similar to: Questions about MAC

(crossposted to freebsd-security just in case someone has to slap me) :) Hello, I'm doing some work with the MAC subsystem in FreeBSD, and I have spotted some errors in the MAC documentation in the handbook. 1- Section 15.14.4. Error in the example dropping users "nagios" and "www" into the insecure class. The example uses the command "pw usermod nagios -L

FreeBSD version: 5.1-RELEASE Hi, I'm quite new to FreeBSD. I've check list archives and read a handbook, but I didn't find solution to my problem and I hope this is not off-topic. I've installed 5.1-RELEASE, enabled ACLs on the filesystems and I wanted to test MAC features. I'm also new to MAC, so perhaps this is some my mistake. When I enable mac_biba or mac_lomac (in

A bit of a background: I've been experimenting with LOMAC labels on a 9.1-RELEASE test system. To get the dynamic IP assigned to the machine, I tried following recipe: set the label for /sbin/dhclient to lomac/high[low]. This gets the job done, but there were a few problems: first of all, this label does not seem to persist after a reboot - I have not yet found a reasonable explanation

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I just try to understand the concepts and possiblities behind the mac framework. After days of puzzling I found one puzzling behaviour and still have one immediate question (this is on 5-stable) - - when I enable mac_biba, set root to biba/equal (or any value, actually), and do a setfmac -R biba/equal / I expect biba to be activated without any

Hello, Are there many people actually using the MAC subsystem in the real world? I have been working to set up a shared hosting webserver and I've stumbled against some limitations with the BIBA policy. In short, it's an excellent model, and can be used succesfully if applications are aware of its existance, but I find it incompatible with the real-world needs in Unix, and,

> > >What do you recommend for keeping track of user >activities? For preserving bash histories I followed >these recommendations: > >http://www.defcon1.org/secure-command.html > Interesting reading but, as others have noted, of limited use. Keystroke logging can be disabled by - as others have noted - either spawning another (perhaps different) shell, using a remote

Hello Almighty All, I am trying to get the LoMAC module revoke user's privileges. In my test setup, the user with a higher clearance tries to open a lower clearance file for reading. After that the process label of the user's process is checked. As a final test, the user's process tries to write to a file with the higher integrity label. And he succeeds. Please find my test setup

Hello, I've been looking at the different MAC modules available and how they cold help to implement a less insecure than usual shared hosting web server. I've not been able to come up with a suitable configuration, looking at mac_bsdextended, mac_biba and mac_mls, but I think that a MAC module with the following policies could be very useful for such an environment. Have I

Hi List! Don't see much discussion about MAC here, time to change that! :-) Currently trying to set up a service jail, according to instructions in the handbook[1]. The problem I'm facing is that nullfs does not seem to support multilabeled filesystems, or am i missing something? ls -lZ /usr/js/testjail/var/run/test -rw-r--r-- 1 root wheel biba/equal 0 Feb 6 17:15

Dear All, I am a student enrolled google summer code 2007. My job is to write security regression testsuites for FreeBSD under the guidance of my mentor Dr. Robert Watson. Under his encourage, I write following request for comments RFC :-) ////////////////////////////////////////////////////////////// What I plan to do: 1) to test the stability of Mandatory Access Control and Audit

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-03:08.realpath Security Advisory The FreeBSD Project Topic: Single byte buffer overflow in realpath(3) Category: core Module: libc Announced:

Hi there, I am trying to move from lmtpd (lmtpd.sf.net) to dovecot sieve. One thing used by some of powerusers are archiving mail automatically with autocreated folders based on year + month. Is there any good way to make that with sieve... One example require "fileinto"; if address :is ["From", "To"] "dovecot at dovecot.org" { fileinto

Hi, I just installed a minimal CentOS 7 on an Internet-facing server. Installing BIND gives me this: Running transaction Installing : python-ply-3.4-11.el7.noarch 1/2 Installing : 32:bind-9.11.4-9.P2.el7.x86_64 2/2 /var/tmp/rpm-tmp.M6XABV: line 59: /etc/selinux/mls/rpmbooleans.custom: No such file or directory grep:

https://bugzilla.mindrot.org/show_bug.cgi?id=3641 Bug ID: 3641 Summary: Improved SELinux support for openssh Product: Portable OpenSSH Version: 9.5p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Miscellaneous Assignee: unassigned-bugs at

>I have a series of write statements because >i am writing to a file >where the characters strings are the column names of a dataframe >and the numbers are the elements in a particular row. >So, a file might look like > >AAA 2.1 >BB 3.1 >AHLZ 0.2 > >and it would be named "rowname".mls. > >so, each time i get to a new row, i create a new file and

Hi All, Thanks for the information. But after resetting the semanage User/login, and moving the targeted folder to old one and then install the default target. then also its still showing the Id context as context=*system_u:system_r:unconfined_t:s0-s0:c0.c1023.* *What I observed is after changing the permission using semanage command also, its still showing the system_u:system_r. * *Check the

Hello, I've installed IE in Debian Etch, only because the real estate websites I must access absolutely require IE. I used IEs4Linux to install IE6, and it went flawlessly. IE works fine to surf websites. I must pull a report using ToolkitCMA.com. This site installs alot of IE addons (mainly report templates and an ActiveX control to print pdf's), and the install of these seems to go

Does anyone know of a good resource on doing MLS (Multiple Listing Service) integration with Rails? My searches don''t seem to be turning up much information and I need to get a quick handle on what''s involved in this process. Many thanks!

CentOS Errata and Bugfix Advisory 2011:1779 Upstream details at : https://rhn.redhat.com/errata/RHBA-2011-1779.html The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename ) i386: 412c7398644fe5334de9551ca29b39ea550eb61f2d0da9d52bdf65e5c8d52d90 selinux-policy-3.7.19-126.el6_2.3.noarch.rpm

CentOS Errata and Bugfix Advisory 2011:1837 Upstream details at : https://rhn.redhat.com/errata/RHBA-2011-1837.html The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename ) i386: e237efd71785ffc965605151496a17e9dd252d4a5151bb0cbcf9e8ca8aa4df03 selinux-policy-3.7.19-126.el6_2.4.noarch.rpm