# Anyone using Mandatory Access Controls for Jails running services



## osx-addict (Mar 26, 2009)

Just reading the docs on MAC stuff and it sounds interesting and like it might work in conjunction with jails that have services going in them such as Apache or Sendmail..

Anyway, I just thought I'd ping you all to see if anyone is using it and in what capacity?  I searched the entire forum space and found only one reference to "mandatory access control" so it does not seem to be horribly popular..

In particular the 16.15 section in the handbook talks about setting up such a jailed service.. Anyone?


----------



## Oko (Mar 27, 2009)

osx-addict said:

> Just reading the docs on MAC stuff and it sounds interesting and like it might work in conjunction with jails that have services going in them such as Apache or Sendmail..
> 
> Anyway, I just thought I'd ping you all to see if anyone is using it and in what capacity?  I searched the entire forum space and found only one reference to "mandatory access control" so it does not seem to be horribly popular..
> 
> In particular the 16.15 section in the handbook talks about setting up such a jailed service.. Anyone?



The issue of the MAC security approach has been discussed in detail on the OpenBSD mailing list. The fact that OpenBSD doesn't have MAC should tell you something. I guess you can also google about issues related to SELinux. That is a kind of MAC control.


----------



## osx-addict (Mar 27, 2009)

I've currently got the following running in jails:

- Sendmail/Dovecot (jail #1)
- Apache Server for domain #1 (w/o PHP)
- Apache Server for domain #2 (w/ PHP)

The following items I do not have running in jails for the following reasons:

- Postgres - had 3 running in jails until they all started fighting and getting IPC errors. A quick googling around indicates that multiple Postgres jails have been in bad shape since FreeBSD >5.x -- I finally succumbed and removed them from being in jails and all problems have subsided -- of course now all databases reside in the same space -- not something I was looking to do. See Here for more info -- search for Postgres.
- Visualworks (VW) environment for the web-based app being served by one of the jailed Apaches above. Apparently VW has issues with the emulated Linux semaphores -- originally I had this in a jail as well -- may still go that route if I can track down this problem.


----------



## woop (Apr 2, 2009)

Hi, I place almost everything into jails. And if it deals with ports under 1024 I use MAC and get root out of the picture altogether. I have been doing this for almost 2 years now.

I find it interesting that OpenBSD does not have them, perhaps I should look into this further.

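The "ports under 1024 without root" approach woop describes is what FreeBSD's mac_portacl(4) policy module provides: a host-wide rule list of which uid or gid may bind which reserved port, with the kernel's classic root-only check switched off. The script below is an added example, not code from anyone in this thread; it assembles and validates that rule list and prints the matching /etc/sysctl.conf fragment. The uids in the usage line (80 for www, 26 for mailnull) are assumptions about the jail's accounts.

```shell
#!/bin/sh
# Added example (not from the thread): build the mac_portacl(4) settings that let
# an unprivileged daemon account inside a jail bind a reserved port (<1024), so
# the service never has to start as root.
# Rule grammar from mac_portacl(4): idtype:id:protocol:port, comma-joined.
# UIDs in the usage line are assumptions: 80 = www, 26 = mailnull.

# Validate one rule given as four words (idtype id proto port) and print it.
portacl_rule() {
  case $1 in uid|gid) ;; *) echo "bad idtype: $1" >&2; return 1 ;; esac
  case $2 in ''|*[!0-9]*) echo "id must be numeric: $2" >&2; return 1 ;; esac
  case $3 in tcp|udp) ;; *) echo "bad protocol: $3" >&2; return 1 ;; esac
  case $4 in ''|*[!0-9]*) echo "port must be numeric: $4" >&2; return 1 ;; esac
  # Only reserved ports need a rule; anything above 1023 is bindable anyway.
  if [ "$4" -lt 1 ] || [ "$4" -gt 1023 ]; then
    echo "port $4 is not a reserved port" >&2; return 1
  fi
  printf '%s:%s:%s:%s' "$1" "$2" "$3" "$4"
}

# Join several "idtype:id:proto:port" specs into the value of
# security.mac.portacl.rules, failing on the first invalid spec.
portacl_rules() {
  rules=
  for spec in "$@"; do
    rule=$(echo "$spec" | { IFS=: read -r t i p n; portacl_rule "$t" "$i" "$p" "$n"; }) || return 1
    rules=${rules:+$rules,}$rule
  done
  printf '%s' "$rules"
}

# Print the /etc/sysctl.conf fragment for the host. The portrange sysctls turn
# off the kernel's root-only reserved-port check so mac_portacl alone decides
# who may bind; suser_exempt keeps root able to bind for daemons not yet moved.
portacl_sysctl_conf() {
  rules=$(portacl_rules "$@") || return 1
  cat <<EOF
# /boot/loader.conf needs: mac_portacl_load="YES"
security.mac.portacl.rules=$rules
security.mac.portacl.port_high=1023
security.mac.portacl.suser_exempt=1
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0
EOF
}

# Usage: www (uid 80) serves HTTP/HTTPS, mailnull (uid 26) takes SMTP.
portacl_sysctl_conf uid:80:tcp:80 uid:80:tcp:443 uid:26:tcp:25
```

The daemons in the jail then run as those accounts from the start, with no setuid wrapper or privilege drop needed; a rule missing from the list shows up as a plain EACCES on bind(), which is the failure you want to see rather than a root process.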

----------



## osx-addict (Apr 4, 2009)

Can you explain what you're doing with MAC specifically for the jails with ports <1024? Thx!


----------

