/.
>
> 1. Boot the FreeBSD 5.1-SEBSD installation CD; this CD will install
> the complete operating system, including kernels, user
> applications, and complete source code. A series of menus will
> prompt the user how to proceed.
>
> a. At the main menu, select an installation method;
> typically, the standard installation is adequate. The
> remainder of these instructions assume the standard
> installation option was selected.
>
> b. The next menu displays the disk partition manager. As
> long as the installation machine will be dedicated to
> SEBSD, allow the partition manager to use the entire disk
> by selecting 'A'. Select 'Q' to exit the partition
> manager. The installation program may print a warning
> that this creates a dedicated machine. It will proceed to
> ask which boot manager to install; select 'BootMgr' to
> install the normal FreeBSD boot manager on this hard disk.
>
> c. The next menu will label the disk to create swap space and
> individual file systems. Selecting 'A' will use the
> default values. Select 'Q' to proceed to the next menu.
>
> d. The next menu selects the distributions to install. The
> 'Developer' option is recommended. X Window support is
> not included on this installation CD, and may be installed
> later. Likewise, the optional ports collection is not
> included on the SEBSD installation CD.
>
> e. On the next screen, select CD/DVD from the installation
> media menu.
>
> f. Confirm installation. WARNING: With the configuration
> recommended in these instructions, all existing data on
> the hard disk will be destroyed!
>
> g. SEBSD will be installed on the machine. Once complete,
> the installation program will ask a series of questions to
> help configure the new system. Answer these questions as
> appropriate.
>
> 2. Reboot the system when prompted. By default, the system will boot
> the MAC kernel and load the SEBSD security module (with the
> default policy). The file systems have not yet been labeled, so
> many warnings will be printed to the system console. If it is
> necessary to boot the generic FreeBSD kernel (without the MAC
> framework), comment out the following lines in /boot/loader.conf:
>     kernel="MAC"
>     sebsd_load="YES"
> Alternatively, the kernel and modules to load may be selected from
> the FreeBSD boot loader. Refer to the FreeBSD handbook for more
> information on the boot loader.
>
> 4. Inspect the SEBSD policy. The system comes pre-installed with a
> sample policy, but local changes might be required. The policy
> source is located in /etc/security/sebsd/policy and the compiled
> (binary) version is installed in /etc/security/sebsd/policy.16 by
> default. Only the binary version is loaded by the SEBSD module at
> boot time. An alternate location for the binary policy file may be
> specified at the boot loader or in /boot/loader.conf.
>
> Since SEBSD uses the same policy language as SELinux, the SELinux
> report titled, "Configuring the SELinux Policy", (available at the
> SELinux project web site: http://www.nsa.gov/selinux/) can provide
> additional information. If you make changes to the policy source,
> you must re-install the modified binary policy:
>
>     cd /etc/security/sebsd/policy && make install
>
> If changes were made to the policy, the modified version must be
> loaded into the kernel. The /sbin/sebsd_loadpolicy program can be
> used instead of a reboot:
>
>     /sbin/sebsd_loadpolicy /etc/security/sebsd/policy.16
>
> 5. Label the file system. By default, extended attribute support was
> enabled during the install, but the individual files were not
> labeled. To label all file systems, login as root and run the
> following command:
>
>     cd /etc/security/sebsd/policy && make relabel
>
> 6. Reboot the machine, so that applications can use the file labels
> and will be started in the correct domains.
>
> At this point, the machine will be running SEBSD with the sample
> policy. The sample policy is only an example and must be customized.
> Furthermore, the sample policy is not complete, so the system will
> print some access control warnings. By default, the system is
> configured in the development mode; in this mode, access control
> failures are logged but not enforced. To toggle between enforcing
> mode and development mode, use the security.mac.sebsd.enforcing sysctl
> as follows:
>     To enable:  sysctl security.mac.sebsd.enforcing=1
>     To disable: sysctl security.mac.sebsd.enforcing=0
>
> Note that with the sample policy, only root running in the sysadm_r
> role is permitted to toggle the enforcement state.
>
> If you would like the machine to default to enforcing mode at boot
> time, you may specify a default value for this sysctl in
> /etc/sysctl.conf. Uncomment the following line at the end of the file:
>     security.mac.sebsd.enforcing=1
>
>
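
The boot-time settings described in the quoted instructions (the two /boot/loader.conf lines and the /etc/sysctl.conf enforcing line) can be audited with a short script. This is an added example, not part of the original message or the SEBSD distribution; the function names and the posture labels (generic, partial, development, enforcing) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: report the SEBSD posture a machine will boot into, based on
# the settings named in the instructions above. Commented-out lines are
# ignored, because the instructions toggle features by (un)commenting them.

# conf_value FILE KEY: print the last uncommented value of KEY in FILE with
# surrounding quotes stripped; print nothing if KEY is absent or commented out.
conf_value() {
    [ -r "$1" ] || return 0
    sed -e 's/#.*$//' "$1" | awk -F= -v key="$2" '
        index($0, "=") == 0 { next }
        {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)
            val = v
        }
        END { if (val != "") print val }'
}

# sebsd_boot_posture LOADER_CONF SYSCTL_CONF prints one of:
#   generic      neither kernel="MAC" nor sebsd_load="YES" is active
#   partial      only one of the two loader lines is active (label is an assumption)
#   development  SEBSD loads; access control failures are logged, not enforced
#   enforcing    SEBSD loads and security.mac.sebsd.enforcing=1 is set at boot
sebsd_boot_posture() {
    kernel=$(conf_value "$1" kernel)
    load=$(conf_value "$1" sebsd_load)
    enforcing=$(conf_value "$2" security.mac.sebsd.enforcing)
    active=0
    if [ "$kernel" = "MAC" ]; then active=$((active + 1)); fi
    case "$load" in [Yy][Ee][Ss]) active=$((active + 1)) ;; esac
    case "$active" in
        0) echo generic ;;
        1) echo partial ;;
        *) if [ "$enforcing" = "1" ]; then echo enforcing
           else echo development; fi ;;
    esac
}

# Constructed sample files: loader lines active, enforcing line still commented.
demo=$(mktemp -d)
printf '%s\n' 'kernel="MAC"' 'sebsd_load="YES"' > "$demo/loader.conf"
printf '%s\n' '#security.mac.sebsd.enforcing=1' > "$demo/sysctl.conf"
sebsd_boot_posture "$demo/loader.conf" "$demo/sysctl.conf"
rm -rf "$demo"
```

On an installed system the same function can be pointed at /boot/loader.conf and /etc/sysctl.conf; it reads configuration only and does not query the running kernel's sysctl value.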