On 2014-02-11 11:28, Borja Marcos wrote: <snip> > A tunable like security.mac.{mls,biba...}.default_label or, maybe, > more appropiately, security.{mac,biba...}.init_lable would allow the > administrator to, for example, limit the usage of the MAC policies to > descendants of certain processes. In our case, with most of the OS > having the usual Unix security requirements, except for the > intrinsicly dangerous stuff such as Apache and PHP/CGIs, init labels > of {mls,biba}/equal would be more than enough, applying the necessary > labels to the untrusted processes. > > What do you think? I am sure this makes the MAC policies much more > useful, and much easier to integrate with the typical Unix software > without unnecessary incompatibilities, and of course not just for our > particular scenario. > > Borja. Hi list, I think that being able to set the MAC process label from rc.conf would be a better and more flexible way of moving forward, so that modifying rc-scripts everywhere would be unnecessary. Thinking about how to handle this in the contexts of jails would also be nice. Currently using jail_poststart_exec to jexec with the correct label is a bit of a pain. Perhaps there is a better way that i am unaware of? br andreas _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"