Travis H. wrote:

> I'd like to see MAC ported to NetBSD, but in the meantime it appears
> that Elad is diligently working on a more granular securelevel and
> integration with kauth, which accomplishes much of the same thing;
> IIUC basically securelevel is designed to prevent persistent changes
> to the critical files that control initial boot, so that a reboot can
> get you into a trusted state.

Actually, the work is more than just for securelevel -- it's separating
the interface ("can proc X do Y?") from the implementation ("is proc X
root?"). We will be dispatching requests with full context, and allow
modules to plug and "listen" to these requests.

How each module processes the information is internal to it; it can
check the uid, the securelevel, or -- like I said -- dispatch the
request further to a userland daemon that can compare against a policy
or forward the request to a central authorization server.

> For more info, see the threads here:
> http://archives.neohapsis.com/archives/netbsd/2006-q1/thread.html

-e.

-- 
Elad Efrat