<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<title>phpMyAdmin</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<body bgcolor="#F5F5F5">
<!-- Results table -->
<table id="table_results" border="0" cellpadding="2" cellspacing="1">
<!-- Results table headers -->
<tr>
<th >
Number</a>
</th>
<th >
Name</a>
</th>
<th >
Description</a>
</th>
<th >
Implementation</a>
</th>
<th >
Status</a>
</th>
<th >
Upstream</a>
</th>
<th >
Percent</a>
</th>
<th >
Owner</a>
</th>
<th >
Organization</a>
</th>
</tr>
<!-- Results table body -->
<tr onmouseover="setPointer(this, 0, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 0, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 0, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete0');" bgcolor="#D5D5D5" class="nowrap">1</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete0');" bgcolor="#D5D5D5">Audit record augmentation</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete0');" bgcolor="#D5D5D5">Augment audit records with additional LSPP & RBACPP attributes: subj and obj labels; roles, host identity, event type, and access types where available.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete0');" bgcolor="#D5D5D5">Add additional SELinux fields to audit records.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete0');" bgcolor="#D5D5D5">Patch upstream; needs test.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete0');" bgcolor="#D5D5D5">Red Hat, lkml</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete0');" bgcolor="#D5D5D5" class="nowrap">99</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete0');" bgcolor="#D5D5D5">Kirkland, Dustin</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete0');" bgcolor="#D5D5D5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 1, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 1, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 1, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete1');" bgcolor="#E5E5E5" class="nowrap">2</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete1');" bgcolor="#E5E5E5">Audit of additional events</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete1');" bgcolor="#E5E5E5">Add additional instrumentation to kernel and userspace, particularly for user data import/export; catchall for issues not covered elsewhere. May include new audit record types for: sub, obj, anomalies, responses.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete1');" bgcolor="#E5E5E5">Additional events have been added where necessary.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete1');" bgcolor="#E5E5E5">Need to identify remaining gaps.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete1');" bgcolor="#E5E5E5">Red Hat, lkml</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete1');" bgcolor="#E5E5E5" class="nowrap">90</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete1');" bgcolor="#E5E5E5">Grubb, Steve</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete1');" bgcolor="#E5E5E5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 2, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 2, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 2, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete2');" bgcolor="#D5D5D5" class="nowrap">3</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete2');" bgcolor="#D5D5D5">Audit of network events</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete2');" bgcolor="#D5D5D5">Add hooks to IPsec implicit packet labeling. Needs to include audit by network address.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete2');" bgcolor="#D5D5D5">Should mostly be covered by existing AVC audit records. May need to document that network configuration changes require reboot (per @sec). DHCP should be disallowed.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete2');" bgcolor="#D5D5D5">Agreed that this is covered at SELinux Summit.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete2');" bgcolor="#D5D5D5">netdev, lkml</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete2');" bgcolor="#D5D5D5" class="nowrap">100</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete2');" bgcolor="#D5D5D5">Kirkland, Dustin</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete2');" bgcolor="#D5D5D5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 3, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 3, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 3, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete3');" bgcolor="#E5E5E5" class="nowrap">4</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete3');" bgcolor="#E5E5E5">Audit of print events</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete3');" bgcolor="#E5E5E5">Instrument CUPS.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete3');" bgcolor="#E5E5E5">HP completed a new CUPS patch and discussed extensively on this list.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete3');" bgcolor="#E5E5E5">Patch needs to go upstream to CUPS list; depends on print patch.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete3');" bgcolor="#E5E5E5">CUPS mailing list</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete3');" bgcolor="#E5E5E5" class="nowrap">95</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete3');" bgcolor="#E5E5E5">Anderson, Matt</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete3');" bgcolor="#E5E5E5">HP</td>
</tr>
<tr onmouseover="setPointer(this, 4, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 4, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 4, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete4');" bgcolor="#D5D5D5" class="nowrap">5</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete4');" bgcolor="#D5D5D5">Audit of other import/export events</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete4');" bgcolor="#D5D5D5">Audit of device allocation + audit of devices not covered by dev allocator hooks or existing AVC audit records.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete4');" bgcolor="#D5D5D5">Add audit hooks for device allocator and other relevant device-related events.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete4');" bgcolor="#D5D5D5">Consensus is this is already covered . Device allocator audit needs test.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete4');" bgcolor="#D5D5D5">Device allocator project; Individual dev mailing lists</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete4');" bgcolor="#D5D5D5" class="nowrap">99</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete4');" bgcolor="#D5D5D5">Velarde, Debora</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete4');" bgcolor="#D5D5D5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 5, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 5, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 5, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete5');" bgcolor="#E5E5E5" class="nowrap">6</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete5');" bgcolor="#E5E5E5">Audit of user and role modifications</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete5');" bgcolor="#E5E5E5">Must audit tools that modify users and roles in flat file implementation. Includes passwd. Utilities upon which this depends covered in separate task.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete5');" bgcolor="#E5E5E5">Red Hat will be writing the user and role tools. Ensure that audit records are generated.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete5');" bgcolor="#E5E5E5">Needs test.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete5');" bgcolor="#E5E5E5">mlsutils package</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete5');" bgcolor="#E5E5E5" class="nowrap">100</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete5');" bgcolor="#E5E5E5">Walsh, Dan</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete5');" bgcolor="#E5E5E5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 6, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 6, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 6, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete6');" bgcolor="#D5D5D5" class="nowrap">7</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete6');" bgcolor="#D5D5D5">Audit instrumentation of trusted programs, including SELinux tools</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete6');" bgcolor="#D5D5D5">Analyze userspace and identify those programs that require audit hooks and trusted program modification. At the moment, looks like only init and newrole need to be instrumented--others are audited by kernel.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete6');" bgcolor="#D5D5D5">Instrument newrole for audit, make it suid, and drop capabilities other than audit append.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete6');" bgcolor="#D5D5D5">No new trusted programs identified lately; identify any remaining gaps.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete6');" bgcolor="#D5D5D5">SELinux list, kernel community</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete6');" bgcolor="#D5D5D5" class="nowrap">90</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete6');" bgcolor="#D5D5D5">Grubb, Steve</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete6');" bgcolor="#D5D5D5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 7, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 7, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 7, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete7');" bgcolor="#E5E5E5" class="nowrap">8</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete7');" bgcolor="#E5E5E5">Audit-fs completion</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete7');" bgcolor="#E5E5E5">Completion of auditfs patch.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete7');" bgcolor="#E5E5E5">Implementation in progress by Amy.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete7');" bgcolor="#E5E5E5">Patches are incorporated into development kernel. Inotify integration is still ongoing.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete7');" bgcolor="#E5E5E5">fsdevel, lkml</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete7');" bgcolor="#E5E5E5" class="nowrap">85</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete7');" bgcolor="#E5E5E5">Griffis, Amy</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete7');" bgcolor="#E5E5E5">HP</td>
