[redhat-lspp] LSPP Development Telecon 01/15/2007 Minutes

Klaus Weidner klaus at atsec.com
Thu Jan 18 23:09:59 UTC 2007


On Tue, Jan 16, 2007 at 01:41:18PM -0800, Casey Schaufler wrote:
> Past experience has been that a network
> interface has to be treated as either a
> multi label device with labeled packets or
> as a single label device. A network
> interface that does not label packets is
> restricted to one and only one label.
> That means that all logins across that
> interface must be restricted to that label
> for an evaluable configuration*. If your
> xinetd and/or sshd allow logins at more
> than one label through an interface that
> does not label packets you will fail in
> your evaluation. If sshd uses the user's
> default MLS value for "unlabeled" networks
> and that is not the label assigned that
> interface your system does not meet the
> LSPP requirements.

That mostly matches with how we're currently handling things.

The current system doesn't specifically support single label interfaces
without labeled networking. The sshd implementation does support level
selection when not using labeled networking, but obviously people will
need to use labeled networking when they expect MLS constraints to be
enforced on their network communication.

-Klaus
