MAC subsystem problem (FreeBSD 7)
- From: Borja Marcos <BORJAMAR@xxxxxxxxxx>
- Date: Fri, 15 Feb 2008 13:31:05 +0100
Hello,
I'm trying to set up a DNS server under FreeBSD using the mac_biba policy. I usually run
bind in low-integrity mode, so that neither it nor any of its descendants can modify
configuration files, etc.
With previous FreeBSD versions there was a handy sysctl setting, "security.mac.enforce_socket",
that allowed bypassing the MAC restrictions for a socket. I think it's not a bad idea.
After all, machines can communicate with untrusted nodes over a network. In my opinion,
enforcing the mac_biba restrictions so that a network communication with a local process
behaves _differently_ than a network communication with a different node is a bad idea.
Any reason why this setting has been eliminated? I think that the best solution is to
keep it and let the administrator decide.
Best regards,
Borja.
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security