</tr>
<tr onmouseover="setPointer(this, 8, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 8, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 8, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete8');" bgcolor="#D5D5D5" class="nowrap">9</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete8');" bgcolor="#D5D5D5">Audit filtering in kernel or daemon with additional LSPP & RBACPP attributes--Selective Audit</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete8');" bgcolor="#D5D5D5">Add kernel or daemon audit filtering to CAPP audit. Solution must filter/suppress records based on all available LSPP & RBACPP attributes: obj and subj labels, object identity, role, hostname, event type, and access type.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete8');" bgcolor="#D5D5D5">Red Hat, IBM, and HP have posted patches that allow filtering on various criteria.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete8');" bgcolor="#D5D5D5">Most all filtering should be in place.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete8');" bgcolor="#D5D5D5">lkml</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete8');" bgcolor="#D5D5D5" class="nowrap">95</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete8');" bgcolor="#D5D5D5">Grubb, Steve</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete8');" bgcolor="#D5D5D5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 9, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 9, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 9, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete9');" bgcolor="#E5E5E5" class="nowrap">10</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete9');" bgcolor="#E5E5E5">Audit browse, sort, search (ausearch) with additional LSPP & RBACPP attributes--Audit Selection</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete9');" bgcolor="#E5E5E5">Create command line browse utility. Must include all available LSPP & RBACPP attributes: obj and subj labels, object identity, role, hostname, event type, and access type. Note there is no X-window System in certified configuration.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete9');" bgcolor="#E5E5E5">An ASCII version exists</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete9');" bgcolor="#E5E5E5">ASCII ausearch w/sub and obj labels implemented; API proposed on list; binary record format being discussed.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete9');" bgcolor="#E5E5E5">Red Hat</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete9');" bgcolor="#E5E5E5" class="nowrap">95</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete9');" bgcolor="#E5E5E5">Grubb, Steve</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete9');" bgcolor="#E5E5E5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 10, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 10, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 10, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete10');" bgcolor="#D5D5D5" class="nowrap">11</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete10');" bgcolor="#D5D5D5">DAC policy and function</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete10');" bgcolor="#D5D5D5">Existing DAC mechanisms should cover; ensure all objects are covered and ensure owner, perm bits, ACLs are appropriate.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete10');" bgcolor="#D5D5D5">Should already be covered.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete10');" bgcolor="#D5D5D5">Needs to be analyzed to ensure complete coverage. This is really an assurance issue.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete10');" bgcolor="#D5D5D5">What, if anything, is specific to the certification RPM?</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete10');" bgcolor="#D5D5D5" class="nowrap">99</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete10');" bgcolor="#D5D5D5">Wilson, George</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete10');" bgcolor="#D5D5D5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 11, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 11, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 11, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete11');" bgcolor="#E5E5E5" class="nowrap">12</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete11');" bgcolor="#E5E5E5">MLS policy and function</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete11');" bgcolor="#E5E5E5">SELinux MLS function and base MLS policy provide foundation; ensure the MLS policy correctly deals with trusted processes, overrides, restrictions on import/export, VFS polyinstantiation; requires extensive testing.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete11');" bgcolor="#E5E5E5">NSA, TCS, Tresys, Red Hat, and others have posted patches.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete11');" bgcolor="#E5E5E5">Red Hat has incorporated MLS policy into Rawhide and ported it to reference policy. There are still kinks to work out.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete11');" bgcolor="#E5E5E5">SELinux mailing list, Red Hat MLS policy RPM</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete11');" bgcolor="#E5E5E5" class="nowrap">90</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete11');" bgcolor="#E5E5E5">Walsh, Dan</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete11');" bgcolor="#E5E5E5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 12, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 12, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 12, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete12');" bgcolor="#D5D5D5" class="nowrap">13</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete12');" bgcolor="#D5D5D5">IPsec labeled packets: Base patch</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete12');" bgcolor="#D5D5D5">Indirect packet labeling based on mapping IPsec SAs to SELinux security contexts; AH-only with physical network security reduces/eliminates FIPS crypto cert requirements.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete12');" bgcolor="#D5D5D5">Trent Jaeger / IBM posted patch to netdev. They plan to continue working this item.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete12');" bgcolor="#D5D5D5">Requires documentation, and additional stress and interoperability testing.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete12');" bgcolor="#D5D5D5">netdev, lkml</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete12');" bgcolor="#D5D5D5" class="nowrap">99</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete12');" bgcolor="#D5D5D5">Jaeger, Trent</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete12');" bgcolor="#D5D5D5">PSU</td>
</tr>
<tr onmouseover="setPointer(this, 13, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 13, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 13, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete13');" bgcolor="#E5E5E5" class="nowrap">14</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete13');" bgcolor="#E5E5E5">Labeled print</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete13');" bgcolor="#E5E5E5">MLS labels required on banner pages, headers, and footers.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete13');" bgcolor="#E5E5E5">There have been a couple of iterations on this. Current thinking is to use untrusted CUPS server to feed a trusted CUPS server as scaled image.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete13');" bgcolor="#E5E5E5">Matt is now working on the trusted server. Plans to post new patch soon.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete13');" bgcolor="#E5E5E5">CUPS mailing list</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete13');" bgcolor="#E5E5E5" class="nowrap">85</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete13');" bgcolor="#E5E5E5">Anderson, Matt</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete13');" bgcolor="#E5E5E5">HP</td>
</tr>
<tr onmouseover="setPointer(this, 14, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 14, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 14, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete14');" bgcolor="#D5D5D5" class="nowrap">15</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete14');" bgcolor="#D5D5D5">VFS polyinstantiation</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete14');" bgcolor="#D5D5D5">Namespaces unshare() syscall patch and PAM exploitation of it.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete14');" bgcolor="#D5D5D5">NSA posted polyinstantiation patch. Red Hat been working on namespaces extensively. IBM has posted unshare syscall patch and PAM integration patches.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete14');" bgcolor="#D5D5D5">Namespaces module and config file need manpages.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete14');" bgcolor="#D5D5D5">lkml, pam-list</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete14');" bgcolor="#D5D5D5" class="nowrap">99</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete14');" bgcolor="#D5D5D5">Desai, Janak</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete14');" bgcolor="#D5D5D5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 15, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 15, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 15, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete15');" bgcolor="#E5E5E5" class="nowrap">16</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete15');" bgcolor="#E5E5E5">Device allocation</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete15');" bgcolor="#E5E5E5">Device allocation patch posted by TCS + enhancements, and/or forced relabeling upon device insertion; requires testing. Functions: authorization, synchronization, device node context assignment, eject/close.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete15');" bgcolor="#E5E5E5">TCS posted framework patch. HP posted policy for it.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete15');" bgcolor="#E5E5E5">Needs to be packaged. Does not do mounting--consensus is that is OK.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete15');" bgcolor="#E5E5E5">Device allocator SF project</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete15');" bgcolor="#E5E5E5" class="nowrap">95</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete15');" bgcolor="#E5E5E5">Hanson, Chad</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete15');" bgcolor="#E5E5E5">TCS</td>
