Subject: Re: SE Linux vs SE NetBSD !!
To: Travis H. <email@example.com>
From: Elad Efrat <elad@NetBSD.org>
Date: 08/25/2006 10:54:17
Travis H. wrote:
> I'd like to see MAC ported to NetBSD, but in the meantime it appears
> that Elad is diligently working on a more granular securelevel and
> integration with kauth, which accomplishes much of the same thing;
> IIUC basically securelevel is designed to prevent persistent changes
> to the critical files that control initial boot, so that a reboot can
> get you into a trusted state.
Actually, the work is more than just for securelevel -- it's separating
the interface ("can proc X do Y?") from the implementation ("is proc X
root?"). We will be dispatching requests with full context, and allow
modules to plug and "listen" to these requests.
How each module processes the information is internal to it; it can
check the uid, the securelevel, or -- like I said -- dispatch the
request further to a userland daemon that can compare against a policy
or forward the request to a central authorization server.
> For more info, see the threads here: