On Fri, 15 Feb 2008, Borja Marcos wrote:
> I'm trying to set up a DNS server under FreeBSD using the mac_biba policy. I
> use to run bind in low-integrity mode, so that neither it nor any of its
> descendants can modify configuration files, etc.
>
> With previous FreeBSD versions there was a handy sysctl setting,
> "security.mac.enforce_socket" that allowed to bypass the MAC restrictions
> for a socket. I think it's not a bad idea. After all machines can
> communicate with untrusted nodes over a network. In my opinion, enforcing
> the mac_biba restrictions so that a network communication with a local
> process behaves _differently_ than a network communication with a different
> node is a bad idea.
>
> Any reason why this setting has been eliminated? I think that the best
> solution is to keep it and let the administrator decide.

Borja,

The interface was removed on the basis that it was a debugging setting, and in
some cases can lead to the incorrect behavior of policies (for example, lomac,
although not biba). The interface should actually be implemented within the
policy so that policies still receive the entry points, but decide to ignore
them for policy reasons, rather than preventing the entry points from being
made to the policy. However, we can add them to individual policies,
especially if they are useful. Could I ask you to file a PR for this issue,
and forward me the PR receipt? I probably won't get to this for a week or
two, but would be happy to investigate making the change to reintroduce object
class controls of the same sort in biba (and the other policies).

Just to be clear: the problem you're running into is that loopback network
connections are controlled by biba, preventing certain loopback operations?

Robert N M Watson
Computer Laboratory
University of Cambridge