</tr>
<tr onmouseover="setPointer(this, 16, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 16, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 16, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete16');" bgcolor="#D5D5D5" class="nowrap">17</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete16');" bgcolor="#D5D5D5">Test and possibly restrict file archivers</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete16');" bgcolor="#D5D5D5">star already maintains xattrs; zip/unzip patched to support xattrs. Need to restrict to the admin. Enhancements to other archivers exceed LSPP reqs.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete16');" bgcolor="#D5D5D5">IBM has added xattr support to zip/unzip, which did not make the cutoff date .</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete16');" bgcolor="#D5D5D5">Need to test star w/MLS and ensure policy is correct.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete16');" bgcolor="#D5D5D5">archiver maintainers for modifications; selinux list for policy</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete16');" bgcolor="#D5D5D5" class="nowrap">95</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete16');" bgcolor="#D5D5D5">Velarde, Debora</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete16');" bgcolor="#D5D5D5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 17, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 17, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 17, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete17');" bgcolor="#E5E5E5" class="nowrap">18</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete17');" bgcolor="#E5E5E5">Disable udev & hotplug after boot (was Device labeling via udev)</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete17');" bgcolor="#E5E5E5">Current thinking is to disable udev & hotplug after boot. (L/FDP_ETC, FDP_ITC) See also item 37--Disable DBUS after boot.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete17');" bgcolor="#E5E5E5">Disable hotplug after boot for the evaluated config. This involves investigation and modifications to init scripts for evaluated configuration.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete17');" bgcolor="#E5E5E5">Init script mods need to be incorporated. Debora documented the results and posted init scripts prototype.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete17');" bgcolor="#E5E5E5">Red Hat Certification RPM</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete17');" bgcolor="#E5E5E5" class="nowrap">95</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete17');" bgcolor="#E5E5E5">Velarde, Debora</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete17');" bgcolor="#E5E5E5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 18, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 18, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 18, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete18');" bgcolor="#D5D5D5" class="nowrap">19</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete18');" bgcolor="#D5D5D5">Label translation</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete18');" bgcolor="#D5D5D5">Translation of sensitivity labels into human-readable form.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete18');" bgcolor="#D5D5D5">libsetrans incorporated into SELinux.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete18');" bgcolor="#D5D5D5">libsetrans is upstream; requires test.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete18');" bgcolor="#D5D5D5">SELinux list</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete18');" bgcolor="#D5D5D5" class="nowrap">100</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete18');" bgcolor="#D5D5D5">Walsh, Dan</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete18');" bgcolor="#D5D5D5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 19, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 19, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 19, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete19');" bgcolor="#E5E5E5" class="nowrap">20</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete19');" bgcolor="#E5E5E5">Mail</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete19');" bgcolor="#E5E5E5">User mail required for admin mail only, probably only cron. Possible solutions: multi-level MTA, admin-only MTA, direct procmail invocation; direct delivery by cron into poly'd directories. Complete solution may be interesting but is not a requirement.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete19');" bgcolor="#E5E5E5">Modify cron to accept new mailer; use modified mailer to deliver cron output.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete19');" bgcolor="#E5E5E5">Cron has been modified to pass in a mailer; cannot use mailx as is; need to determine delivery mechanism (wrappered mailx or procmail).</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete19');" bgcolor="#E5E5E5">No central cron maintainer; Red Hat will carry cron patch; need cron configuration for certification RPM.</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete19');" bgcolor="#E5E5E5" class="nowrap">25</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete19');" bgcolor="#E5E5E5">Desai, Janak</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete19');" bgcolor="#E5E5E5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 20, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 20, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 20, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete20');" bgcolor="#D5D5D5" class="nowrap">21</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete20');" bgcolor="#D5D5D5">Multilevel xinetd</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete20');" bgcolor="#D5D5D5">Patch xinetd to obtain label from inbound connections and spawn child daemons with correct context. Will have to be documented as trusted program.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete20');" bgcolor="#D5D5D5">TCS has posted a patch. Trent also has a student working on an implementation.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete20');" bgcolor="#D5D5D5">Steve Grubb has some issues w/patch. Trent's student's patch execs children at the right level. Trent to post patch. Any concern about DAC attributes or MLS connection ranges?</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete20');" bgcolor="#D5D5D5">Steve Grubb, xinetd list</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete20');" bgcolor="#D5D5D5" class="nowrap">65</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete20');" bgcolor="#D5D5D5">Hanson, Chad</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete20');" bgcolor="#D5D5D5">TCS</td>
</tr>
<tr onmouseover="setPointer(this, 21, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 21, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 21, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete21');" bgcolor="#E5E5E5" class="nowrap">22</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete21');" bgcolor="#E5E5E5">Multilevel sshd</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete21');" bgcolor="#E5E5E5">Patch sshd to spawn child processes with correct context.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete21');" bgcolor="#E5E5E5">This may be possible by simply patching PAM module.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete21');" bgcolor="#E5E5E5">sshd needs to be tested with xinetd. Looks like we will not need this with xinetd approach. Composition with multilevel xinetd requires test. Will privilege separation cause problems?</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete21');" bgcolor="#E5E5E5">openssh-unix-dev</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete21');" bgcolor="#E5E5E5" class="nowrap">0</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete21');" bgcolor="#E5E5E5">Latten, Joy</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete21');" bgcolor="#E5E5E5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 22, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 22, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 22, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete22');" bgcolor="#D5D5D5" class="nowrap">23</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete22');" bgcolor="#D5D5D5">Multilevel cron</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete22');" bgcolor="#D5D5D5">TCS posted polyinstantiation-aware Vixie cron; TCS approach useful, but useful only for MLS labels and dependent on TCS polyinstantiation mechanism. Comments on redhat-lspp suggest extending cron/crontab protocol to support security context.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete22');" bgcolor="#D5D5D5">TCS posted the patch; IBM is working to integrate with namespaces-based polyinstantiation.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete22');" bgcolor="#D5D5D5">Janak is waiting to hear back from maintainers. Janak has posted an updated patch that changes the cron protocol per his writeup; needs test.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete22');" bgcolor="#D5D5D5">Patch should be in rawhide son. No central cron maintainer--Janak is sending to all distro cron maintainers per Stephen Smalley. Distros will have to carry the patch.