Hello,

I'm trying to set up a DNS server under FreeBSD using the mac_biba policy. I usually run bind in low-integrity mode, so that neither it nor any of its descendants can modify configuration files, etc.

With previous FreeBSD versions there was a handy sysctl setting, "security.mac.enforce_socket", that allowed bypassing the MAC restrictions for a socket. I think it's not a bad idea. After all, machines can communicate with untrusted nodes over a network. In my opinion, enforcing the mac_biba restrictions so that a network communication with a local process behaves _differently_ than a network communication with a different node is a bad idea.

Any reason why this setting has been eliminated? I think that the best solution is to keep it and let the administrator decide.


Best regards,

Borja.

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security