[redhat-lspp] Xinetd patch
Chad Hanson
chanson at TrustedCS.com
Thu Sep 29 14:34:29 UTC 2005
>
> It's common practice to use telnet to connect to services to check if they
> are working, for example, ftp or imap. I don't think you really want xinetd
> launching things at the originating connection's context.
>
> I think we are better off extending xinetd to understand MLS networking.
>
I agree with not using the entire context, but just the MLS label, as Stephen
mentioned. It is not feasible or desired to start a secret telnet connection
from an unclassified network, obviously. Nor should the clearance of the new
session be greater than unclassified. The only ways I can think of currently
to get the MLS label of a connection are a getpeercon() or querying the policy
for the MLS label of the client; the latter won't work in a trusted networking
environment. Adding restrictions into xinetd for MLS may be useful.
-Chad
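The check discussed above, as an added example that is not xinetd code and not from anyone on this thread: take the peer's security context (the string getpeercon() returns on the accepted socket), keep only its MLS range, refuse the connection when that range lies outside the service's own clearance range, and otherwise build a launch context that keeps the service's user:role:type but substitutes the peer's label. The context strings, the inetd_child_t and netlabel_peer_t type names, and the clearance range are constructed for illustration; the getpeercon() part is real libselinux API but is compiled only when USE_LIBSELINUX is defined, so the rest runs anywhere.

```c
/* Added example (not xinetd code): derive the MLS label an inetd-style
 * daemon would launch a service with, using only the MLS range of the
 * peer's context, never the whole context. Type and user names in the
 * sample contexts are constructed for illustration. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MLS_MAX_CATS 1024

struct mls_level {
    int sens;                             /* sensitivity: the N in sN */
    unsigned char cats[MLS_MAX_CATS / 8]; /* category bitmap: cN -> bit N */
};
struct mls_range { struct mls_level low, high; };

/* Parse "sN[:cA[.cB][,cC...]]". Returns a pointer past the level, NULL on error. */
static const char *parse_level(const char *s, struct mls_level *out)
{
    char *end;
    memset(out, 0, sizeof *out);
    if (*s != 's' || !isdigit((unsigned char)s[1])) return NULL;
    out->sens = (int)strtol(s + 1, &end, 10);
    s = end;
    if (*s != ':') return s;                /* no categories */
    for (s++;; s++) {                       /* s is at the 'c' after ':' or ',' */
        if (*s != 'c' || !isdigit((unsigned char)s[1])) return NULL;
        long lo = strtol(s + 1, &end, 10), hi = lo;
        s = end;
        if (*s == '.') {                    /* cA.cB means every category A..B */
            if (s[1] != 'c' || !isdigit((unsigned char)s[2])) return NULL;
            hi = strtol(s + 2, &end, 10);
            s = end;
        }
        if (lo < 0 || hi >= MLS_MAX_CATS || lo > hi) return NULL;
        for (long c = lo; c <= hi; c++) out->cats[c / 8] |= (unsigned char)(1u << (c % 8));
        if (*s != ',') return s;
    }
}

/* The MLS range is everything after the third ':' of user:role:type:range. */
static const char *range_text(const char *ctx)
{
    int colons = 0;
    while (*ctx && colons < 3) if (*ctx++ == ':') colons++;
    return (colons == 3 && *ctx) ? ctx : NULL;   /* NULL: context has no MLS field */
}

static bool context_range(const char *ctx, struct mls_range *r)
{
    const char *q = range_text(ctx);
    if (!q) return false;
    q = parse_level(q, &r->low);
    if (q && *q == '-') q = parse_level(q + 1, &r->high);   /* low-high range */
    else if (q) r->high = r->low;                           /* single level */
    return q && *q == '\0';
}

/* a dominates b when a.sens >= b.sens and a's categories include all of b's. */
static bool dominates(const struct mls_level *a, const struct mls_level *b)
{
    if (a->sens < b->sens) return false;
    for (size_t i = 0; i < sizeof a->cats; i++)
        if (b->cats[i] & ~a->cats[i]) return false;
    return true;
}

/* Launch context = the service's own user:role:type plus the peer's MLS
 * range, allowed only when the peer's range lies inside the service's
 * clearance range [low, high]. Returns NULL (refuse the connection) otherwise,
 * so a secret peer never reaches an unclassified-only service and an
 * unclassified peer never gets a session above its own level. */
static const char *launch_context(const char *service_ctx, const char *peer_ctx)
{
    static char out[256];
    struct mls_range svc, peer;
    const char *peer_range = range_text(peer_ctx);
    if (!peer_range || !context_range(service_ctx, &svc) || !context_range(peer_ctx, &peer))
        return NULL;
    if (!dominates(&svc.high, &peer.high) || !dominates(&peer.low, &svc.low))
        return NULL;
    size_t prefix = (size_t)(range_text(service_ctx) - service_ctx); /* up to and including the 3rd ':' */
    if (prefix + strlen(peer_range) >= sizeof out) return NULL;
    memcpy(out, service_ctx, prefix);
    strcpy(out + prefix, peer_range);
    return out;
}

#ifdef USE_LIBSELINUX   /* build with -DUSE_LIBSELINUX -lselinux to enable */
#include <selinux/selinux.h>
/* Real source of peer_ctx: getpeercon() on the accepted socket. Only labeled
 * networking delivers the client's level; otherwise the kernel reports an
 * error or a generic unlabeled peer context, which this then refuses. */
static const char *launch_context_for_socket(int sock, const char *service_ctx)
{
    char *peer = NULL;
    if (getpeercon(sock, &peer) < 0) return NULL;
    const char *ctx = launch_context(service_ctx, peer);
    freecon(peer);
    return ctx;
}
#endif

int main(void)
{
    const char *svc = "system_u:system_r:inetd_child_t:s0-s3:c0.c1023"; /* constructed */
    const char *peers[] = { "system_u:object_r:netlabel_peer_t:s0",
                            "system_u:object_r:netlabel_peer_t:s2:c1",
                            "system_u:object_r:netlabel_peer_t:s4" };
    for (size_t i = 0; i < 3; i++) {
        const char *ctx = launch_context(svc, peers[i]);
        printf("%s -> %s\n", peers[i], ctx ? ctx : "REFUSED");
    }
    return 0;
}
```

The dominance test is the standard MLS one (sensitivity and category superset); a peer whose context has no MLS field at all is refused rather than defaulted to the service's low level, which is the conservative choice when labeled networking is not actually delivering a peer label.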