[redhat-lspp] Xinetd patch

Chad Hanson chanson at TrustedCS.com
Thu Sep 29 14:19:35 UTC 2005


> 
> If you allow xinetd to start services at any level/compartment, xinetd is
> basically unconfined.
> 

I'm not sure I understand this. The general rule of MLS is that all objects
get created at the existing label. Having xinetd start services at the level
of the incoming connection is a simple extension of this. In a simple
environment you'll have a server with some number of single-level networks
connected to the system through individual Ethernet interfaces. The
interface and hosts are given this label, and all communication to the MLS
server must be performed at this level; this would include things such as
xinetd, ssh, smtp, etc. In an MLS networking environment, you allow a
connection based on the negotiated label.

To restrict traffic from different labels you have the following options:
restrict the range in which the application (xinetd) runs, change the label of
the application, enforce different iptables rules, or extend the xinetd service
configuration to understand MLS labels/domains in order to restrict labels/domains.

-Chad 
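As an added example (not the redhat-lspp patch and not xinetd's own code), the following Python models the two rules argued for above: a spawned service runs at the negotiated label of the incoming connection, and a connection is refused when that label falls outside the service's configured MLS range or outside the range xinetd itself runs in. Label syntax follows SELinux's sN:cA,cB.cC form with low-high ranges; the service table, the xinetd range and the function names are assumptions constructed for the demonstration.

```python
"""MLS range check for an xinetd-style dispatcher.

Added example, not the redhat-lspp patch or xinetd's own code.  It models the
rules in the message above: the child runs at the connection's label, and a
service may be restricted to an MLS range so only connections whose negotiated
label lies inside that range (and inside xinetd's own range) are accepted.
Label syntax: 'sN[:cA,cB.cC]'; range syntax: 'low-high'.  The service table
below is constructed for the demo.
"""
from dataclasses import dataclass
import re

_COMP_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


@dataclass(frozen=True)
class Label:
    sensitivity: int
    compartments: frozenset

    def dominates(self, other):
        """MLS dominance: sensitivity >= other's and compartments a superset."""
        return (self.sensitivity >= other.sensitivity
                and self.compartments >= other.compartments)


def parse_label(text):
    """Parse 's2:c1,c3.c5' into Label(2, {1,3,4,5}); 'c3.c5' is an inclusive run."""
    sens, _, comps = text.strip().partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError("bad sensitivity in label %r" % text)
    cats = set()
    for part in filter(None, comps.split(",")):
        cm = _COMP_RE.match(part)
        if not cm:
            raise ValueError("bad compartment %r in label %r" % (part, text))
        lo = int(cm.group(1))
        hi = int(cm.group(2) or lo)
        if hi < lo:
            raise ValueError("descending compartment run %r" % part)
        cats.update(range(lo, hi + 1))
    return Label(int(m.group(1)), frozenset(cats))


def parse_range(text):
    """Parse 'low-high' (a single label means low == high) into (Label, Label).
    A range whose high does not dominate its low is rejected."""
    low_s, sep, high_s = text.partition("-")
    low = parse_label(low_s)
    high = parse_label(high_s) if sep else low
    if not high.dominates(low):
        raise ValueError("range high %r does not dominate low %r" % (high_s, low_s))
    return low, high


def in_range(label, rng):
    """True when low <= label <= high under MLS dominance."""
    low, high = rng
    return label.dominates(low) and high.dominates(label)


# Constructed policy: per-service MLS range, the "extend xinetd service
# configuration" option from the message above (assumed syntax, not xinetd's).
SERVICE_RANGES = {
    "telnet": "s0",               # single level: only s0 connections
    "imap":   "s1-s3:c0.c7",      # s1..s3, compartments c0-c7 only
    "finger": "s0-s15:c0.c1023",  # effectively unconfined in MLS terms
}

# Range xinetd itself runs in (assumed); it cannot spawn a child outside it,
# which is the "restrict the range of the application" option.
XINETD_RANGE = "s0-s3:c0.c15"


def child_label(service, conn_label, xinetd_range=XINETD_RANGE, ranges=SERVICE_RANGES):
    """Return the Label the spawned service should run at (the connection's
    negotiated label), or None if the connection must be refused."""
    if service not in ranges:
        return None
    label = parse_label(conn_label)
    if not in_range(label, parse_range(xinetd_range)):
        return None          # outside xinetd's own range: cannot be spawned
    if not in_range(label, parse_range(ranges[service])):
        return None          # outside the service's configured range
    return label


if __name__ == "__main__":
    for svc, conn in [("telnet", "s0"), ("telnet", "s1"), ("imap", "s2:c1,c3.c5"),
                      ("imap", "s2:c9"), ("finger", "s3:c15"), ("finger", "s5")]:
        print("%-7s from %-12s -> %s" % (svc, conn, child_label(svc, conn) or "refused"))
```

Note that the finger entry shows the point made in the quoted text: a service whose range is wide is only held in check by the range xinetd itself runs in, so an s5 connection is still refused even though finger's own range would admit it.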
