search for: mac_biba

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I just try to understand the concepts and possiblities behind the mac framework. After days of puzzling I found one puzzling behaviour and still have one immediate question (this is on 5-stable) - - when I enable mac_biba, set root to biba/equal (or any value, actually), and do a setfmac -R biba/equal / I expect biba to be activated without any change to the system behaviour. This seems to be correct, safe for one detail: the system does not shutdown cleanly: it syncs, but never gets to power down or reboot and the...

...iba/low(low-low) credentials. 3) Defacements should be prevented. At least processes spawned from Apache should not be able to modify any files in the system, except at designated directories in case PHP scripts or CGI programs need to write something to the disk. This is naturally done with MAC_BIBA. We launch Apache with biba/low(low-low) credentials. 4) FTP access for site mainteinance. We assign each user an account, which will be used to update their files. The ftp accounts have a low integrity credential assigned, but anyway higher than biba/low so that files uploaded by users ar...

...e check list archives and read a handbook, but I didn't find solution to my problem and I hope this is not off-topic. I've installed 5.1-RELEASE, enabled ACLs on the filesystems and I wanted to test MAC features. I'm also new to MAC, so perhaps this is some my mistake. When I enable mac_biba or mac_lomac (in loader.conf) without any configuration, it seems to block networking: jarek@skorpion jarek> ping 192.168.65.100 PING 192.168.65.100 (192.168.65.100): 56 data bytes ping: sendto: Permission denied ping: sendto: Permission denied ping: sendto: Permission denied ^C --- 192.168.6...

Hello, I've been looking at the different MAC modules available and how they cold help to implement a less insecure than usual shared hosting web server. I've not been able to come up with a suitable configuration, looking at mac_bsdextended, mac_biba and mac_mls, but I think that a MAC module with the following policies could be very useful for such an environment. Have I missed anything? Has something similar been done? The module would (roughly) work as follows: Defining security levels in a similar way to mac_mls or mac_biba, we defin...

...uot; >> file_biba_127.txt $ setpmac biba/low echo "low" >> file_biba_127.txt $ setpmac biba/low more file_biba_127.txt Message High 128 127 126 low All writes succeeded - event writing by process with biba/126 and biba/low to file with biba/127. Is it correct ? According to mac_biba(4): "A subject at a lower integrity level than an object may read the object, but not write to the object" 2) MLS As for Biba, I've created file with mls/127: $ echo "Message" > file_mls_127.txt $ setfmac mls/127 file_mls_127.txt $ getfmac file_mls_127.txt file_mls_...

...RANDOM_IP_ID options ACCEPT_FILTER_DATA #options ACCEPT_FILTER_HTTP options TCP_DROP_SYNFIN options DUMMYNET #options BRIDGE options QUOTA options _KPOSIX_PRIORITY_SCHEDULING options P1003_1B_SEMAPHORES #options MAC #options MAC_BIBA #options MAC_BSDEXTENDED #options MAC_DEBUG #options MAC_IFOFF #options MAC_LOMAC #options MAC_MLS #options MAC_NONE #options MAC_PARTITION #options MAC_SEEOTHERUIDS #options MAC_TEST options KBD_INSTALL_CDEV # install a CDEV entry in...