missing avc message field names

[Russell Coker]

On Tuesday 30 January 2007 10:48, Eamon Walsh <ewalsh at tycho.nsa.gov> wrote:
> there might be SELinux-enhanced e-mail clients,
> office applications, file managers in the future

Yes, we need all that.

There are some people interested in SE enhanced MUAs.

One issue is that SE-X is required for full functionality in this regard 
(let's assume for the sake of discussion that almost everyone who matters 
uses a GUI MUA).  Another issue is that the design of MUAs is tending towards 
greater integration with the desktop environment and larger more complex code 
bases.

I'm thinking of starting to attack this by developing a password sequestration 
system for MUAs.  The idea being that the MUA would run a SETGID program and 
request a POP connection, it would be returned a file handle for an 
authenticated connection but have no way of obtaining the password that was 
used.  This will offer significant security benefits in a non-SE environment 
and even better protection with SE Linux.  A compromised MUA would not be 
able to obtain a password list and send it to a hostile party (it would be 
able to proxy access to the POP server and to send copies of all stored 
messages).  Given the incidence of passwords being used for multiple 
functions this would significantly mitigate the risks of MUA based attacks.

The current situation is tending towards having an ever increasing amount of 
the practical system integrity dependant on the integrity of a single user 
account (in which all programs run with the same security context).

Getting upstream support for labelled email is going to be very difficult with 
the current client side security situation.

Now if we could just get web browsers to have their functionality split into 
multiple programs with different security contexts...

-- 
russell at coker.com.au
http://etbe.blogspot.com/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development