MAC subsystem problem (FreeBSD 7)

Board: FB_security, posted 2008/02/15 20:50
Hello,

I'm trying to set up a DNS server under FreeBSD using the mac_biba policy. I use to run bind in low-integrity mode, so that neither it nor any of its descendants can modify configuration files, etc.

With previous FreeBSD versions there was a handy sysctl setting, "security.mac.enforce_socket", that allowed bypassing the MAC restrictions for a socket. I think it's not a bad idea. After all, machines can communicate with untrusted nodes over a network.

In my opinion, enforcing the mac_biba restrictions so that a network communication with a local process behaves _differently_ than a network communication with a different node is a bad idea.

Any reason why this setting has been eliminated? I think that the best solution is to keep it and let the administrator decide.

Best regards,

Borja.
Article code (AID): #17jOgm00 (FB_security)