Displaying 9 results from an estimated 9 matches for "biba".

2006 May 09
1
Errors in the FreeBSD handbook (MAC framework)
...usermod nagios -L default" when it should obviously be "pw usermod nagios -L insecure". The same holds for the "www" user. 2- Section 15.14.6. The example script launches the commands "apachectl", and "/usr/local/etc/rc.d/nagios.sh" with the label biba/10, but they should be launched with the label biba/10(10-10). I've defined the "default" login class with a label of "biba/high". I login at the machine as root, and... ----- # getpmac biba/high(low-high) # setpmac biba/low getpmac biba/low(low-high) # setpmac biba/lo...
2004 Jan 02
1
Questions about MAC
FreeBSD 5.1-RELEASE Hi, I'm examining Biba and MLS MAC policies and something is not clear to me. Unless I'm doing something wrong, it seems policies are enforced only for reading, but not writing. 1) Biba I've created a test file with biba/127 label: $ echo "Message" > file_biba_127.txt $ setfmac biba/127 file_biba_...
2006 Oct 10
1
Proposal: MAC_BIBA and real-world usage
Hello, Are there many people actually using the MAC subsystem in the real world? I have been working to set up a shared hosting webserver and I've stumbled against some limitations with the BIBA policy. In short, it's an excellent model, and can be used successfully if applications are aware of its existence, but I find it incompatible with the real-world needs in Unix, and, worse, when none of the applications we are using are prepared to take advantage of it. So it should be...
2003 Sep 03
3
MAC problems
...eck list archives and read a handbook, but I didn't find a solution to my problem and I hope this is not off-topic. I've installed 5.1-RELEASE, enabled ACLs on the filesystems and I wanted to test MAC features. I'm also new to MAC, so perhaps this is some mistake of mine. When I enable mac_biba or mac_lomac (in loader.conf) without any configuration, it seems to block networking: jarek@skorpion jarek> ping 192.168.65.100 PING 192.168.65.100 (192.168.65.100): 56 data bytes ping: sendto: Permission denied ping: sendto: Permission denied ping: sendto: Permission denied ^C --- 192.168.6...
2005 Feb 26
0
mac questions: stopping root from reading /home && mac_biba stops clean shutdown
I just try to understand the concepts and possibilities behind the mac framework. After days of puzzling I found one puzzling behaviour and still have one immediate question (this is on 5-stable) - when I enable mac_biba, set root to biba/equal (or any value, actually), and do a setfmac -R biba/equal / I expect biba to be activated without any change to the system behaviour. This seems to be correct, save for one detail: the system does not shut down cleanly: it syncs, but never gets to power down or reboot and the...
2013 Feb 06
0
FreeBSD 9.1 MAC Multilabel on nullfs
...time to change that! :-) Currently trying to set up a service jail, according to instructions in the handbook[1]. The problem I'm facing is that nullfs does not seem to support multilabeled filesystems, or am I missing something? ls -lZ /usr/js/testjail/var/run/test -rw-r--r-- 1 root wheel biba/equal 0 Feb 6 17:15 /usr/js/testjail/var/run/test Nullfs-mounting it inside the jail: ls -lZ /usr/j/testjail/s/var/run/test -rw-r--r-- 1 root wheel biba/high 0 Feb 6 17:15 /usr/j/testjail/s/var/run/test Currently, it looks like this: /usr/j/mroot on /usr/j/testjail (nullfs, local, nosuid, re...
2006 May 03
1
MAC policies and shared hosting
Hello, I've been looking at the different MAC modules available and how they could help to implement a less insecure than usual shared hosting web server. I've not been able to come up with a suitable configuration, looking at mac_bsdextended, mac_biba and mac_mls, but I think that a MAC module with the following policies could be very useful for such an environment. Have I missed anything? Has something similar been done? The module would (roughly) work as follows: Defining security levels in a similar way to mac_mls or mac_biba, we defin...
2007 May 29
0
LoMAC module: cannot get clearance level revoked
...process tries to write to a file with the higher integrity label. And he succeeds. Please find my test setup including the test program below. I will be grateful for any advice you may have. I am using FreeBSD 6.1. All MAC stuff enabled, the corresponding module loaded, and other models evaluated (Biba, MLS, combo). Thanks, Kirill === TEST PROGRAM === #include <stdlib.h> #include <stdio.h> #include <sys/types.h> #include <sys/mac.h> void printfilelabel(const char * fname) { mac_t filelabel; char *buf; if ( 0 != mac_prepare_file_label( &filelabel ) ) { fpr...
2007 May 29
1
(Security Regression Testsuites) Request for comments
Dear All, I am a student enrolled in Google Summer of Code 2007. My job is to write security regression testsuites for FreeBSD under the guidance of my mentor Dr. Robert Watson. With his encouragement, I write the following request for comments (RFC) :-) What I plan to do: 1) to test the stability of Mandatory Access Control and Audit