</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete22');" bgcolor="#D5D5D5" class="nowrap">95</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete22');" bgcolor="#D5D5D5">Desai, Janak</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete22');" bgcolor="#D5D5D5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 23, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 23, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 23, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete23');" bgcolor="#E5E5E5" class="nowrap">24</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete23');" bgcolor="#E5E5E5">Multilevel at</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete23');" bgcolor="#E5E5E5">Base at work on multilevel cron.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete23');" bgcolor="#E5E5E5">Open; IBM and TCS are likely interested in this as they have been working on cron.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete23');" bgcolor="#E5E5E5">This work is folded in with cron. Needs test.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete23');" bgcolor="#E5E5E5">Red Hat will carry patch for evaluated configuration.</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete23');" bgcolor="#E5E5E5" class="nowrap">95</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete23');" bgcolor="#E5E5E5">Desai, Janak</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete23');" bgcolor="#E5E5E5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 24, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 24, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 24, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete24');" bgcolor="#D5D5D5" class="nowrap">25</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete24');" bgcolor="#D5D5D5">Multilevel tmpwatch</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete24');" bgcolor="#D5D5D5">Patch tmpwatch to handle polyinstantiation.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete24');" bgcolor="#D5D5D5">Very likely only manpage changes.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete24');" bgcolor="#D5D5D5">Janak has performed initial investigation; no code changes should be necessary.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete24');" bgcolor="#D5D5D5">tmpwatch maintainer</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete24');" bgcolor="#D5D5D5" class="nowrap">90</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete24');" bgcolor="#D5D5D5">Desai, Janak</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete24');" bgcolor="#D5D5D5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 25, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 25, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 25, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete25');" bgcolor="#E5E5E5" class="nowrap">26</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete25');" bgcolor="#E5E5E5">Multilevel slocate</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete25');" bgcolor="#E5E5E5">Slocate needs to be removed from evaluated configuration.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete25');" bgcolor="#E5E5E5">Ensure removal from evaluated configuration package list.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete25');" bgcolor="#E5E5E5">Consensus at last discussion is to remove from package list.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete25');" bgcolor="#E5E5E5">Ensure this is removed by the Red Hat Certification RPM.</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete25');" bgcolor="#E5E5E5" class="nowrap">99</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete25');" bgcolor="#E5E5E5">Grubb, Steve</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete25');" bgcolor="#E5E5E5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 26, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 26, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 26, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete26');" bgcolor="#D5D5D5" class="nowrap">27</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete26');" bgcolor="#D5D5D5">Revocation of user and object attributes</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete26');" bgcolor="#D5D5D5">Killall with user and context matching and wrapper script to lock account and kill all user processes. Similar approach can be taken with fuser.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete26');" bgcolor="#D5D5D5">George has psmisc patch to be posted. Needs to use auid and document regex caveats as well.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete26');" bgcolor="#D5D5D5">George will re-port killall auid patch and rewrite the user revocation script in python. Obj revocation will be procedural.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete26');" bgcolor="#D5D5D5">psmisc sf project, Red Hat certification RPM</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete26');" bgcolor="#D5D5D5" class="nowrap">75</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete26');" bgcolor="#D5D5D5">Wilson, George</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete26');" bgcolor="#D5D5D5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 27, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 27, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 27, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete27');" bgcolor="#E5E5E5" class="nowrap">28</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete27');" bgcolor="#E5E5E5">Useful role definitions</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete27');" bgcolor="#E5E5E5">Define a useful set of roles in the MLS policy. The admin roles should be separated. Consider including a crypto admin role. Ensure each override is accessible through at least one role.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete27');" bgcolor="#E5E5E5">Red Hat added role separation to MLS policy with input from TCS. However, because the policy must be static in the evaluated config, the user admin tool will be used to assign roles to users.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete27');" bgcolor="#E5E5E5">Now we have sysadm and audadm. Additional flexibility exists with policy modules, including overrides. Need to document role assignment procedure.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete27');" bgcolor="#E5E5E5">selinux list</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete27');" bgcolor="#E5E5E5" class="nowrap">90</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete27');" bgcolor="#E5E5E5">Wilson, George</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete27');" bgcolor="#E5E5E5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 28, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 28, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 28, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete28');" bgcolor="#D5D5D5" class="nowrap">29</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete28');" bgcolor="#D5D5D5">Management of users and roles in flat file</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete28');" bgcolor="#D5D5D5">Create command line tools to manage and audit users and roles in flat file separated from base MLS policy. Actions need to be audited, which is covered in a separate task.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete28');" bgcolor="#D5D5D5">Red Hat has been working on flat file user and roles implementation.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete28');" bgcolor="#D5D5D5">Red Hat posted user and roles in flat files documentation. Tools need to be created and instrumented with audit hooks.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete28');" bgcolor="#D5D5D5">Red Hat mlsutils package</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete28');" bgcolor="#D5D5D5" class="nowrap">100</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete28');" bgcolor="#D5D5D5">Walsh, Dan</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete28');" bgcolor="#D5D5D5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 29, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 29, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 29, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete29');" bgcolor="#E5E5E5" class="nowrap">30</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete29');" bgcolor="#E5E5E5">Self tests</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete29');" bgcolor="#E5E5E5">Define a simple set of tests that can be run periodically by an administrator or cron job that demonstrates correct operation DAC and MAC policies, and verifies integrity of configuration files, including SELinux policy. Tests shall produce audit records.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete29');" bgcolor="#E5E5E5">Permission and label checks via script, binary integrity validation via rpm -V, check enforcing.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete29');" bgcolor="#E5E5E5">George needs to incorporate feedback from list; wrote manpage. Needs additional SELinux checks, manpage, and test. Policy integrity verification and versioning would be nice, but are not in scope.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete29');" bgcolor="#E5E5E5">Red Hat Certification RPM</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete29');" bgcolor="#E5E5E5" class="nowrap">65</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete29');" bgcolor="#E5E5E5">Wilson, George</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete29');" bgcolor="#E5E5E5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 30, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 30, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 30, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete30');" bgcolor="#D5D5D5" class="nowrap">31</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete30');" bgcolor="#D5D5D5">I&A</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete30');" bgcolor="#D5D5D5">All these requirements are similar to CAPP. Augment tests to account for sensitivity labels.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete30');" bgcolor="#D5D5D5">Needs to be tested for certification.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete30');" bgcolor="#D5D5D5">This is assurance work to verify that I&A functionality.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete30');" bgcolor="#D5D5D5">LTP?