[redhat-lspp] What is the preferred way of setting a machine's maximum sensitivity?

Casey Schaufler casey at schaufler-ca.com
Fri Jun 16 20:15:53 UTC 2006


--- Daniel J Walsh <dwalsh at redhat.com> wrote:

> We need to be able to set the maximum login
> sensitivity on a machine in 
> such a way that the login programs and
> network aware applications enforce this.  How do you
> go about doing this?

In the unix days we addressed this issue
by only allowing logins with MLS labels
that had explicitly defined names. Since
dominance is not strictly hierarchical you
could of course have multiple "maximum"
labels if you (have and) ignore SYSTEM_HIGH.

For example, on Trusted Irix sensitivities of:
    secret,alpha,beta
    unclassified
would be allowed, where
    secret,1,25
    36
would not. Details of how the mappings are
done are to be found elsewhere.

Since all sensitivity values that can be
logged into are specified you don't have to
worry about calling out a maximum any
differently.

BTW, this came about because our B1 evaluation
team didn't want to see numeric values on the
T&B labels of printed documents, another issue
y'all may encounter before long.


Casey Schaufler
casey at schaufler-ca.com
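
Added example, not part of the message above and not Trusted Irix code: a sketch of the scheme the reply describes, where a label is usable for login only if every component has a defined name and appears in the specified set, and where that set can have more than one maximal label under dominance. The name tables, their numeric values and the LOGINABLE list are constructed assumptions; the real mappings are not shown in the message.

```python
# Constructed name tables (assumptions for illustration, not real Trusted Irix mappings).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}
CATEGORIES = {"alpha": 10, "beta": 11, "gamma": 12}

# Constructed set of labels a site permits at login.
LOGINABLE = ["unclassified", "secret,alpha,beta", "secret,gamma"]


def parse_label(text):
    """Return (level, frozenset(categories)), or None if any component
    has no defined name (for example a raw numeric value)."""
    parts = [p.strip().lower() for p in text.split(",")]
    level, cats = parts[0], parts[1:]
    if level not in LEVELS or any(c not in CATEGORIES for c in cats):
        return None
    return LEVELS[level], frozenset(CATEGORIES[c] for c in cats)


def dominates(a, b):
    """a dominates b: level at least as high and category set a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def login_allowed(requested, loginable=LOGINABLE):
    """Allowed only if fully named and equal to one of the specified labels."""
    label = parse_label(requested)
    return label is not None and label in {parse_label(n) for n in loginable}


def maximal_labels(loginable=LOGINABLE):
    """Labels in the set that no other label in the set strictly dominates."""
    parsed = {name: parse_label(name) for name in loginable}
    if None in parsed.values():
        raise ValueError("loginable set contains a label with an unnamed component")
    return sorted(
        name for name, a in parsed.items()
        if not any(b != a and dominates(b, a) for b in parsed.values())
    )


if __name__ == "__main__":
    for candidate in ["secret,alpha,beta", "unclassified", "secret,1,25", "36"]:
        print(candidate, "->", "allowed" if login_allowed(candidate) else "refused")
    print("maximal labels:", maximal_labels())
```
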



