DaemonForums  

#1   14th February 2010
sniper007 (Real Name: Jurif)
The MAC portacl Module

Hi!

I'd like to set security.mac.portacl.rules, but my kernel doesn't include it:

--$ sysctl security.mac.portacl.rules
sysctl: unknown oid 'security.mac.portacl.rules'


What options do I need to add to the kernel config file before I recompile the kernel
to add support for this MAC portacl?


NOTE: I tried recompiling the kernel with

Code:
options         MAC
options         MAC_PORTACL
but I figured out that the kernel with these new options is very unstable; when I tried to set security.mac.portacl.rules the system immediately crashed...

Can someone advise me which options I need to add to the kernel to properly support MAC portacl?

Thanks,

Jurif

__________________
If anything can go wrong, it will. If it can't, it will anyway
#2   15th February 2010
Carpetsmoker (Real Name: Martin)

Code:
[/boot/kernel]% ls mac_*
mac_biba.ko*         mac_ifoff.ko*        mac_mls.ko*          mac_partition.ko*
mac_seeotheruids.ko* mac_test.ko*         mac_bsdextended.ko*  mac_lomac.ko*
mac_none.ko*         mac_portacl.ko*      mac_stub.ko*
This means you can load the module dynamically with kldload(8) and loader.conf(5). There is no need to compile a new kernel.

If you really want to add it to the kernel statically, then mac_portacl(4) has the instructions for that ...

You give us very little information regarding the "unstable behavior". Which version of FreeBSD are you using? Do you see any error messages? What command are you using exactly?

I would not recommend using this "feature" ... You can use the pf firewall and/or tcpwrappers to achieve largely the same effect ...
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
#3   15th February 2010
sniper007 (Real Name: Jurif)

Thanks Carpetsmoker for the quick response.

I have exactly the same problem:
http://lists.freebsd.org/pipermail/f...ry/009569.html

mpd5 and named running on the same machine (gateway).

So if I try to load the mac_portacl module, I can't?

Quote:
root@gw ~ [01:25:38]# kldload mac_portacl.ko
kldload: can't load mac_portacl.ko: No such file or directory
root@gw ~ [01:30:18]#

Quote:
root@gw ~ [01:31:15]# ls /boot/kernel/mac_portacl*
-r-xr-xr-x 1 root wheel 15022 Feb 13 02:41 /boot/kernel/mac_portacl.ko
-r-xr-xr-x 1 root wheel 65696 Feb 13 02:41 /boot/kernel/mac_portacl.ko.symbols
root@gw ~ [01:31:21]#


running:

Quote:
root@gw ~ [01:31:21]# uname -a
FreeBSD gw 7.2-RELEASE-p6 FreeBSD 7.2-RELEASE-p6 #4: Sat Feb 13 01:59:30 CET 2010 root@:/usr/obj/usr/src/sys/KERNELFBSD7 i386
root@gw ~ [01:33:12]#
#4   15th February 2010
sniper007 (Real Name: Jurif)

Also, this line appeared in /var/log/messages:

Quote:
Feb 15 01:25:38 gw kernel: KLD mac_portacl.ko: depends on kernel_mac_support - not available
#5   15th February 2010
Carpetsmoker (Real Name: Martin)

That is fairly self-explanatory I would say: You need the general mac framework in order to use mac_portacl.

Study the appropriate mac manpages and/or NOTES kernel configuration file to learn how you can add mac support to your kernel.
#6   15th February 2010
sniper007 (Real Name: Jurif)

So I recompiled the kernel again with options MAC and now it works, but here is a new problem.

When I reboot the system the MAC portacl value is set correctly:

Quote:
--$ sysctl security.mac.portacl
security.mac.portacl.rules: uid:53:tcp:53,uid:53:udp:53
security.mac.portacl.port_high: 1023
security.mac.portacl.autoport_exempt: 1
security.mac.portacl.suser_exempt: 1
security.mac.portacl.enabled: 1
named is running but does not answer dig queries anymore. If I restart named then it works.

I figured out the problem: named starts before mpd when booting the system.

dmesg:

Quote:
.
Starting named.
Feb 15 16:15:50 gw named[1027]: the working directory is not writable
Recovering vi editor sessions:
.
Starting apcupsd.
Starting mpd5.
What's the best way to change the boot order so mpd starts before named?
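As an added example (not code from the thread, and not part of FreeBSD), the POSIX sh script below checks a security.mac.portacl.rules string against the idtype:id:protocol:port grammar documented in mac_portacl(4) before it is applied, and prints the loader.conf(5) and sysctl.conf(5) lines that load the module and set the rules at boot, the dynamic route Carpetsmoker pointed at in #2 instead of a rebuilt kernel. The function names and the rule list are assumptions chosen for illustration; the rule list is the one shown in #6 (bind runs as uid 53). The script only does string checks and prints config lines, so it runs on any sh without touching the kernel. On the 7.2 kernel in this thread the module still depends on kernel_mac_support, so options MAC has to be in the kernel either way, as the log line in #4 shows.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD: validate a
# security.mac.portacl.rules string offline and emit the boot-time config.
# Rule grammar (mac_portacl(4)): idtype:id:protocol:port[,idtype:id:protocol:port...]
#   idtype    uid | gid
#   id        numeric uid or gid (e.g. 53 for bind)
#   protocol  tcp | udp
#   port      0-65535
# Ports above security.mac.portacl.port_high (default 1023) need no rule;
# the check still accepts them because the kernel does.

# portacl_check_rule RULE: returns 0 if RULE is well-formed, 1 otherwise.
portacl_check_rule() {
    rule=$1
    # Exactly four colon-separated fields.
    case "$rule" in
        *:*:*:*:*) return 1 ;;
        *:*:*:*) ;;
        *) return 1 ;;
    esac
    idtype=${rule%%:*}; rest=${rule#*:}
    id=${rest%%:*};     rest=${rest#*:}
    proto=${rest%%:*};  port=${rest#*:}
    case "$idtype" in uid|gid) ;; *) return 1 ;; esac
    case "$proto"  in tcp|udp) ;; *) return 1 ;; esac
    # id and port must be non-empty and all digits.
    case "$id"   in ''|*[!0-9]*) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -le 65535 ] || return 1
    return 0
}

# portacl_check_rules LIST: returns 0 if every comma-separated rule is
# well-formed; an empty list or an empty field ("a,,b") fails.
portacl_check_rules() {
    [ -n "$1" ] || return 1
    saved_ifs=$IFS
    IFS=,
    set -- $1            # split on commas into positional parameters
    IFS=$saved_ifs
    for r in "$@"; do
        portacl_check_rule "$r" || return 1
    done
    return 0
}

# portacl_config LIST: print the lines for /boot/loader.conf and
# /etc/sysctl.conf, or fail without printing anything if LIST is malformed.
portacl_config() {
    portacl_check_rules "$1" || { echo "malformed rule list: $1" >&2; return 1; }
    printf 'mac_portacl_load="YES"\n'                # /boot/loader.conf
    printf 'security.mac.portacl.rules=%s\n' "$1"    # /etc/sysctl.conf
}

# Stand-alone use: the rule list from post #6 (bind is uid 53).
portacl_config "uid:53:tcp:53,uid:53:udp:53"
```

Because sysctl.conf is applied before the rc.d network services start, the rules are already in place when named binds port 53; the sysctl.conf line therefore replaces a hand-run sysctl after boot, but it does nothing about the service ordering problem described in #6.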
#7   17th February 2010
sniper007 (Real Name: Jurif)

Solved this problem (probably not "the best solution", but it works!)


Add a command to /etc/rc.local that restarts named.