[redhat-lspp] LSPP Development Telecon 01/15/2007 Minutes

Casey Schaufler casey at schaufler-ca.com
Fri Jan 19 01:02:01 UTC 2007


--- Paul Moore <paul.moore at hp.com> wrote:

> On Thursday, January 18 2007 7:07 pm, Casey
> Schaufler wrote:
> > --- Klaus Weidner <klaus at atsec.com> wrote:
> > > The current system doesn't specifically support
> > > single label interfaces
> > > without labeled networking.
> >
> > That would imply that all networks are
> > multilabel with labeled networking.
> 
> I believe that is the assumption for the current
> LSPP evaluations, like it or 
> not.

A single label network is OK provided only
traffic at one label is allowed across it.
That's what we evaluated.

> > > The sshd implementation does support level
> > > selection when not using labeled networking, but
> > > obviously people will need to use labeled
> > > networking when they expect MLS constraints to be
> > > enforced on their network communication.
> >
> > That is unfortunately not the case. People
> > will expect to hook their MLS box onto a
> > network with *gasp* Windows boxes, and
> > expect to be able to log into the MLS box
> > from the Windows boxes. If your sshd allows
> > someone to log in at two different labels
> > from the same Windows box I expect that
> > you will have an issue with your evaluators
> > because you have a device (e.g. eth0) that
> > does not enforce MLS policy.
> 
> Well, considering that we assume only labeled
> networks/interfaces then we 
> don't really ever run into this problem

True enough.

> - if a machine is on the network it 
> is sending labeled packets.  If you have unlabeled
> networks you will need to 
> put some sort of guard/barrier/router/firewall in
> place.  I realize this is 
> far from ideal, but I tend to think it's a
> reasonable first step.

Any of which could be used to implement a
single level network interface.

> There are some things this first round of LSPP
> evaluations are not going to 
> cover, but you have to draw the line somewhere
> (there is some old adage about 
> shooting engineers, I can't remember it as I try to
> block it out).  I'm 
> confident we'll get it "right" but it's going to
> take some time.  In the 
> meantime we've still managed to pull something
> together which works, will be 
> (knock on wood) RBAC/LSPP certified, and is somewhat
> useful.

Good plan.

> This stuff ain't easy - you of all people know that
> I'm sure :)

It certainly isn't.


Casey Schaufler
casey at schaufler-ca.com



