--- Paul Moore <[EMAIL PROTECTED]> wrote:
> Casey Schaufler wrote:
> >
> > --- James Antill <[EMAIL PROTECTED]> wrote:
> >
> >> On Thu, 2006-10-19 at 09:30 -0400, Stephen Smalley wrote:
> >>
> >>> That doesn't address sshd though. Or gdm. sshd shouldn't be too difficult.
> >>
> >> Combined with adding similar code to sshd.
> >
> > Just a heads up, you want to do this, but you may not be able to get an
> > evaluation team to allow it in an evaluated configuration.
>
> Okay, I'm curious so I'll bite - why not, what problems would you expect?

I'm talking strictly from an MLS viewpoint here, mind you. If y'all are using TE as a security mechanism in your evaluation you'll have to deal with that as well. Anywho ...

If you are treating your network as a single level device and allow logins (e.g. via ssh) at labels other than that configured to the device you are violating the MLS policy on the device. A TopSecret login on a device configured to be Confidential cannot be permitted because TopSecret information, such as the command prompt, cannot be sent to the Confidential device.

If you are treating the network as a multi level device the communications will take place at a label passed along with (or beside) the packets. Changing the label of the process will prevent it from going out through the established connection. If you could, you'd be able to pass TopSecret information in packets marked Confidential, again a Bad Thing.

If you are treating each packet as a labeled entity and the network environment irrelevant and you don't change how the packets are labeled when you change the process label you are not properly labeling them. If you do change the labeling of the packets and let them through anyway you're not enforcing MLS policy.
You can treat the network as a device, an import/export mechanism, or an internal communication mechanism but you can't get away from the fact that when a process changes its MLS properties it can't use the communication channels it was using with the old properties. Unless the communication channels don't enforce policy, in which case your system isn't enforcing MLS policy everywhere required.

I understand that this is not the case with TE. I am very curious how domain transitions are going to play out in an evaluation. The process should be educational.

Casey Schaufler
[EMAIL PROTECTED]

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
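Added illustration, not part of the thread above and not code from any of the projects discussed: a small Python model of the three network treatments Casey walks through (single-level device, multi-level connection, per-packet labeling), each reduced to the same dominance check. It assumes a Bell-LaPadula style lattice (a linear hierarchy of levels plus category sets, "no write-down" and "no read-up"); the level names, the `Label`/`Endpoint`/`Process` types and the scenario function names are mine, chosen to mirror the mail's argument that a process which changes its label can no longer use a channel established under the old one.

```python
"""Toy MLS flow model (constructed for illustration; assumes a Bell-LaPadula
style lattice, not any particular LSM's implementation)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Linear hierarchy of sensitivity levels; higher number = more sensitive.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "TopSecret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True if data labeled `other` may flow to something labeled `self`:
        same or higher level, and a superset of the categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class Endpoint:
    """A sink or source of data: a single-level device, an established
    multi-level connection, or one labeled packet."""
    name: str
    label: Label


@dataclass
class Process:
    pid: int
    label: Label


def may_write(proc: Process, sink: Endpoint) -> bool:
    """No write-down: the sink's label must dominate the writer's label."""
    return sink.label.dominates(proc.label)


def may_read(proc: Process, source: Endpoint) -> bool:
    """No read-up: the reader's label must dominate the source's label."""
    return proc.label.dominates(source.label)


def single_level_login(device: Endpoint, session_label: Label) -> bool:
    """Network as a single-level device: a login session at `session_label`
    produces output (the prompt) at that label, so the login is permissible
    only if the device's label dominates the session's."""
    session = Process(pid=1000, label=session_label)
    return may_write(session, device)


def relabel_and_reuse(proc: Process, conn: Endpoint,
                      new_label: Label) -> Dict[str, bool]:
    """Network as a multi-level device: `conn` was established at conn.label.
    After the process changes its label, report which directions are still
    permissible on that same connection."""
    relabeled = Process(pid=proc.pid, label=new_label)
    return {"write": may_write(relabeled, conn),
            "read": may_read(relabeled, conn)}


def packet_label_ok(proc: Process, packet: Endpoint) -> bool:
    """Per-packet labeling: a packet a process emits must carry a label that
    dominates the process's current label, otherwise the packet is mislabeled
    (e.g. a TopSecret process still stamping packets Confidential)."""
    return packet.label.dominates(proc.label)


if __name__ == "__main__":
    conf = Label("Confidential")
    ts = Label("TopSecret")
    eth0 = Endpoint("eth0 (single-level, Confidential)", conf)
    print("TopSecret login on Confidential device allowed:",
          single_level_login(eth0, ts))          # False
    print("Confidential login on Confidential device allowed:",
          single_level_login(eth0, conf))        # True
    conn = Endpoint("established connection @Confidential", conf)
    print("after relabel to TopSecret, old connection:",
          relabel_and_reuse(Process(1, conf), conn, ts))  # write False, read True
    print("TopSecret process emitting Confidential packet is properly labeled:",
          packet_label_ok(Process(1, ts), Endpoint("pkt", conf)))  # False
```

The asymmetry in `relabel_and_reuse` is the point of the mail: after the transition the process may still read from the Confidential connection (read-down is fine) but may no longer write to it, so any channel that lets the write through is either mislabeling the data or not enforcing the policy at all.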