</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete30');" bgcolor="#D5D5D5" class="nowrap">99</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete30');" bgcolor="#D5D5D5">Desai, Janak</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete30');" bgcolor="#D5D5D5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 31, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 31, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 31, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete31');" bgcolor="#E5E5E5" class="nowrap">34</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete31');" bgcolor="#E5E5E5">Ensure all named objects are covered by DAC & MAC</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete31');" bgcolor="#E5E5E5">Objects shall include: files, named pipes (fifo), sockets, devices, shared memory, message queue, semaphores. New object: kernel keys - would need man pages, structured comments, & test cases.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete31');" bgcolor="#E5E5E5">Needs complete coverage for certification.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete31');" bgcolor="#E5E5E5">Assurance work; ensure coverage in ST.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete31');" bgcolor="#E5E5E5">Red Hat Certification RPM</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete31');" bgcolor="#E5E5E5" class="nowrap">95</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete31');" bgcolor="#E5E5E5">Wilson, George</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete31');" bgcolor="#E5E5E5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 32, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 32, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 32, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete32');" bgcolor="#D5D5D5" class="nowrap">35</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete32');" bgcolor="#D5D5D5">Provide minimal number of MAC levels and categories</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete32');" bgcolor="#D5D5D5">There shall at least 16 levels of hierarchical labels and 64 compartments (L/FDP_IFF.2.7). However, we should have 256 compartments per customer requirement.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete32');" bgcolor="#D5D5D5">Need to meet minimum specified in LSPP. However, customers may require more.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete32');" bgcolor="#D5D5D5">Was marked complete. However, customer input a SELinux Symposium indicated a greater number of categories is necessary; ensure coverage in ST.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete32');" bgcolor="#D5D5D5">SELinux mailing list</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete32');" bgcolor="#D5D5D5" class="nowrap">95</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete32');" bgcolor="#D5D5D5">Walsh, Dan</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete32');" bgcolor="#D5D5D5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 33, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 33, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 33, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete33');" bgcolor="#E5E5E5" class="nowrap">36</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete33');" bgcolor="#E5E5E5">Audit record unique session/terminal ID</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete33');" bgcolor="#E5E5E5">Events shall contain unique session identifier and/or terminal.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete33');" bgcolor="#E5E5E5">Could be and ID a la loginuid; don't want to add a new one; only required when available; incomplete coverage; add to audit records where available.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete33');" bgcolor="#E5E5E5">This work should be complete; ensure complete coverage.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete33');" bgcolor="#E5E5E5">lkml, linux-audit</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete33');" bgcolor="#E5E5E5" class="nowrap">99</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete33');" bgcolor="#E5E5E5">Grubb, Steve</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete33');" bgcolor="#E5E5E5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 34, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 34, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 34, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete34');" bgcolor="#D5D5D5" class="nowrap">37</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete34');" bgcolor="#D5D5D5">Disable DBUS after boot (was Analyze removing DBUS)</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete34');" bgcolor="#D5D5D5">DBUS must be either documented and tested, restricted, or removed. Ideally it will be removed from the ST. See also item 18--Disable udev & hotplug after boot.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete34');" bgcolor="#D5D5D5">Remove dbus and see what breaks; discuss with Russell.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete34');" bgcolor="#D5D5D5">Debora completed a report and init script mods. Mods need to be incorporated.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete34');" bgcolor="#D5D5D5">Red Hat Certification RPM</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete34');" bgcolor="#D5D5D5" class="nowrap">95</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete34');" bgcolor="#D5D5D5">Velarde, Debora</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete34');" bgcolor="#D5D5D5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 35, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 35, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 35, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete35');" bgcolor="#E5E5E5" class="nowrap">39</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete35');" bgcolor="#E5E5E5">Restrict kernel keyring access</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete35');" bgcolor="#E5E5E5">There needs to be a way to restrict the use of the kernel keyring to the authorized administrator.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete35');" bgcolor="#E5E5E5">The restrictions should be defined in the MLS policy, and DAC, too, if possible.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete35');" bgcolor="#E5E5E5">Ensure restriction in SELinux policy.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete35');" bgcolor="#E5E5E5">Red Hat Certification RPM</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete35');" bgcolor="#E5E5E5" class="nowrap">90</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete35');" bgcolor="#E5E5E5">Walsh, Dan</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete35');" bgcolor="#E5E5E5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 36, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 36, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 36, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete36');" bgcolor="#D5D5D5" class="nowrap">41</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete36');" bgcolor="#D5D5D5">Audit of SELinux booleans</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete36');" bgcolor="#D5D5D5">Changing policy booleans is auditable event.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete36');" bgcolor="#D5D5D5">SELinux needs to generate audit records when policy booleans are changed.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete36');" bgcolor="#D5D5D5">Needs test.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete36');" bgcolor="#D5D5D5">SELinux list</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete36');" bgcolor="#D5D5D5" class="nowrap">99</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete36');" bgcolor="#D5D5D5">Grubb, Steve</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete36');" bgcolor="#D5D5D5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 37, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 37, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 37, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete37');" bgcolor="#E5E5E5" class="nowrap">42</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete37');" bgcolor="#E5E5E5">Audit of service discontinuity and fs relabeling (was Audit of service discontinuity)</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete37');" bgcolor="#E5E5E5">Service discontinuity and fs relabeling are auditable events.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete37');" bgcolor="#E5E5E5">Ensure service discontinuities an fs relabels are audited--bootup, shutdown, SELinux enable, SELinux disable.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete37');" bgcolor="#E5E5E5">This item needs an owner. Discontinuity should already be covered; need fs relabel record. Need runlevel records.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete37');" bgcolor="#E5E5E5">SELinux list, linux-audit</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete37');" bgcolor="#E5E5E5" class="nowrap">85</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete37');" bgcolor="#E5E5E5">Grubb, Steve</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete37');" bgcolor="#E5E5E5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 38, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 38, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 38, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete38');" bgcolor="#D5D5D5" class="nowrap">43</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete38');" bgcolor="#D5D5D5">Audit record subject labels for userspace records</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete38');" bgcolor="#D5D5D5">When user space message is relayed, add a subject message to same event.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete38');" bgcolor="#D5D5D5">The kernel needs to add the subject label for audit records generated in userspace because the caller cannot be trusted.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete38');" bgcolor="#D5D5D5">Needs to get upstream. Tim produced an updated patch; Steve reworked to use Darrel's i/f.