[redhat-lspp] LSPP Development Telecon 01/15/2007 Minutes

Paul Moore paul.moore at hp.com
Fri Jan 19 00:26:31 UTC 2007


On Thursday, January 18 2007 7:07 pm, Casey Schaufler wrote:
> --- Klaus Weidner <klaus at atsec.com> wrote:
> > The current system doesn't specifically support single label interfaces
> > without labeled networking.
>
> That would imply that all networks are multilabel with labeled networking.

I believe that is the assumption for the current LSPP evaluations, like it or 
not.

> > The sshd implementation does support level selection when not using
> > labeled networking, but obviously people will need to use labeled
> > networking when they expect MLS constraints to be enforced on their
> > network communication.
>
> That is unfortunately not the case. People will expect to hook their MLS
> box onto a network with *gasp* Windows boxes, and expect to be able to log
> into the MLS box from the Windows boxes. If your sshd allows someone to log
> in at two different labels from the same Windows box I expect that you will
> have an issue with your evaluators because you have a device (e.g. eth0)
> that does not enforce MLS policy.

Well, considering that we assume only labeled networks/interfaces then we 
don't really ever run into this problem - if a machine is on the network it 
is sending labeled packets.  If you have unlabeled networks you will need to 
put some sort of guard/barrier/router/firewall in place.  I realize this is 
far from ideal, but I tend to think it's a reasonable first step.

There are some things this first round of LSPP evaluations are not going to 
cover, but you have to draw the line somewhere (there is some old adage about 
shooting engineers, I can't remember it as I try to block it out).  I'm 
confident we'll get it "right" but it's going to take some time.  In the 
meantime we've still managed to pull something together which works, will be 
(knock on wood) RBAC/LSPP certified, and is somewhat useful.

This stuff ain't easy - you of all people know that I'm sure :)

-- 
paul moore
linux security @ hp