Anyone using Mandatory Access Controls for Jails running services

Just reading the docs on MAC stuff and it sounds interesting and like it might work in conjunction with jails that have services going in them such as Apache or Sendmail.

Anyway, I just thought I'd ping you all to see if anyone is using it and in what capacity? I searched the entire forum space and found only one reference to "mandatory access control", so it does not seem to be horribly popular.

In particular, the 16.15 section in the handbook talks about setting up such a jailed service. Anyone?
 
osx-addict said:
Just reading the docs on MAC stuff and it sounds interesting and like it might work in conjunction with jails that have services going in them such as Apache or Sendmail.

Anyway, I just thought I'd ping you all to see if anyone is using it and in what capacity? I searched the entire forum space and found only one reference to "mandatory access control", so it does not seem to be horribly popular.

In particular, the 16.15 section in the handbook talks about setting up such a jailed service. Anyone?

The issue of the MAC security approach has been discussed in detail on the OpenBSD mailing list. The fact that OpenBSD doesn't have MAC should tell you something. I guess you can also google about issues related to SELinux. That is a kind of MAC control.
 
I've currently got the following running in jails:

  • Sendmail/Dovecot (jail #1)
  • Apache Server for domain #1 (w/o PHP)
  • Apache Server for domain #2 (w/ PHP)

The following items I do not have running in jails, for the following reasons:

  • Postgres - had 3 running in jails until they all started fighting and getting IPC errors -- a quick googling around indicates that multiple Postgres jails have been in bad shape since FreeBSD >5.x -- I finally succumbed and removed them from being in jails, and all problems have subsided -- of course, now all databases reside in the same space -- not something I was looking to do. See here for more info -- search for Postgres.
  • Visualworks (VW) environment for a web-based app being served by one of the jailed Apache servers above. Apparently VW has issues with the emulated Linux semaphores -- originally I had this in a jail as well -- may still go that route if I can track down this problem.
 
Hi, I place almost everything into jails. And if it deals with ports under 1024 I use MAC and get root out of the picture altogether. I have been doing this for almost 2 years now.

I find it interesting that OpenBSD does not have them, perhaps I should look into this further.
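As an added example (not from anyone in this thread), this is the mac_portacl(4) configuration that lets the jailed Apache and Dovecot services above bind their privileged ports while running as their unprivileged users. The uids are assumptions: FreeBSD's stock www user is uid 80, and 143 is assumed for the dovecot user created in jail #1; check each jail's /etc/passwd.

```conf
# /boot/loader.conf -- load the module before /etc/sysctl.conf is applied
mac_portacl_load="YES"

# /etc/sysctl.conf on the host. The portacl rule list is global and is
# matched on numeric uid, so the ids below must be the ones used inside
# each jail, not names.

# Turn off the traditional "root only" check for ports 0-1023 so that the
# portacl rules become the only thing deciding who may bind them.
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0

# Cover the whole reserved range; root stays exempt so any service that is
# still started as root keeps working while the others are migrated.
security.mac.portacl.port_high=1023
security.mac.portacl.suser_exempt=1
security.mac.portacl.enabled=1

# Single comma-separated list, entries of the form <uid|gid>:<id>:<tcp|udp>:<port>
#   uid 80  = www      -> Apache jails for domain #1 and domain #2
#   uid 143 = dovecot  -> IMAP and IMAPS in jail #1 (assumed uid)
security.mac.portacl.rules=uid:80:tcp:80,uid:80:tcp:443,uid:143:tcp:143,uid:143:tcp:993
```

The daemons must then actually be started as those users (for example httpd launched directly as www, with its pid and log paths writable by www); `sysctl security.mac.portacl.rules` on the host shows the list that is in force.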
 
It's great to hear that you're interested in exploring MAC (Mandatory Access Control) for your jailed services on your system. While MAC is not as popular as other access control mechanisms such as discretionary access control (DAC), it can provide an additional layer of security to your system. MAC works by assigning security labels to files, processes, and users, which are then used to enforce a set of predefined security policies. This can be particularly useful in environments where multiple users or applications are running on the same system. Regarding your question about whether anyone is using MAC and in what capacity, it would be difficult to say without knowing more about the specific use case and environment. However, MAC is commonly used in high-security environments such as government agencies and financial institutions, where strict access control policies are necessary to protect sensitive data. In terms of setting up a jailed service with MAC, the FreeBSD Handbook is a great resource that provides step-by-step instructions on how to configure and enable MAC for your system. It's important to note that configuring MAC requires careful planning and testing, as it can impact system performance and compatibility with certain applications. Overall, while MAC may not be as widely used as other access control mechanisms, it can provide a powerful tool for enhancing the security of your system. If you're interested in exploring MAC further, I would recommend consulting the FreeBSD Handbook and seeking advice from experienced system administrators.
Hi, AI.
 
My only experience of MAC is with SELinux. In that context...

MAC is often retrofitted to existing applications, by observing what an application does, and explicitly permitting those actions, and, when in enforcement mode, denying, anything else.

The problem comes when an application takes an unusual code path, when it does something unexpected. This could bring your whole house of cards tumbling down.

For good reliability, MAC needs to be configured from a code audit -- which is likely to require significant effort to implement and to maintain. My humble view is that you want to acquire applications certified for MAC by a vendor. But that's not always possible.

There are many fertile grounds to improve security, some of them likely to give a better return on investment than MAC -- but identifying the rational options would require a wholesome risk management review -- and for some managers it's easier to just demand a MAC retrofit, tick the box, update the resumé, and let the sysadmins deal with the cr@p.
 