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete38');" bgcolor="#D5D5D5">SELinux list, linux-audit</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete38');" bgcolor="#D5D5D5" class="nowrap">99</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete38');" bgcolor="#D5D5D5">Chavez, Timothy</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete38');" bgcolor="#D5D5D5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 39, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 39, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 39, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete39');" bgcolor="#E5E5E5" class="nowrap">44</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete39');" bgcolor="#E5E5E5">Fail to secure state</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete39');" bgcolor="#E5E5E5">When role data base is offline, corrupt, or inaccessible, the system shall preserve a secure state.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete39');" bgcolor="#E5E5E5">SELinux denies everything by default. So, if the SS, DB, or policy is unavailable, the system should come to a stop.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete39');" bgcolor="#E5E5E5">Should already be covered by SELinux. Does policy load failure generate an audit record?</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete39');" bgcolor="#E5E5E5">SELinux list</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete39');" bgcolor="#E5E5E5" class="nowrap">90</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete39');" bgcolor="#E5E5E5">Walsh, Dan</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete39');" bgcolor="#E5E5E5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 40, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 40, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 40, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete40');" bgcolor="#D5D5D5" class="nowrap">45</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete40');" bgcolor="#D5D5D5">Maintenance mode for secure recovery</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete40');" bgcolor="#D5D5D5">RBACPP stipulates that after a failure or service discontinuity, the machine shall enter a maintenance mode whereby the machine can be restored to a secure state. Maybe config param for rc.sysinit.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete40');" bgcolor="#D5D5D5">rc.sysinit change. Need to boot into single user mode for maintenance after SELinux or audit failure.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete40');" bgcolor="#D5D5D5">Dan Walsh volunteered to push this item. Init already panics when policy load fails. A configurable option to drop into single user mode would be nice. Also want something similar for audit.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete40');" bgcolor="#D5D5D5">Red Hat certification RPM</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete40');" bgcolor="#D5D5D5" class="nowrap">50</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete40');" bgcolor="#D5D5D5">Walsh, Dan</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete40');" bgcolor="#D5D5D5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 41, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 41, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 41, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete41');" bgcolor="#E5E5E5" class="nowrap">47</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete41');" bgcolor="#E5E5E5">Utility to list SELinux roles</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete41');" bgcolor="#E5E5E5">User shall have the ability to see list of authorized Roles. This does not appear to be a strict requirement looking at RBACPP FIA_ATD.1.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete41');" bgcolor="#E5E5E5">This is not required by would be nice to have. Is there already a way to do this? If not, need a utility for a user to list roles that he/she can take on.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete41');" bgcolor="#E5E5E5">Nice to have. Determine if this should be removed from requirements list.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete41');" bgcolor="#E5E5E5">SELinux list, Red Hat certification RPM</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete41');" bgcolor="#E5E5E5" class="nowrap">100</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete41');" bgcolor="#E5E5E5">Walsh, Dan</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete41');" bgcolor="#E5E5E5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 42, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 42, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 42, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete42');" bgcolor="#D5D5D5" class="nowrap">49</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete42');" bgcolor="#D5D5D5">MLS enablement of userspace</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete42');" bgcolor="#D5D5D5">All utilities that display contexts shall be updated to display levels and categories. They shall display the translated name.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete42');" bgcolor="#D5D5D5">Ensure all userspace utilities display levels and categories correctly. This should already be done. Unclear that they should always display xlated names.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete42');" bgcolor="#D5D5D5">Should already be covered requires test.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete42');" bgcolor="#D5D5D5">SELinux list, Red Hat certification RPM</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete42');" bgcolor="#D5D5D5" class="nowrap">99</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete42');" bgcolor="#D5D5D5">Walsh, Dan</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete42');" bgcolor="#D5D5D5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 43, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 43, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 43, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete43');" bgcolor="#E5E5E5" class="nowrap">50</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete43');" bgcolor="#E5E5E5">Utility to compute closure of sub access to objs</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete43');" bgcolor="#E5E5E5">Given a file, the Admin shall be able to determine who can access it. Request from military customers.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete43');" bgcolor="#E5E5E5">apol does this graphically for SELinux, but relies on library to do work. Write command-line utility. Requires analysis of DAC permissions and SELinux policy.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete43');" bgcolor="#E5E5E5">Reid volunteered to take this item. Nice to have. But there is customer demand.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete43');" bgcolor="#E5E5E5">Red Hat certification RPM</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete43');" bgcolor="#E5E5E5" class="nowrap">10</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete43');" bgcolor="#E5E5E5">Wightman, Reid</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete43');" bgcolor="#E5E5E5">USAF CDS Lab</td>
</tr>
<tr onmouseover="setPointer(this, 44, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 44, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 44, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete44');" bgcolor="#D5D5D5" class="nowrap">51</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete44');" bgcolor="#D5D5D5">IPsec labeled packets: Userspace ipsec-tools patches</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete44');" bgcolor="#D5D5D5">These are the userspace ipsec-tools patches that accompany the kernel base patch. Includes Venkat's MLS patch for racoon.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete44');" bgcolor="#D5D5D5">Joy Latten and Trent Jaeger modified ipsec-tools to handle syntax modifications required by kernel base patch. Venkat produced a patch to handle MLS negotiations.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete44');" bgcolor="#D5D5D5">Dan Walsh pushed to rawhide. Joy has forward ported and posted the patch. Maintainer is presently swamped. Dan is pushing from Red Hat side. Still requires incorporation of Venkat's MLS enhancements.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete44');" bgcolor="#D5D5D5">ipsec-tools</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete44');" bgcolor="#D5D5D5" class="nowrap">90</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete44');" bgcolor="#D5D5D5">Latten, Joy</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete44');" bgcolor="#D5D5D5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 45, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 45, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 45, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete45');" bgcolor="#E5E5E5" class="nowrap">52</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete45');" bgcolor="#E5E5E5">IPsec labeled packets: Packet context getsockopt() patch</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete45');" bgcolor="#E5E5E5">Patch that adds a socket-level getsockopt() to obtain packets' SELinux contexts.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete45');" bgcolor="#E5E5E5">Patch exists to get TCP connection peer security context. This is insufficient for UDP. Patch rework will be required to add a peek option.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete45');" bgcolor="#E5E5E5">Needs test and exploitation by xinetd and network audit.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete45');" bgcolor="#E5E5E5">netdev, lkml</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete45');" bgcolor="#E5E5E5" class="nowrap">99</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete45');" bgcolor="#E5E5E5">Zhang, Catherine</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete45');" bgcolor="#E5E5E5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 46, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 46, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 46, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete46');" bgcolor="#D5D5D5" class="nowrap">53</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete46');" bgcolor="#D5D5D5">IPsec labeled packets: Analyzers</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete46');" bgcolor="#D5D5D5">Tcpdump and ethereal need to understand IPsec labels. This is not an LSPP/RBACPP requirement.