Solved Mandatory Access Control?

Hi, during the FreeBSD install process, one of the last menus asks for some security settings, e.g.

Code:
Hide processes running as other users
Hide processes running as other groups
Disable reading kernel messages buffer for unprivileged users

and so on.
I am pretty unsure if this is the same as using "MAC" capabilities, as described in the Handbook's Chapter 15.
When I select the above features during install, I find some entries in /etc/sysctl.conf, e.g.

Code:
security.bsd.see_other_uids=0

With MAC, it seems the same goal is achieved by:

Code:
mac_seeotheruids_load="YES"

in /boot/loader.conf

I am a bit confused.
Thank you!
 
As mentioned in the handbook (15.5.1), mac_seeotheruids(4) extends the sysctl toggle you mentioned above. As a good example (also in that handbook paragraph) you can allow certain users to see other UIDs. It's not possible to do this with the given sysctl toggle (which is either on or off).

With MAC you can fine-tune security settings and limits to users. Sysctl variables are system wide settings.
It's not the same thing, though sometimes you may be able to set the same thing using two approaches.
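
The two approaches discussed in this thread, side by side, as an added configuration example that is not part of either post. The security.mac.seeotheruids.* names are the tunables documented in mac_seeotheruids(4); GID 1001 is a constructed placeholder for a hypothetical operators group.

```conf
# --- Variant A: installer hardening option (system-wide, on/off only) ---
# /etc/sysctl.conf
# Every unprivileged user is prevented from seeing processes owned by
# other UIDs. There is no per-user or per-group exception.
security.bsd.see_other_uids=0

# --- Variant B: mac_seeotheruids(4) with a group exemption ---
# /boot/loader.conf
# Load the MAC policy module at boot.
mac_seeotheruids_load="YES"

# /etc/sysctl.conf
# Leave the system-wide toggle at its default of 1 here; if it is 0,
# it still hides other users' processes from the exempt group too.
security.bsd.see_other_uids=1

# Turn the policy on: users cannot see processes and sockets that
# belong to other UIDs.
security.mac.seeotheruids.enabled=1

# Exempt one group from the policy. Members of this group can still
# see other users' processes.
security.mac.seeotheruids.specificgid_enabled=1
security.mac.seeotheruids.specificgid=1001   # placeholder GID (assumption)
```

To check the result, run `ps aux` as a user outside the exempt group and again as a member of it; only the second should list processes owned by other users.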
 