Implementing MAC BIBA for login user

I have followed the documentation with regard to the MAC BIBA policy and I am trying to create a separate Biba range on the regular user and the root user, but nothing seems to be working. No matter what I change in the /etc/login.conf file, the regular and root user always have the Biba range of "biba/high(low-high)."

I am just trying to change the regular user to have a range of biba/low(low-low) and the root user to have a range of biba/high(low-high) for testing purposes. Every time I add the :label=biba/low(low-low) to the default user in the /etc/login.conf file and then build using cap_mkdf /etc/login.conf, nothing happens at all. Any help is appreciated, as no matter where I look nothing seems to fix my problem.
 
Works here (on 13.0-RELEASE):

/boot/loader.conf
Code:
mac_biba_load="YES"

Reboot system.

/etc/login.conf
Code:
biba:\
             :label=biba/low(low-low):\
             :tc=default:

Code:
# cap_mkdb /etc/login.conf

Set login class 'biba' for user 'test'.

Code:
test@fbsd13:~ % getpmac
biba/low(low-low)

Code:
root@fbsd13:~ # getpmac
biba/high(low-high)

Maybe you have a typo in /etc/login.conf.
 
And how do you set the login class 'biba' to the user 'test'?
The other way around, you set the user to the class.

Code:
    -L class      This option sets the login class for the user being
                   created.  See login.conf(5) and passwd(5) for more
                   information on user login classes.
See pw(8): pw usermod myuser -L biba
 
The other way around, you set the user to the class.
Corrected.


Can you paste your whole /etc/login.conf file?
The login.conf I have is the default which comes with 13.0-RELEASE. I added the 'biba' class you see in the Code: box beneath the 'default' class. The line :tc=default: forwards the 'biba' class to the 'default' class.

And how do you set the login class 'biba' to the user 'test'?
Besides what SirDice suggested, which is the most convenient form, alternatively chsh(1) <username> executed as root can be used and the 'Class:' field edited or vipw(8) and the class set in the fifth field (see passwd(5)).

After cap_mkdb(1) has been run and the 'biba' class set for the user, the user, if logged in, needs to log out and log in again for the login class to take effect.

For why it's not working for you I suspect a typo in your login.conf, a missing backslash or double point.
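
A small lint for the kind of typo suspected above (a missing backslash or colon in a class entry), added here as an illustration and not posted by anyone in the thread. The function name lint_login_conf and the two broken samples are made up for the example, and the label check covers only named or plain numeric grades, without compartments.

```python
import re

# Simplified subset of the Biba label syntax: named or plain numeric grades,
# no compartments (an assumption made to keep this example short).
GRADE = r"(?:low|high|equal|\d+)"
LABEL_RE = re.compile(rf"biba/{GRADE}\({GRADE}-{GRADE}\)")

def lint_login_conf(text):
    """Return [(line_number, message)] for lines that look mistyped."""
    problems = []
    prev_no, continued = 0, False   # last content line; did it end with '\'?
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue                # blank lines and comments are ignored
        ends_bs = line.endswith("\\")
        body = (line[:-1] if ends_bs else line).strip()
        if raw[0] in " \t":         # indented: a capability of the open class
            if not continued:
                problems.append((prev_no, "missing trailing backslash"))
            if not (body.startswith(":") and body.endswith(":")):
                problems.append((no, "capability not enclosed in colons"))
            m = re.search(r":label=([^:]*)", body)
            if m and not LABEL_RE.fullmatch(m.group(1)):
                problems.append((no, "bad Biba label " + repr(m.group(1))))
        elif not body.endswith(":"):
            problems.append((no, "class line does not end with a colon"))
        prev_no, continued = no, ends_bs
    return problems

# The class from the thread, then two constructed broken variants.
GOOD = "biba:\\\n\t:label=biba/low(low-low):\\\n\t:tc=default:\n"
NO_BACKSLASH = "biba:\\\n\t:label=biba/low(low-low):\n\t:tc=default:\n"
NO_COLON = "biba:\\\n\t:label=biba/low(low-low)\\\n\t:tc=default:\n"

if __name__ == "__main__":
    for name, conf in [("good", GOOD), ("no backslash", NO_BACKSLASH),
                       ("no colon", NO_COLON)]:
        print(name, lint_login_conf(conf))
```
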
 
Alright, thanks, I got it working now. So if I wanted to change the label for the default, would I just add the label to the default section? I was thinking about just having the root user have a label of biba/high(high-high) and then the biba/myuser have a label of biba/low(low-high).
 