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete46');" bgcolor="#D5D5D5">Augment tcpdump and ethereal for filtering on labels.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete46');" bgcolor="#D5D5D5">James Antill has taken this item. Nice to have.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete46');" bgcolor="#D5D5D5">Tcpdump and ethereal maintainers</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete46');" bgcolor="#D5D5D5" class="nowrap">10</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete46');" bgcolor="#D5D5D5">Antill, James</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete46');" bgcolor="#D5D5D5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 47, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 47, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 47, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete47');" bgcolor="#E5E5E5" class="nowrap">54</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete47');" bgcolor="#E5E5E5">Audit of auditd signals</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete47');" bgcolor="#E5E5E5">Collect loginuid and context info for senders of signals to auditd. SIGUSER1, SIGHUP, and SIGTERM are only ones used.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete47');" bgcolor="#E5E5E5">Al Viro implemented this item.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete47');" bgcolor="#E5E5E5">Needs test and upstreaming.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete47');" bgcolor="#E5E5E5">linux-audit</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete47');" bgcolor="#E5E5E5" class="nowrap">95</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete47');" bgcolor="#E5E5E5">Grubb, Steve</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete47');" bgcolor="#E5E5E5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 48, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 48, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 48, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete48');" bgcolor="#D5D5D5" class="nowrap">55</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete48');" bgcolor="#D5D5D5">Shell prompt security decorations</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete48');" bgcolor="#D5D5D5">Add new configuration options for the bash prompt so that level or other security attributes can be seen on the prompt. Not strictly required by LSPP. However, this helps the user keep the terminals straight as to what level each one runs.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete48');" bgcolor="#D5D5D5">TBD</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete48');" bgcolor="#D5D5D5">James Antill has taken this item. Needs analysis.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete48');" bgcolor="#D5D5D5">GNU bash maintainer</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete48');" bgcolor="#D5D5D5" class="nowrap">10</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete48');" bgcolor="#D5D5D5">Antill, James</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete48');" bgcolor="#D5D5D5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 49, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 49, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 49, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete49');" bgcolor="#E5E5E5" class="nowrap">56</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete49');" bgcolor="#E5E5E5">LTP Tests (was Test)</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete49');" bgcolor="#E5E5E5">Write new LTP tests or incorporate existing unit and functional tests.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete49');" bgcolor="#E5E5E5">Ideally, respective task owners would contribute unit and functional tests as complete LTP testcases. Share as much as possible.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete49');" bgcolor="#E5E5E5">Please write more LTP tests.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete49');" bgcolor="#E5E5E5">LTP</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete49');" bgcolor="#E5E5E5" class="nowrap">10</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete49');" bgcolor="#E5E5E5">Wilson, Kris</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete49');" bgcolor="#E5E5E5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 50, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 50, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 50, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete50');" bgcolor="#D5D5D5" class="nowrap">57</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete50');" bgcolor="#D5D5D5">PF_KEY SPD query reliability</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete50');" bgcolor="#D5D5D5">The PF_KEY protocol does not return all the entries from SPD queries when the number of entries is large.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete50');" bgcolor="#D5D5D5">TCS is working on a solution wherein netlink is used to query the SPD, and PF_KEY to perform all other SPD management tasks.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete50');" bgcolor="#D5D5D5">TCS would like help with this item. Red Hat bugzilla 181617 tracks this issue. TCS is working with netdev & ipsec-tools communities to come to consensus on a design to remedy the problem.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete50');" bgcolor="#D5D5D5">netdev</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete50');" bgcolor="#D5D5D5" class="nowrap">15</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete50');" bgcolor="#D5D5D5">Hanson, Chad</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete50');" bgcolor="#D5D5D5">TCS</td>
</tr>
<tr onmouseover="setPointer(this, 51, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 51, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 51, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete51');" bgcolor="#E5E5E5" class="nowrap">58</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete51');" bgcolor="#E5E5E5">Audit data API</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete51');" bgcolor="#E5E5E5">An API is required to provide a way for audit consumers to access audit records.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete51');" bgcolor="#E5E5E5">Should be a simple API that is easily wrappered by python.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete51');" bgcolor="#E5E5E5">Steve is implementing this.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete51');" bgcolor="#E5E5E5">linux-audit</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete51');" bgcolor="#E5E5E5" class="nowrap">60</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete51');" bgcolor="#E5E5E5">Grubb, Steve</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete51');" bgcolor="#E5E5E5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 52, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 52, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 52, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete52');" bgcolor="#D5D5D5" class="nowrap">59</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete52');" bgcolor="#D5D5D5">Audit of child processes</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete52');" bgcolor="#D5D5D5">Need to audit child processes so that autrace can produce output useful to polgen and other audit data consumers.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete52');" bgcolor="#D5D5D5">Create audit records for child processes.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete52');" bgcolor="#D5D5D5">Steve Grubb is implementing this feature.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete52');" bgcolor="#D5D5D5">linux-audit</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete52');" bgcolor="#D5D5D5" class="nowrap">5</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete52');" bgcolor="#D5D5D5">Grubb, Steve</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete52');" bgcolor="#D5D5D5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 53, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 53, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 53, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete53');" bgcolor="#E5E5E5" class="nowrap">60</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete53');" bgcolor="#E5E5E5">Label translation daemon</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete53');" bgcolor="#E5E5E5">Need a daemon intermediary for label translation because applying BLP rules to prevent reading the translation file will make it unavailable to most users.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete53');" bgcolor="#E5E5E5">A label translation daemon has already been written by TCS.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete53');" bgcolor="#E5E5E5">Needs test. This has been incorporated as a replacement for libsetrans.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete53');" bgcolor="#E5E5E5">libsetrans patch</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete53');" bgcolor="#E5E5E5" class="nowrap">95</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete53');" bgcolor="#E5E5E5">Hanson, Chad</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete53');" bgcolor="#E5E5E5">TCS</td>
</tr>
<tr onmouseover="setPointer(this, 54, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 54, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 54, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete54');" bgcolor="#D5D5D5" class="nowrap">61</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete54');" bgcolor="#D5D5D5">Audit failure action inquiry</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete54');" bgcolor="#D5D5D5">Require a way for applications, such as CUPS, to determine whether to continue running or die when audit is unavailable.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete54');" bgcolor="#D5D5D5">Configuration option in auditd.conf and inquiry function in libaudit.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete54');" bgcolor="#D5D5D5">Design looks good. Lisa will start coding something up.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete54');" bgcolor="#D5D5D5">linux-audit</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete54');" bgcolor="#D5D5D5" class="nowrap">25</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete54');" bgcolor="#D5D5D5">Smith, Lisa</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete54');" bgcolor="#D5D5D5">HP</td>
