Heads up for login managers
Steve Grubb
sgrubb at redhat.com
Mon Feb 12 17:08:24 UTC 2007
On Monday 12 February 2007 11:40, David Zeuthen wrote:
> > Has there been a security review?
>
> Not per se and, for the record, I'm unsure what is involved in doing
> that for Fedora; do you know?
You gotta do it the hard way...code review.
> Suffice to say it's been discussed on a number of lists, it's been
> designed with security in mind and I also mentioned it during my two
> talks at LCA. Also had a lot of private exchanges with people about it.
> I'd welcome a "security review" by you and others involved in
> security-related matters in Fedora; it would be nice if you could do
> that, thanks.
Yes, I will look it over.
> > Does the design still allow the distro to meet CAPP?
>
> Haven't looked into it and I'm not sure Fedora is certified in any way
> at this point anyway.
Fedora has all the bits and pieces applied that would let it meet CAPP. This
is the Common Criteria Certification based around traditional discretionary
access controls (unix perms).
> Also it might be useful, as a community service to all readers on the list,
> if you linked to what CAPP is when using jargon like that, thanks.
CAPP is here:
http://www.niap-ccevs.org/cc-scheme/pp/PP_OS_CA_V1.d.cfm
The main thing I am concerned with is that auditing doesn't get messed up.
There is code in place to make sure that actions get attributed to the right
user. A code review should help determine it. I also am concerned about what
this means for things like console helper.
-Steve