similar to: mac_bsdextended log information

Hello, I've been looking at the different MAC modules available and how they cold help to implement a less insecure than usual shared hosting web server. I've not been able to come up with a suitable configuration, looking at mac_bsdextended, mac_biba and mac_mls, but I think that a MAC module with the following policies could be very useful for such an environment. Have I

Hello, Are there many people actually using the MAC subsystem in the real world? I have been working to set up a shared hosting webserver and I've stumbled against some limitations with the BIBA policy. In short, it's an excellent model, and can be used succesfully if applications are aware of its existance, but I find it incompatible with the real-world needs in Unix, and,

Can someone clear something up for me? [[[ # For apache to read user files, the ruleadd must give # it permissions by default. #### ${CMD} add subject uid 80 object not uid 80 mode rxws; ${CMD} add subject gid 80 object not gid 80 mode rxws; ]]] Doesn't the above mean that an apache user (eg, user-supplied CGI process, PHP script, etc) has the ability to read (and write!) anything in the

I would like to know that there is or is not a way to prevent users from executing binaries that are not owned by root or that the user is in a particular group. Is this something I can achieve with TrustedBSD's MAC framework?

Hi, is there any chance (if yes, how to do this?) to use the xf86 driver which "provides access to the memory and I/O ports of a VGA board and to the PCI configuration registers for use by the X servers when running with a kernel security level greater than 0" in FreeBSD*? Then it will be possible to start X environment with a kernel secure level > 0, right? Normally it is impossible

I woke up to a frozen box this morning - it froze up a few more times before I got a handle on it. Basically, the box runs idle but refuses to do disk IO, or does it -very- slowly. Top shows processes stuck in 'ffsvget', 'inode', and 'vlruwk' state. I can get the box responsive again by setting sysctl kern.maxvnods=100000. It starts up with kern.maxnodes=36079. I

I think I've read somewhere about panic during early root mount, fsck etc.. Perhaps this might be related: Full dmesg: http://people.freebsd.org/~ariff/misc/dmesg.boot.amd64 [....] acquiring duplicate lock of same type: "vnode interlock" 1st vnode interlock @ kern/vfs_vnops.c:791 2nd vnode interlock @ kern/vfs_subr.c:2018 KDB: stack backtrace: witness_checkorder() at

On 9/17/18 3:39 PM, Nir Soffer wrote: >> +#define IS_ALIGNED(size, align) ({ \ >> + assert (is_power_of_2 ((align))); \ >> + !((size) & ((align) - 1)); \ >> +}) >> > > But this version will happily accept singed int, and I think this code > behavior with signed int is undefined. Well, sort of. Bit shifts

Hi, my FreeBSD-9/stable machine (FreeBSD freebsd-tower.goebo.site 9.1-PRERELEASE FreeBSD 9.1-PRERELEASE #2 r241044M: Sat Sep 29 12:52:01 CEST 2012 lbo@freebsd-tower.goebo.site:/usr/obj/usr/src/sys/GENERIC i386) crashes reproducibly when rsync-ing files to an NFSv4 share on the FreeBSD machine. The crash makes the system reboot. The crash creates files in /var/crash which may be obtained

On 9/17/18 4:41 PM, Nir Soffer wrote: > The FreeBSD version: > > #define IS_ALIGNED <http://fxr.watson.org/fxr/ident?i=IS_ALIGNED>(n > <http://fxr.watson.org/fxr/ident?i=n>,align) (!((uint32_t)(n > <http://fxr.watson.org/fxr/ident?i=n>) & (align - 1))) > > http://fxr.watson.org/fxr/source/contrib/ncsw/inc/ncsw_ext.h#L182 Which truncates to 32

Hello, I'm trying to investigate and solve some postgres latency spikes that I'm seeing as a result of some behaviour in the syncer. This is with FreeBSD 8.2 (with some local modifications and backports, r231160 in particular). The system has an LSI 9261-8i RAID controller (backed by mfi(4)) and the database and WALs are on separate volumes, a RAID 6 and a RAID 1 respectively. It has

>>Dear Users, >> >>I use KVM with libvirt 9.0.0. The host and guest OS-es are also AGL needlefish images. I am currently trying to virtualize a CAN driver and provide virtual machines access to the physical CAN channels. >> >>I started with the virtual network handling as CAN interface is a network interface, I tried to find analogies, solutions like

On Feb 14, 2015, at 2:43 PM, J Neethling <jneethling at webmail.co.za> wrote: > 67611 blazer_usb CALL write(0x2,0x7fffffffd2a0,0xc) > 67611 blazer_usb GIO fd 2 wrote 12 bytes > " 0.280697 " > 67611 blazer_usb RET write 12/0xc > 67611 blazer_usb CALL write(0x2,0x7fffffffd2a0,0x35) > 67611 blazer_usb GIO fd 2 wrote 53 bytes >

ZFS works really stable on FreeBSD, but I''m biggest problem is how to control ZFS memory usage. I''ve no idea how to leash that beast. FreeBSD has a backpresure mechanism. I can register my function so it will be called when there are memory problems, which I do. I using it for ARC layer. Even with this in place under heavy load the kernel panics, because memory with KM_SLEEP

Working on the Dell R420 today, got most of it working, even the broadcom ethernet cards! However, I get the following when I reboot the system: Syncing disks, vnodes remaining...4 Sleeping thread (tid 100107, pid 9) owns a non-sleepable lock KDB: stack backtrace of thread 100107: sched_switch() at sched_switch+0x19f mi_switch() at mi_switch+0x208 sleepq_switch() at sleepq_switch+0xfc

i need to get inodeno on ZFS and i am not able to find how to find it in kernel at vfs layer. i have vnode pointer and i am doing VTOZ to get znode but printing z_id from znode pointer gives me deadbeef(unitialized) , can somebody point me how to get that? i looked at zfs_getattr code and it does similar thing which i am doing but its able to get me inode no in getattribute structure(node

Two machines (NFS Server: running ZFS / Client: disk-less), both are running FreeBSD r253506. The NFS client starts to deadlock processes within a few hours. It usually gets worse from there on. The processes stay in "D" state. I haven't been able to reproduce it when I want it to happen. I only have to wait a few hours until the deadlocks occur when traffic to the client machine

Hi all, I'm a new user trying to get a Proline UPS I1000 UPS to work with freenas 9.3 over USB. When running upsdrvctl I get a permission denied error. Required debug info: OS name and version, # uname -a FreeBSD freenas.local 9.3-RELEASE-p5 FreeBSD 9.3-RELEASE-p5 #2 r275790+f84e770: Tue Dec 23 23:35:33 PST 2014 root at

Stephen Clark wrote: > Robert Noland wrote: >> On Thu, 2008-11-13 at 07:48 -0500, Stephen Clark wrote: >>> Julian Elischer wrote: >>>> Stephen Clark wrote: >>>>> Julian Elischer wrote: >>>>>> you will need to define the setup and question better. >>>> thanks.. cleaning it up a bit more... >>>> >>>>

Hi all, I am looking at securing a web server using the FreeBSD MAC Framework. To make things clear I will call the hosted users "web users". Those are the issues I am dealing with: ** Network Security ** - Web users shouldn't be able to connect to reserved local ports apart from 25(smtp); 80(http); 443(https) and 3306(MySQL) Solution: run the web server and web users shell in