</tr>
<tr onmouseover="setPointer(this, 55, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 55, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 55, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete55');" bgcolor="#E5E5E5" class="nowrap">62</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete55');" bgcolor="#E5E5E5">Audit of POSIX message queues</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete55');" bgcolor="#E5E5E5">Need audit coverage for syscall i/f as in addition to the fs i/f.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete55');" bgcolor="#E5E5E5">Add audit hooks to POSIX message queue syscalls.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete55');" bgcolor="#E5E5E5">George will post initial patch soon.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete55');" bgcolor="#E5E5E5">linux-audit</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete55');" bgcolor="#E5E5E5" class="nowrap">65</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete55');" bgcolor="#E5E5E5">Wilson, George</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete55');" bgcolor="#E5E5E5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 56, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 56, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 56, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete56');" bgcolor="#D5D5D5" class="nowrap">63</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete56');" bgcolor="#D5D5D5">Analyze/instrument new kernel features</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete56');" bgcolor="#D5D5D5">Need to check TIPC, OCFS, configfs, and mutexes for DAC & MAC coverage.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete56');" bgcolor="#D5D5D5">Depends on outcome of analysis.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete56');" bgcolor="#D5D5D5">Needs analysis. This item needs an owner.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete56');" bgcolor="#D5D5D5">selinux-list, others?</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete56');" bgcolor="#D5D5D5" class="nowrap">0</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete56');" bgcolor="#D5D5D5">Grubb, Steve</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete56');" bgcolor="#D5D5D5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 57, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 57, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 57, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete57');" bgcolor="#E5E5E5" class="nowrap">64</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete57');" bgcolor="#E5E5E5">Audit performance</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete57');" bgcolor="#E5E5E5">Functional enhancements to the audit subsystem have resulted in an unacceptable performance degradation. Performance must be significantly improved before the changes are upstreamable.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete57');" bgcolor="#E5E5E5">Perhaps suppress audit data collection if record will not be emitted at syscall exit.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete57');" bgcolor="#E5E5E5">Amy posted a patch based on Al Viro's writeup. Needs test.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete57');" bgcolor="#E5E5E5">redhat-audit</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete57');" bgcolor="#E5E5E5" class="nowrap">100</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete57');" bgcolor="#E5E5E5">Grubb, Steve</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete57');" bgcolor="#E5E5E5">Red Hat</td>
</tr>
<tr onmouseover="setPointer(this, 58, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 58, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 58, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete58');" bgcolor="#D5D5D5" class="nowrap">65</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete58');" bgcolor="#D5D5D5">Audit netlink deadlock / ENOBUFS</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete58');" bgcolor="#D5D5D5">Audit deadlocks processing a large number of syscall rules; also happens on -mm. Some change is now filling the buffer.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete58');" bgcolor="#D5D5D5">Queue up the packets under the mutex; still need to determine root cause.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete58');" bgcolor="#D5D5D5">Now we need to fix the ENOBUFS problem. Al's patch to queue skb's verified. Need to fix upstream.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete58');" bgcolor="#D5D5D5">linux-audit, lkml</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete58');" bgcolor="#D5D5D5" class="nowrap">100</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete58');" bgcolor="#D5D5D5">Wilson, George</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete58');" bgcolor="#D5D5D5">IBM</td>
</tr>
<tr onmouseover="setPointer(this, 59, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 59, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 59, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete59');" bgcolor="#E5E5E5" class="nowrap">66</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete59');" bgcolor="#E5E5E5">Audit watch misc bugs</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete59');" bgcolor="#E5E5E5">First attempt to add a watch fails; subsequent adds succeed. Also, watches seem to match by len.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete59');" bgcolor="#E5E5E5">Incorporate missing patch.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete59');" bgcolor="#E5E5E5">This is fixed. Patch was missing from test kernel.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete59');" bgcolor="#E5E5E5">linux-audit, lkml</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete59');" bgcolor="#E5E5E5" class="nowrap">100</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete59');" bgcolor="#E5E5E5">Griffis, Amy</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete59');" bgcolor="#E5E5E5">HP</td>
</tr>
<tr onmouseover="setPointer(this, 60, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 60, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 60, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete60');" bgcolor="#D5D5D5" class="nowrap">67</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete60');" bgcolor="#D5D5D5">CIPSO</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete60');" bgcolor="#D5D5D5">Paul Moore is working on a CIPSO implementation for Linux.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete60');" bgcolor="#D5D5D5">Learn from past issues and create something this is both compatible with other implementations & acceptable upstream.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete60');" bgcolor="#D5D5D5">Paul has posted patches and gotten good feedback.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete60');" bgcolor="#D5D5D5">lkml</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete60');" bgcolor="#D5D5D5" class="nowrap">55</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete60');" bgcolor="#D5D5D5">Moore, Paul</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete60');" bgcolor="#D5D5D5">HP</td>
</tr>
<tr onmouseover="setPointer(this, 61, 'over', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 61, 'out', '#E5E5E5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 61, 'click', '#E5E5E5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete61');" bgcolor="#E5E5E5" class="nowrap">68</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete61');" bgcolor="#E5E5E5">IPsec labeled packets: xfrm MLS support</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete61');" bgcolor="#E5E5E5">Need to handle MLS in the xfrm protocol.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete61');" bgcolor="#E5E5E5">Augment the base IPsec labeling patch to make it aware of MLS attributes. Also augment SELinux MLS policy.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete61');" bgcolor="#E5E5E5">Venkat has a patch. Needs to be reviewed, commented on, submitted to netdev, and upstreamed.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete61');" bgcolor="#E5E5E5">netdev</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete61');" bgcolor="#E5E5E5" class="nowrap">70</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete61');" bgcolor="#E5E5E5">Yekkirala, Venkat</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete61');" bgcolor="#E5E5E5">TCS</td>
</tr>
<tr onmouseover="setPointer(this, 62, 'over', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmouseout="setPointer(this, 62, 'out', '#D5D5D5', '#CCFFCC', '#FFCC99');" onmousedown="setPointer(this, 62, 'click', '#D5D5D5', '#CCFFCC', '#FFCC99');">
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete62');" bgcolor="#D5D5D5" class="nowrap">69</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete62');" bgcolor="#D5D5D5">IPsec labeled packets: Unix domain sockets</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete62');" bgcolor="#D5D5D5">Need to extend inet IPsec labeling to Unix domain sockets.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete62');" bgcolor="#D5D5D5">Catherine wrote patches to apply IPsec labeling to Unix domain sockets.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete62');" bgcolor="#D5D5D5">Need to ensure the patches actually made it into the kernel.</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete62');" bgcolor="#D5D5D5">netdev</td>
<td align="right" valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete62');" bgcolor="#D5D5D5" class="nowrap">90</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete62');" bgcolor="#D5D5D5">Wilson, George</td>
<td valign="top" onmousedown="setCheckboxColumn('id_rows_to_delete62');" bgcolor="#D5D5D5">IBM</td>
</tr>
</table>
</body>
</html>